TMCnet News

Breach of outpatient surgery records raises red flag - Know and protect your data
[June 25, 2012]



(AHC Newsletters Via Acquire Media NewsEdge)

Cyber attacks. Data thefts. System breaches. They're all on the rise, and healthcare is the No. 1 field at risk, according to the just-released Internet Security Threat Report 2011 Trends from Symantec Corp. [1] Consider these recent examples from the outpatient surgery field:

   • Earlier in 2012, St. Elizabeth's Medical Center in Boston notified almost 7,000 patients that their billing information, including credit card numbers and security codes, might have been compromised. [2] The documents had been removed by a vendor from a building that was about to be demolished and were supposed to be shredded. A few days later, an individual reported finding cashier's receipts for credit card payments made by five patients, including some from the hospital's surgery center, blowing through a field in another neighborhood. The receipts included patients' names, hospital account numbers, credit card numbers, security codes, and expiration dates.



   • Also earlier this year, Emory Healthcare in Atlanta found that 10 backup discs containing information on surgical patients were missing from a storage location at one of its hospitals. The information on the discs was from about 315,000 surgical patients treated at one surgery center and two of its hospitals. The discs contained patient names, dates of surgery, diagnoses, procedure codes or the names of the surgical procedures, device implant information, surgeons' names, and anesthesiologists' names. About 228,000 of the patient records included Social Security numbers. All affected patients were provided identity protection services, including credit monitoring, and access to a toll-free hotline for questions. Any patient who discovers identity theft or fraud issues within one year is provided an investigator to help them restore their identity. (For more information, view Emory Healthcare's "Notice to Our Patients" at www.emoryhealthcare.org/protection.) Emory leaders acknowledge that the discs had not been stored according to the facility's protocol, according to a published report. [3] The discs were in an office cabinet that was not locked at night, although it was on a restricted hallway, the media report said. The information on the discs was associated with an outdated system and, thus, was not encrypted. Additionally, in 2011, bills of 32 patients at Emory's orthopedic clinic were stolen, and the information was used to file fraudulent tax returns in the names of nine of those patients, the media report said.

Stolen patient data can put an outpatient surgery program into legal problems fast. "In addition to HIPAA, there are several states that have pertinent laws," says Joe Santangelo, MS, principal consultant at New York City-based Axis Technology, which provides data security services.


What would it cost you? Maybe millions

And then there's the cost. Emory estimates that this latest incident cost the healthcare system between $1.5 million and $2 million. There were no fines.

"If you are found to have a breach, it can be a very costly and potentially debilitating affair," Santangelo says. He points to a recent example of a small surgery center with five physicians that was fined $100,000 by the Office for Civil Rights (OCR) for failing to protect patient information. [4] "The investigation found that the practice failed to implement adequate policies and procedures to protect patient information, did not document that it provided HIPAA training to employees, failed to conduct risk analysis, and failed to obtain proper agreements from business associates," Santangelo says. (To see the resolution agreement, go to http://1.usa.gov/IlVjXX.) He points out that in addition to the costs of notifying patients, investigating and controlling the breach, and potential litigation and fines, there are intangible costs such as damage to your brand, loss of customers, decline in practice value, and reputation management. "Thus providing proper security of patient information is actually a cost-effective practice, when looked at in terms of the cost of a breach," Santangelo says.

Healthcare is vulnerable 24/7, says Anne Adams, chief privacy officer at Emory Healthcare. Adams spoke openly with Same-Day Surgery about the privacy breach and shared a presentation on the incident that she gave earlier this year to the University Risk Management and Insurance Association (URMIA) Southeastern Regional Conference. [5] Some of the reasons for healthcare's vulnerability? Data is used across multiple locations, and you have a vulnerable population that includes patients under anesthesia. In addition, medical facilities have substantial traffic, says Arthur J. Fried, JD, member of Epstein Becker Green in New York City.

Neil Roiter, research director at Corero Network Security in Hudson, MA, says, "With the reported rise in data breaches in the healthcare sector, it is imperative that patient information is secure in any environment: an outpatient surgery center, hospital, or doctor's office. Data protection policies, procedures, and security technologies for outpatient surgery centers must be part of a holistic organizationwide security program." Corero Network Security is an international network security company and the leading provider of Distributed Denial of Service (DDoS) defense and Next Generation Intrusion Prevention System (IPS) solutions.

"High-profile healthcare record breaches … appear to show a pattern of lax standards regarding the handling of sensitive patient data and, in many cases, inadequate processes and procedures to ensure that data is not lost or stolen through carelessness by employees or partners," Roiter says.

Consider the lessons learned from this year's data breaches:

• Know what data you have that is at risk.

After the data breach, Emory conducted a comprehensive inventory of all physical spaces across the system to ensure data were properly secured. Adams said, "That is the real lesson learned: To make sure everyone is aware of what they have, in terms of patient information, whether it is electronic or paper, within their environment." To protect your data, understand where protected health information (PHI) exists in your environment, Santangelo says. "The inventory should be sufficiently automated and audited periodically and needs to be updated as new functionality is introduced and new reports are introduced," he says. "Once we understand where the PHI exists, we can have a plan for safeguarding this data." At Emory, the "net" of protected information has been broadened to include not just patient information, but employee information.
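As an added example, not drawn from the article or from Axis Technology or Emory, the following Python script shows the automated part of the inventory Santangelo describes: it walks a directory tree, flags files that contain Social Security numbers or Luhn-valid payment card numbers (the two identifiers exposed in the Emory and St. Elizabeth's incidents), and records only counts and masked values so the inventory does not become a second copy of the PHI. The file names, file contents, and validity rules are constructed for the demonstration.

```python
"""
PHI discovery scan over a directory tree (added example, not the article's code).
Finds SSNs and Luhn-valid card numbers; stores only counts and masked samples.
All sample files and contents are constructed here for the demonstration.
"""
import os
import re
import tempfile

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued, so exclude them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs (invoice numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself PHI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Return {'ssn': [masked...], 'card': [masked...]} for one document."""
    found = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        found["ssn"].append(mask(m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"].append(mask(digits))
    return found


def scan_tree(root: str, max_bytes: int = 1 << 20) -> dict:
    """Walk root; return {relative_path: {'ssn': n, 'card': n}} for files with hits.
    Files are read as text with undecodable bytes ignored; oversized files are
    skipped (a production scanner would add PDF/Office extractors)."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            counts = {kind: len(vals) for kind, vals in hits.items() if vals}
            if counts:
                inventory[os.path.relpath(path, root)] = counts
    return inventory


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed data: a receipt, a backup export, an unrelated memo
        "billing/receipt_0412.txt": "Acct 778812 card 4111 1111 1111 1111 exp 04/14 cvv 123",
        "surgery/backup_notes.csv": "DOE,JOHN,123-45-6789,arthroscopy\nROE,JANE,456-78-9012,ACL repair\n",
        "memos/lunch.txt": "Cafeteria closed Friday. Phone 404-555-0100. Ref 1234567890123",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)
```

The memo file is reported clean: the phone number fails the SSN shape and the 13-digit reference number fails the Luhn check, which is the kind of false positive that makes an unfiltered regex inventory useless. Run the scan on a schedule, diff the output against the previous run, and treat any new location as an item for the safeguarding plan.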

• Ensure that employees and partners understand policies and procedures for handling patient information.

Emory Healthcare launched an institutionwide initiative using inservices to reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information.

In smaller facilities, use a checklist or set of procedures when new employees start, and review them periodically for updates in requirements and changes in procedures, Santangelo advises. They should be easily accessible to pertinent staff, he says. The checklist should include items such as:
– administration of confidentiality statements;
– providing copies of requested medical records;
– secure filing and maintenance of documents;
– procedures for secure destruction of documents;
– inventorying and managing technology assets;
– utilization of social media.

• Work to regain patient trust.

Part of your assessment of a data breach should be the impact on your reputation, Adams says. "That could be even more harm to the institution than a financial standpoint: losing patient trust," she says.

To address this concern, Emory promoted a policy of transparency in letters sent to patients that explained every aspect of the data breach. "We had to put it in a format that people would understand, and not get too much 'into the weeds,' because that's what happens," Adams says.

Emory strove to reassure patients that the breach was an isolated situation. "We are revising our policy to ensure people understand 'secure,'" Adams says. "When I personally talk to a patient, I would tell them that." (For more information on internal communication, see story, below.) In the end, securing your data is a win-win situation, Santangelo says.

"Providing security around patient data and restricting access to data is not only morally ethical and legally required, but is a sound business practice that has a real return on the investment made," he says. (For information on how to secure access to sensitive information, see story, below.)

References

1. Symantec Corp. Internet Security Threat Report 2011 Trends, Volume 17. Published April 2012. Accessed at http://www.symantec.com/threatreport.

2. Weisman R. St. Elizabeth's Medical Center notifies patients of billing data breach in Charlestown incident. The Boston Globe. April 6, 2012. Accessed at http://bo.st/HQMjtu.

3. Teegardin C. Patient data missing for 315,000 Emory patients. The Atlanta Journal-Constitution. April 18, 2012. Accessed at http://bit.ly/JcFRjJ.

4. Department of Health and Human Services Press Office. HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards. April 17, 2012. Accessed at http://1.usa.gov/IUpWr7.

5. Adams A. Anatomy of a Breach: Effective Investigation, Analysis, and Mitigation Steps in Privacy Breaches. Presented to the University Risk Management and Insurance Association (URMIA) Southeastern Regional Conference, Feb. 28, 2012.

Resource

   • Open Security Foundation maintains a database of data breaches. Web: http://datalossdb.org

How to secure access to sensitive information

Physical security of your sensitive protected health information (PHI) is critical, says Joe Santangelo, MS, principal consultant at New York City-based Axis Technology, which provides data security services.

That step means "ensuring access to areas where PHI is handled by only those who must have access to that data," Santangelo says.

Have a process for destruction of documents that is clear and workable within your staff's working environment, he says. "Clean desk policies, as well as clearly marked locked bins to house documents to be shredded, are important," Santangelo says.

Assess your policies periodically, and document this self-assessment for regulators, he advises. "Any sensitive data that resides on devices should be encrypted," Santangelo says. "In the event that the device falls into the wrong hands, this will provide security from less sophisticated threats and buy time from more sophisticated ones." Use asset controls, including documentation of asset retirement or destruction, he says. "Ideally, mobile devices will have an on-device protection solution and be ready to be remotely disabled in the event that they are lost or stolen," Santangelo says.

Use a data loss prevention (DLP) solution to oversee movement of data, he says. "This can range from standard network monitoring and PC protection software to very sophisticated suites which provide both intrusion detection and prevention," Santangelo says.
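The monitoring Santangelo describes, and the "IT review of data traffic to look for unauthorized access" that Mark Mayo recommends later in this story, usually starts with the access-audit trail that any EHR or practice-management system keeps. As an added example, not the article's code and not tied to any vendor named in it, the Python below reviews constructed audit records and flags three patterns that show up in the tax-fraud and lost-disc incidents above: a chart opened by someone with no documented treatment relationship, billing staff working patient records after hours, and one account reading an unusual number of distinct charts in a single hour. The log format, role names, care-team table, business hours, and threshold are all assumptions made for the demonstration.

```python
"""
Access-audit review for unauthorized PHI access (added example, not the article's code).
The log format, roles, care-team table and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed treatment relationships: patient -> accounts allowed to open the chart.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_lee", "rn_patel"},
    "P1003": {"dr_okoro", "rn_patel"},
    "P1004": {"dr_okoro"},
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local; constructed policy
BULK_THRESHOLD = 3              # distinct charts per account per hour before it is "bulk"

# Constructed audit lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2012-04-03T09:12:01 user=dr_lee role=surgeon patient=P1001 action=VIEW_CHART
2012-04-03T09:15:44 user=rn_patel role=nurse patient=P1001 action=VIEW_CHART
2012-04-03T21:40:10 user=bill_jones role=billing patient=P1002 action=VIEW_CHART
2012-04-03T10:02:13 user=bill_jones role=billing patient=P1003 action=VIEW_BILLING
2012-04-03T13:00:05 user=tmp_contractor role=vendor patient=P1001 action=VIEW_CHART
2012-04-03T13:00:09 user=tmp_contractor role=vendor patient=P1002 action=VIEW_CHART
2012-04-03T13:00:14 user=tmp_contractor role=vendor patient=P1003 action=VIEW_CHART
2012-04-03T13:00:20 user=tmp_contractor role=vendor patient=P1004 action=VIEW_CHART
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return fields


def review(log_text: str) -> list:
    """Return findings as (reason, user, detail, timestamp), oldest first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    charts_per_user_hour = defaultdict(set)
    for e in events:
        user, patient, ts = e["user"], e["patient"], e["ts"]
        # 1. Chart view with no treatment relationship. Billing views of billing
        #    data are expected for the billing role; full chart views are not.
        if e["action"] == "VIEW_CHART" and user not in CARE_TEAM.get(patient, set()):
            findings.append(("no_treatment_relationship", user, patient, ts))
        # 2. Non-clinical role touching patient records outside business hours.
        if e["role"] == "billing" and ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_billing", user, patient, ts))
        charts_per_user_hour[(user, ts.strftime("%Y-%m-%dT%H"))].add(patient)
    # 3. Bulk access: many distinct charts from one account within one clock hour,
    #    the pattern behind records-for-tax-fraud thefts.
    for (user, hour), patients in charts_per_user_hour.items():
        if len(patients) > BULK_THRESHOLD:
            hour_start = datetime.strptime(hour, "%Y-%m-%dT%H")
            findings.append(("bulk_access", user, f"{len(patients)} charts", hour_start))
    return sorted(findings, key=lambda f: (f[3], f[0]))


if __name__ == "__main__":
    for reason, user, detail, ts in review(SAMPLE_LOG):
        print(f"{ts}  {reason:28} {user:16} {detail}")
```

On the constructed log this produces seven findings: the contractor account trips both the relationship check on every chart and the bulk threshold, and the billing account is flagged once for the after-hours access and once for opening a full chart rather than billing data. The care-team table is the part that needs real data behind it (scheduling, admissions, or order entry); without a treatment-relationship source the first rule degrades to role-based checks only.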

After a recent data breach, Emory Healthcare in Atlanta asked staff members to examine their area and record what information they have and where it is located, and then ensure the information is physically secure. "For example, maybe they have laptops that aren't encrypted, or data disks that aren't encrypted, or other such information," says Anne Adams, chief privacy officer at Emory Healthcare.

Staff members are asked to immediately secure the information, such as making sure it is in a locked file cabinet in a locked office. In the long term, Emory is looking at moving patient/employee information to a secure server, while purging paper files.

"We remind people: If you can purge it, do it," Adams says. Sensitive information is shredded and picked up by a vendor. "We're also ensuring any backup data is on an approved system server, or it has to be in an encrypted environment, which has to be approved," Adams says.

Involve your IT staff in security of electronic data, says Mark Mayo, executive director of the ASC Association of Illinois and director of ambulatory services at Ambulatory Surgical Care Facility, Aurora, IL. Under the federal Health Information Exchange (HIE) program, several states are setting up secure electronic interfaces for sending and sharing PHI. IT should be certain that thumb drives, removable-media ports, writable discs, and printouts are disabled, Mayo says. "There needs to be IT review of data traffic to look for unauthorized access to data in areas when info is not needed," he says. "IT needs to make sure that data is encrypted and that firewalls are in place to detect and deter hackers."

Internal communication is key during breach probe

Keep people in the loop. That's always good advice, but perhaps never more important than after a data breach.

That suggestion comes from Anne Adams, chief privacy officer at Emory Healthcare, which suffered a data breach earlier this year.

Tell your board members early when you have a breach so they're not caught off guard, Adams says. Otherwise, if your board members also are patients, they might receive a letter about the breach before they're notified as a board member, she warns.

Also, Emory ensures that staff members and physicians are informed of breaches. "We send out a communication, usually at the same time that letters are sent to patients or before it would appear in the media," Adams says. "This way, if staff receive calls from patients or if patients have concerns, staff can address it with the patient or know where the patient can receive additional information." (A copy of Emory's breach notification checklist is included.)

SOURCE: Same-Day Surgery (c) 2012 AHC Media LLC. All Rights Reserved.
