Nearly every industry in the United States has state and federal regulations as well as standards companies must follow to achieve quality control of outcomes. For example, the Sarbanes-Oxley Act for the financial industry is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. The North American Electric Reliability Corp. (NERC) standards for the utilities industry were developed to enforce reliability standards for the bulk-power system of North America.
A major regulation with which healthcare providers and other entities within the industry must comply is the Health Insurance Portability and Accountability Act (HIPAA). One of its key goals is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.”
Under HIPAA, covered entities – which encompasses healthcare providers, payers and clearinghouses that create, receive or transmit PHI – must ensure they’re compliant with the HIPAA Security Rule and its administrative, physical and technical safeguards. The Security Rule was established “to protect
individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.” However, these entities often encounter obstacles in compliance, including securing communication, protecting mobile devices, and addressing outside threats with a changing regulatory environment. A lack of compliance can lead to costly HIPAA violations.
Challenges to HIPAA Compliance
Healthcare providers that fail to address weak spots in HIPAA-compliance risk a loss of revenue, a damaged reputation, along with fines and fees. They also make themselves vulnerable to a possible data breach, in which the average price per record is $360. Stolen medical data can sell for 10-20 times more than credit card information. Medicare numbers can be sold for $500 apiece. In cases where a HIPAA breach compromises protected health information (PHI), the average cost is $7.79 million.
You might be surprised to learn that only about half of data breaches are the result of criminal or malicious intent. The other half can be attributed to human error and system glitches. According to research, the three top security vulnerabilities found in health systems and hospitals are user authentication deficiencies, endpoint leakage and excessive user permissions.
User Authentication
Defined as the verification of an active human-to-machine transfer of credentials required for confirmation of a user’s authenticity, this can be achieved through password strength requirements, single sign-on controls and the locking of accounts after too many failed login attempts. For example, user authentication can reduce the risk when a staff member in a doctor’s office might use a generic password, send an unencrypted email over an external network or have his or her password visible to patients and other staff members.
Security information website Security Boulevard lists password reuse paired with the use of exposed passwords or healthcare staff sharing passwords as the largest password vulnerabilities within the healthcare industry. Lack of user authentication also can occur when a health system, hospital or provider does not implement procedures to govern the release or disclosure of ePHI during an emergency.
Endpoint Data Leakage
Although the leakage of data through various endpoints does not always transpire through a malicious act, healthcare providers that compromise PHI put themselves in an expensive predicament. The International Association of Privacy Professionals (IAPP) notes employees are believed to be responsible for approximately 84 percent of data breaches.
One common situation that results in endpoint leakage is the use of mobile devices that utilize endpoint interfaces such as Wi-Fi and Bluetooth. Another is employees copying proprietary information from their computers to portable storage devices. Not all healthcare entities employ education and training to provide their staff members with rules and regulations on how to handle PHI and other sensitive data.
Excessive User Permissions
The Identity Management Institute states, “excessive access rights beyond someone’s normal job functions create an opportunity for errors, accidents and exploits which can affect the confidentiality, integrity and availability of data and systems.” A healthcare employee with unnecessary access to patient data might unlawfully copy, change or distribute it without his or her employee knowing.
Importance of Patient Privacy
Again, not all instances of noncompliance and breaches of PHI are the result of intentional acts. However, that does not make them any less problematic. Patients value the confidentiality of their health records, especially when they have an injury or illness they may want to keep private. Plus, patients who trust their health systems to protect their data likely receive better outcomes.
The U.S. government also takes PHI seriously. Criminal penalties for HIPAA violations vary from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Penalties for civil HIPAA violations range from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million. Denying a patient access to their PHI or not providing it within 30 days of the request can result in a HIPAA violation as well.
Standards for patient data security provide direction for healthcare providers. The HIPAA Security Rule requires “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.” With many healthcare entities implementing bring your own device (BYOD) policies, these safeguards should also be applied to mobile devices.
Suggestions for Data Security
There are multiple ways hospitals, health systems and providers can protect patient medical records and other PHI. First and foremost is training employees on company and industry policies and procedures correlated with handling PHI. Other recommendations include:
- Performing a risk assessment to identify, address and correct weaknesses.
- Defining access authorizations for all devices.
- Regularly reviewing access permissions.
- Understanding gaps in the security controls related to user authentication and the percentage of risks around the flaw.
- Prohibiting employees from connecting to public Wi-Fi networks using a device with access to PHI.
- Ensuring remediation plans are implemented for user authentication deficiencies.
- Keeping track of what devices employees are using to access PHI.
- Verifying PHI and other data is encrypted in transit and at rest.
- Ensuring all devices use up-to-date antivirus software.
- Utilizing a virtual private network (VPN).
Streamline Your Compliance Initiatives with maxRVU
maxRVU Charge Capture achieves the utmost secure standards to safeguard patient data using encryption of all data transmission, submission and storage. Data is also strictly controlled by permission-based architecture for authorized, authenticated personnel users. Sign up today to start your free trial of maxRVU – training is included!
