Data breaches are as prevalent as ever, with news of large-scale breaches such as Facebook and insurance company Anthem — which recently paid out $16 million over a 2015 data breach — appearing in the news nearly every week. Medical practices, though not necessarily large targets like major corporations, are often easier targets because of the abundance of personal and financial data they hold.
Below are five ways to help avoid HIPAA-related data breaches.
1. Analyze Risks Related to Staff and Security Procedures
At least once a year, conduct a risk analysis of your staff and your practice’s procedures. This can be quite technical, including testing firewalls and antivirus software. It also includes making sure passwords are updated and changed, all software patches and updates have been installed, and your technology is current. Consider hiring an outside firm with expertise in HIPAA requirements to conduct this analysis. Your initial outlay will likely pay off in the long run by preventing future breaches.
2. Designate Someone to Oversee Security
Ensure a staff person handles all updates and procedures. That person also needs to educate and monitor the rest of the staff on compliance with HIPAA and security procedures.
3. Hire a Consultant
A consultant can help review procedures and technology, which are constantly changing and requiring updates. Hackers become more sophisticated every year at retrieving private data.
4. Customize Computer Toolbars with Antiphishing Applications
Some of these can be downloaded free from the Internet and are usually system-dependent. In other words, they’re designed for a particular operating system or browser, such as Windows, Chrome, Safari or Firefox. Conduct research before you download anything from the Internet — even antivirus and antiphishing apps. Reviews will generally give you a good idea of which ones to stay away from.
5. Be Skeptical and Suspicious
We tend to view hackers as the ones who use computers to break into your systems and steal your information. But, in fact, a lot of hackers use social engineering to deceive people into giving up confidential or personal information. Examples of social engineering include emails and phone calls purporting to be from vendors and companies, suggesting your passwords or other vital information need to be updated and that you should follow a link to a website to do so. This is a common way for hackers to gain access to your passwords and systems, so be wary of any such links. Be cautious about providing any information over the phone and alert your staff to this as well. And don’t forget, one of the most common causes of data breaches is stolen laptops!
Health care institutions are tempting targets. In 2017, Detroit’s Henry Ford Health System had 18,470 patient records stolen. In July 2018, a virus attacked Arkansas Oral Facial Surgery Center, keeping the practice from accessing images, files and notes related to 128,000 patients. For your practice’s safety and your patients’ protection, take precautions.
Please contact a member of your service team, or contact Kathy Walsh at firstname.lastname@example.org for further discussion.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.