5 Ways to Prevent Hidden Risks
I recently visited a medical practice to conduct a Meaningful Use Security Risk Analysis. They told me their EHR patient records were being backed up offsite every 30 minutes by their EHR vendor. I called the EHR vendor for verification. What they verified was that the data had never been backed up by them. In fact, they said they didn’t offer that service.
I met with the doctors and said I had started their risk analysis but had discovered a huge risk to their practice. I told them this was like discovering a lump during a physical. It needed immediate attention before we could move on with the risk analysis. They had 7 years of patient records that would have completely disappeared if their building had burned down, if their servers (sitting in an open area of their office) were stolen, or if a recent tornado had hit them instead of a few miles away.
The doctors told me that their EHR sales rep assured them their data would be backed up “every 30 minutes to Atlanta.” They assumed this was being done but had never checked. Then one of the doctors said their practice might not be able to stay in business if they had to tell their patients (and the world) that they had permanently lost all of their medical records.
You can’t blame a vendor if you are caught violating HIPAA. You might get some compensation if a vendor loses your data but that might be excluded in the fine print of your contract. HIPAA audits are coming back in a much greater way than before. Meaningful Use audits happen every day and can result in the return of incentive funds or even charges of Medicare fraud.
Thousands of data breaches are investigated each year. Data breach enforcement can come from the HIPAA enforcement agency, PLUS state attorneys general and agencies, the Federal Trade Commission (FTC), and through malpractice lawsuits using HIPAA as a Standard of Care. In fact, multiple authorities can all gang up for a single data breach and become a nightmare.
Just ask Community Health Systems, which had a recent breach of 4.5 million records, and has reported and is facing investigations at the federal level and in 29 states. Lawsuits have already been filed. Or ask Accretive Health Plan, which after a breach was banned from doing business in Minnesota for 2-6 years, and placed on a 20-year monitored compliance plan by the FTC for the same breach.
Don’t You Believe Me?
When doing a HIPAA/Meaningful Use security risk analysis we always ask the client for evidence to support what they have told us. We are often there to follow up on a risk analysis they did themselves, after which they became doubtful that their self-analysis would pass an audit.
They ask, “Don’t you believe me?” We reply, “We do believe you are telling us what you think is the truth, but sometimes people are wrong. Please show us evidence.”
Many times the evidence proves the person wrong, but most often there is no evidence at all to support their ideas. These are good people, not liars. They have simply deceived themselves. When they didn’t know something, they assumed the best and said they were secure and compliant.
It’s not just medical practices. We have similar experiences with hospitals and business associates.
We rely on evidence from technology assessment tools that look “under the skin” of a network to see what is really going on. Our opinions are based on data and facts, not guessing.
What We See
We often find:
- Medical practices that don’t have the fundamental technology resources to comply with HIPAA.
- Computer networks built by part-time friends and family members, even doctors, who have no IT security education.
- Vendors who don’t follow HIPAA during their implementations, leaving their customers at risk of data breaches and compliance violations.
- Vendors who don’t follow through on their promises.
- The worst thing of all, clients who blissfully fail to validate that their networks and EHR implementations include the security and compliance they thought they were buying.
We worked with a hospital that told us they had a high quality network firewall from a leading vendor. Searching for evidence, we looked at its configuration and discovered that the firewall had no security features implemented. The IT department told us that the Chief Financial Officer had turned down their budget request for the security features, so they installed the firewall anyway even though it had no protections against outside intruders.
An IT managed services provider spoke with a leading dental software company and told them the way they were setting up a dentist’s network was not compliant with HIPAA. He said their response was, “Don’t worry about HIPAA.” We heard a similar thing from a dental technology company at a trade show when we asked why some security features were disabled in their product. They said, “Dentists don’t want to be inconvenienced by Security and HIPAA.” We replied that dentists aren’t exempt from HIPAA nor do they have a special line to bypass TSA at the airport. Why do I think that the dental clients assume that their software vendor is helping them comply with HIPAA, not leading them into a compliance violation?
What You Can Do
The mission of the HIPAA regulations is protecting health information. You should focus on that instead of buying administrative tools to look compliant.
- Focus on Security before Compliance. You can look compliant but not be secure. Just looking compliant won’t prevent breaches, which are far more likely to occur than compliance audits.
- Become knowledgeable about HIPAA. Many of the HIPAA training programs we have seen are designed to get the training requirement out of the way, not educate staff and really show them what they should do and shouldn’t do. If you are responsible for HIPAA in your organization you should know what is required. HIPAA training should be more than a formality.
- Invest in IT experts to secure your network, and in devices that provide adequate security and compliance. Doctors refer patients to specialists every day. Refer yourself to an IT security specialist who has a HIPAA certification. Demand evidence that your network is secure.
- Validate, validate, validate. President Ronald Reagan said, “Trust but verify.” Have your IT security professionals validate that offsite backups are occurring and can be restored, that your network has active perimeter security against intrusions, and that all of your systems are getting their security patches and updates to their endpoint protection software.
- Talk to us. Through us you can offload critical compliance tasks, prevent data breaches, and be prepared for audits and investigations. Semel Consulting offers risk analysis and HIPAA compliance assessments that are independent, thorough, and accurate. We also offer HIPAA Security Officer Services (HIPAA SOS) that includes the risk analysis and compliance reports, plus policies, procedures, cybersecurity training, incident investigation and management, and consulting for a year. We will work with your IT department or IT vendor to make sure your technology is secure and your data is really protected. Our clients tell us we find things others have missed. We can even help you protect the value of your practice, your license, and your career.
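The “validate, validate, validate” item above is the one the practice in the opening story never did: nobody checked that the promised 30-minute backups existed or could be restored. The script below is an added example, not code from this post or from Semel Consulting; it turns that check into evidence by listing a backup folder, confirming the newest copy is within the claimed interval, and restoring it to scratch space to compare against a recorded SHA-256. The file naming scheme (ehr-YYYYMMDDTHHMMZ.bak with a .sha256 sidecar) and the fixed clock are assumptions for the demonstration.

```python
import hashlib
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# The practice was told backups ran "every 30 minutes"; that claim is the
# freshness bar. The naming scheme ehr-YYYYMMDDTHHMMZ.bak is assumed.
CLAIMED_RPO = timedelta(minutes=30)
NAME_RE = re.compile(r"^ehr-(\d{8}T\d{4})Z\.bak$")
NOW = datetime(2014, 9, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo

def verify_backups(backup_dir, now=NOW, rpo=CLAIMED_RPO):
    """Evidence check: a backup exists, the newest is within the claimed
    interval, and a scratch restore of it matches its recorded checksum."""
    found = [(datetime.strptime(m.group(1), "%Y%m%dT%H%M").replace(tzinfo=timezone.utc), n)
             for n in os.listdir(backup_dir) if (m := NAME_RE.match(n))]
    if not found:
        return False, "no backups exist"
    ts, name = max(found)
    if now - ts > rpo:
        return False, f"newest backup is {now - ts} old; claimed every {rpo}"
    src = os.path.join(backup_dir, name)
    if not os.path.exists(src + ".sha256"):
        return False, "no recorded checksum to validate a restore against"
    expected = open(src + ".sha256").read().split()[0]
    restored = shutil.copy(src, tempfile.mkdtemp())  # restore to scratch, never in place
    actual = hashlib.sha256(open(restored, "rb").read()).hexdigest()
    if actual != expected:
        return False, "restored copy does not match recorded checksum"
    return True, f"{name} is {now - ts} old and restores intact"

def make_sample_backup_dir(minutes_old=None, corrupt=False):
    """Constructed fixture: an empty folder (the story's case), or one backup
    of the given age with a checksum sidecar (corrupt=True records a wrong one)."""
    d = tempfile.mkdtemp()
    if minutes_old is not None:
        stamp = NOW - timedelta(minutes=minutes_old)
        path = os.path.join(d, f"ehr-{stamp:%Y%m%dT%H%M}Z.bak")
        data = b"constructed sample payload, not patient data\n"
        with open(path, "wb") as f:
            f.write(data)
        digest = "0" * 64 if corrupt else hashlib.sha256(data).hexdigest()
        with open(path + ".sha256", "w") as f:
            f.write(f"{digest}  {os.path.basename(path)}\n")
    return d
```

Calling verify_backups on an empty folder reproduces the opening story (no backups at all), while a 3-hour-old copy fails the 30-minute claim and a mismatched checksum fails the restore test.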