Securing doctors outside of healthcare walls
Third party breaches force hospitals to look beyond their own boundaries
Because of the increasing number of third parties who must touch – or, because of poor security, can touch – patient data, healthcare security has become a vexing challenge.
Advocate’s record $5.55 million Health Insurance Portability and Accountability Act (HIPAA) settlement in 2016 related in part to its failure to “obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession.”
In the first eight months of 2016 alone, 30 percent of reported hospital breaches came in through third parties, according to research done by Protenus. Many of these breaches occur because offices of small private practices can present special risks.
Consider this scenario:
While working with a new patient, a physician downloads data from the patient’s wireless medical device.
- Threat: If the link between the medical device and the tablet is unencrypted, hackers sniffing wireless signals could gain access to the device and modify it or shut it down.
- Solution: Require vendors to provide a secure, encrypted and authenticated link to all medical devices. Implement a remote access policy that covers management of remote users, access methods and best security practices requirements.
To be HIPAA compliant, your organization should already have established rules for clinics to tie into your networks.
Physicians’ offices should conduct regular IT risk assessments. And securing your hospital’s network will ensure that data flowing in and out – from associates and anywhere else – will be tracked.
The question is whether relying on associate contracts and minding your own store is sufficient.
“I’ve seen cases where a doctor’s high school-aged son was managing the IT infrastructure from his PC,” says Axel Wirth, healthcare solutions architect with cybersecurity giant Symantec. “Especially among one- or two-physician practices, security seems like a luxury. This is why we are seeing smaller organizations move towards hosted or managed services to minimize their on-premises infrastructure –and exposure.”
Small clinic risks
Financial pressures on small clinics exacerbate the problem. Clinics may do the bare minimum to meet HIPAA privacy requirements, but miss gaping security holes.
“Many [doctors’ practices] purchased a HIPAA security manual online or from a salesman, but a lot of times the book sits on the shelf gathering dust,” says Christopher Allman, director of risk management, compliance and insurance at Garden City Hospital in Garden City, Mich., who frequently assists newly allied practices in conducting assessments.
In such offices, HIPAA-mandated training often is lacking or non-existent. Simple risks – such as thumb drives left lying around – are commonplace.
“When you explain to physicians what you’ve found [after a risk assessment], they kind of get the deer-in-the-headlights look,” Allman says. “But when you break down what it may cost them if they do have a breach, they generally get on board pretty quickly.”
Looking beyond the boundaries of your enterprise is the only way to truly mitigate risk.
Work with private practices to develop an action plan based on risk factors uncovered, and ensure that all groups make progress over time. The manpower for offering this guidance may not be accounted for in your staffing, and you need to be cognizant of Stark Law rules against providing financial assistance to physician practices.