Data breaches a near certainty

In today's digital climate, says Jennifer Searfoss, Esq., loss or breach of protected health information (PHI) is not a question of likelihood – "It's a certainty. It's just a question of when, and of what nature." As chief solutions strategist for Ashburn, Virginia-based consulting firm SCG Health, she says she hears of new data breaches in dermatology daily.

"Most dermatologists probably received no specific training in information security,” says Jules Lipoff, M.D. “Younger physicians may be more comfortable in this arena because they've grown up with electronic communications. But really, everyone is at risk." Dr. Lipoff is assistant professor of dermatology at the University of Pennsylvania.

Mr. SchoberThe depth and richness of healthcare data make it a "top three" target in terms of financial damage being done, says Scott Schober, president and CEO of Berkeley Varitronics Systems. Rather than making hundreds of dollars in bogus retail purchases, he explains, medical-history information allows thieves to order – and get paid for – thousands of dollars in appropriate-looking tests before anyone notices.

"The value of stealing someone's medical identity is 10 times that of their basic identity," Mr. Schober says.

Moreover, "It's very difficult to catch these criminals. It's not a single case of medical fraud." Instead, Mr. Schober says, thieves may take a year to test and package the data from up to 1,000 individuals and sell it for perhaps $100,000.

"It goes through several hands before it gets broken up and spread out, so you can't trace it back to the original cyberthieves," Mr. Schober says.

Any device employees or business partners use to access your network can be vulnerable (for data-security tips, see related article).

You've been hacked!

Ms. SearfossUnder the Health Information Portability & Accountability Act (HIPAA), physicians must report breaches involving "the acquisition, access, use or disclosure of PHI" to the U.S. Department of Health and Human Services (HHS).¹ If the breach impacts more than 500 people, physicians must report the name and state of the entity breached, number of records affected, type and source of the breach and involvement of any external vendors. When a breach impacts 800 people, says Ms. Searfoss, "we start looking at identity-theft protection and media releases. But I've never had a breach that was anywhere close to those numbers. It's either two or 200,000."

If a breach appears to impact 50 patients, Ms. Searfoss explains, "Those are just the 50 you know about." The problem likely has spread to hundreds or thousands of their connections. Often, says Mr. Schober, victims aren't certain what has been compromised – and it could cost six-figure consultant fees to ferret it out.

When one's practice experiences a suspected breach, the appropriate response depends on the problem's scope. If a portable device that uses encryption and remote-wiping capabilities is lost or stolen, says Ms. Searfoss, "That's not a reportable breach." If an incorrect bill goes to one patient, she says, your HIPAA privacy officer should document what happened, identify preventative tactics for the future and share this information with the patient.

NEXT: Data

But if you think a cybercrook has accessed hundreds of your patients' electronic health records (EHRs), experts recommended the following steps:

• "Stop everything and unplug your computers to prevent further damage. Disconnect from the Internet. Pull the plug from the wall," says Mr. Schober.

• Call your IT provider to confirm and investigate the breach, says Ms. Searfoss.

• Contact your HIPAA privacy officer, legal counsel and insurer. If a break-in occurred, call the police. When Mr. Schober himself was hacked in 2014, he discovered $65,000 missing from his checking account and notified his bank, which contacted the Federal Bureau of Investigation.

• Issue a press release.

• Notify impacted patients by letter, explaining what happened and how you're fixing it. If a patient has not disclosed their diagnosis to their family or employer, Ms. Searfoss says, "Call the patient before that letter goes out."

• Consult applicable state regulations, which may differ from those of HIPAA.

• Mr. Schober suggests contacting the Federal Trade Commission, which can advise physicians about reporting the breach to patients. It also offers short-term identity-theft monitoring and may send investigators.

HIPAA fines can range up to $40,000 per breach (not patient), says Ms. Searfoss, with the higher numbers reserved for large organizations that have neglected PHI security for years. Although HIPAA has existed for more than 20 years, she says, "I was recently in a dermatologist's office that had not posted its notice of privacy practices. That's a great marketing tool," and a HIPAA requirement.

Dr. LipoffDr. Lipoff says, "Most HIPAA violations that have been reported (80%, in one report)² have not been hacking or aggressive data breaching – it's more mistakes, such as people posting inappropriately on social media." Perhaps the strongest argument against personal phones in employee workspaces comes from a case in which a checkout staffer surreptitiously snapped a morbidly obese patient exiting a dermatology practice. When the photo appeared on Facebook – with a fat-shaming comment – the patient successfully sued the dermatologist, says Ms. Searfoss.

"I love younger people," she added, "but for whatever reason, we're seeing more frequently that they somehow think they're not going to get caught" hacking items like a local celebrity's electronic medical record.

A recent study found that among 949 data breaches involving more than 500 individuals reported to HHS between 2010 and 2013, two-thirds involved electronic communications.³ The most common type of data breach was theft, 58.2%.

The ease of sharing information via text or e-mail makes it easy to overlook security concerns, Dr. Lipoff says. In a survey he co-authored, "We found that 30% of dermatologists had patient photos on their personal phones," 48% of which were not secure or encrypted.⁴ Fortunately, Ms. Searfoss says that in her experience, such photos rarely contain personally identifiable details such as tattoos.

After being breached, says Mr. Schober, "Many companies are reluctant to report that they may have been compromised." But silence only fuels the problem, he says.

"As technology becomes more accessible and ingrained in what we do," adds Ms. Searfoss, "there will always be new sources of vulnerability."

Dr. Lipoff says, "Because patient information could be used for financial gain, we must be vigilant in establishing safeguards to prevent any breaches."

See related:  Protecting patient data is everybody's job

Disclosures:

Dr. Lipoff reports no relevant financial interests.

Mr. Schober is the author of Hacked Again.

Ms. Searfoss is chief solutions strategist, SCG Health.

References

1. The Health Insurance Portability and Accountability Act. https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996. Accessed November 11, 2016.

2.  Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene.JAMA. 2015;313(14):1424.

3. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-3.

4. Anyanwu CO, Lipoff JB. Smartphones, photography, and security in dermatology. J Am Acad Dermatol. 2015;72(1):193-5.