Private Health Information Leaks: 6 Common Mistakes Providers Make

By Jennifer Larson, contributor

Could you be unintentionally putting your patients’ health information or data at risk?

A research letter published on November 19, 2018 in JAMA Internal Medicine found that internal negligence by health care providers is more likely to be responsible for personal health information (PHI) data breaches than external, malicious hackers.

Researchers from Michigan State University and Johns Hopkins University analyzed PHI data breaches affecting more than 164 million patients between October 2009 and December 2017 to identify the triggers. They discovered that 53 percent could be attributed to internal factors in healthcare entities. Meanwhile, when they analyzed external breaches, they found that only 12 percent could be attributed to hackers.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” explained John (Xuefeng) Jiang, the study’s lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

Jiang said that big mistakes can lead to even bigger accidents and that even seemingly innocuous errors can compromise patients’ personal data.

“Hospitals, doctors’ offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” he continued.

6 Errors That Could Lead to Leaks of Personal Health Information

Here are some common mistakes that you and your medical staff might be making that can put patients’ personal health information at risk:

1. Not using strong passwords. Whether at work or at home, it might be too easy for a hacker to suss out your password and gain access to your patients’ information. Don’t use names, words easily found in the dictionary, or anything similar to a previous password that you’ve used. A strong password is at least eight characters long and contains a combination of upper and lowercase letters, numbers and symbols. Also, be sure to change any default passwords on any devices.

2. Accessing unencrypted data on a portable device. Cybersecurity expert Steven J.J. Weisman, who teaches white collar crime at Bentley University, warned that people may not realize the need for strong security measures for smartphones, tablets and other portable devices, which are now widely used in healthcare settings. Also, your medical team may not realize the potential hazard of logging onto an unsecured network in public.

3. Allowing too much access to patient data. Who has access to your patients’ private information? Your organization may be allowing too many people in the office or practice to have access, which opens up more possibilities for breaches. “Access to patient records should be limited, based on staff members’ duties and needs,” said Jason Glassberg, co-founder of cybersecurity firm Casaba Security. New team members, including those working locum tenens assignments, should clarify policies and access rules if there are any questions.

4. Clicking on an attachment. Even with security measures in place, emails that may appear legitimate could get through, and hold hidden dangers. If an email appears in your inbox and you don’t recognize the sender, whatever you do, don’t open any attachments. If the sender is malicious, the attachment could cause spyware or malware to download on your computer or device that could jeopardize the safety and security of medical records and other sensitive information.

5. Not updating computer systems. Healthcare providers can’t expect to keep patient information safe if their computer systems and anti-virus and anti-malware software aren’t up to date. “I’ve personally seen doctors’ offices where they were still running Windows XP even after Microsoft stopped supporting it,” said Tom DeSot, executive vice president and chief information officer of Digital Defense Inc. He added that it’s also important to stay current on patches that get released to ensure systems aren’t vulnerable.

6. Medical staff not fully understanding the risk. While most health care providers are made aware of HIPAA laws, they may assume that technology safeguards and common sense are enough to protect patient privacy. Your unit or practice shouldn’t assume that everyone knows the policies and best practices; in-service training can keep everyone vigilant.

How to avoid data leaks and address any problems

Some of the mistakes mentioned above may result in only minor consequences, but even small health data breaches could lead to big problems. That’s why it’s important for organizations to adopt internal policies and procedures that can reduce the likelihood of PHI leaks, the researchers noted.

“What I always counsel is that you have to build a cage around the data that is sensitive,” said Kim Verska, a certified information privacy professional with the law firm Culhane Meadows. “You have to put barriers in place in real life against the things that people can do.”

For example, consider a situation in which someone needs to take a laptop containing patient data out of the office. Maybe they’re headed to a conference or a meeting, or maybe they’re just taking some work home. It’s imperative to already have in place a policy governing the protection of data before that person is allowed to walk out with the device.

Weisman recommended that practices or organizations institute policies with rules that require encryption of data, strong passwords and two-factor authentication. “All electronic devices including laptops and phones that may be used in regard to patient data must have proper security software, constantly updated, and all data should be encrypted,” he emphasized.

What else can you do? One of the most essential factors in reducing the likelihood that you or anyone in your organization could leak patients’ health information is to educate everyone on your team.

Educate them about the unintentional things that they may be doing and what they should be doing instead, as well as how to avoid falling victim to a scam. Go over the policies and procedures and reiterate best practices. Warn people about potential situations in which they may be vulnerable, like being the victim of a spear phishing attempt—which is when a hacker targets an individual and sends them an email with the goal of surreptitiously installing malware on the person’s computer or stealing data.

But don’t just hold one training session and consider it done. You may need to hold ongoing training sessions to keep everyone up to speed on health data security.

“If you have new staff, then it’s really not enough to make them sign something when they come aboard,” Verska added. “You have to talk to them about it.”

The bottom line is that you need to be proactive and prepare your reaction to breaches, said Shane Pratt, senior vice president of customer experience for Z5 Inventory, which provides supply chain solutions for hospitals.

“The question isn’t ‘if’ but ‘when,’” he said. “So, you need to have a plan for early detection that leads to quick, thorough responses. Invite employees to report potential issues without any fear of blame or retribution. Because the longer you wait, the more it will cost you.”
