If one could sum up the 2010s in one word, that word would be “data.” And the healthcare industry has not been immune to the data revolution. The Health Insurance Portability and Accountability Act’s (HIPAA) primary area of concern in 2017 has been data security. That said, HIPAA breaches such as employee gossip, for example, still pose a threat to protected health information (PHI).
Students pursuing a Doctor of Nursing Practice program must be intimately familiar with HIPAA and cybersecurity. Their careers will bring them into close contact with protected confidential material on a daily basis. They will also be tasked with finding new ways to train their nursing staff to identify and help combat cybersecurity threats.
Advanced Technology, Advanced Risk
Over the past few decades, everything from medical records to prescriptions, credit card numbers, insurance information, and confidential details of all sorts have been transferred from paper files to computers in the form of electronic health records (EHRs).
The benefits of EHRs include portability, accessibility by multiple users, and networkability enabling providers, patients, and payers to coordinate efficiently. However, EHR security breaches range from simple flaws in network security to determined, focused attacks maliciously orchestrated by expert hackers.
In May 2017, a simple authentication flaw in Molina Healthcare’s network exposed up to 4.8 million patient records. The exposed data included names, addresses, birth dates, diagnoses, and other medical information about individual patients, according to healthcare IT expert Jessica Davis in her Healthcare IT News article, “Molina Healthcare Breached, Exposed Patient Data For Over A Month.”
Where The Vulnerabilities Lie And How To Avoid Them
While the majority of HIPAA breaches involve unauthorized access to protected information, the ways these breaches begin don’t always involve computer hacking. Data breaches can start with something as seemingly innocuous as a lost cell phone.
Several types of HIPAA violations can be found among healthcare organizations, according to HIPAA training authority Jason Karn in his NeuMD blog post, “The Top Ten HIPAA Violations And How To Prevent Them.” They include:
- Lost or stolen devices – Require encryption on all employee personal devices that could at any time be used to store, view, send, or receive confidential data.
- Hacking – Update passwords, utilize software firewalls, keep malware-scanning software up to date constantly, and always update software.
- Employee dishonesty – Workers caught accessing information they are not authorized to access should be subject to strict disciplinary action, up to and including fines and imprisonment.
- Improper disposal – Ensure that information that is no longer needed is properly destroyed or erased either through physical shredding or the proper wiping of hard drives.
- Third-party disclosure – If you have to share information with business associates or subcontractors, be sure to view their HIPAA compliance plans before signing any contracts or agreements.
- Unauthorized release – Only release patient records to the patient, the patient’s parents if the patient is a minor, or in cases where a legitimate power of attorney exists.
- Unencrypted data – Not only mobile devices, but laptops, desktops, and servers should be properly encrypted to satisfy HIPAA requirements.
- Lack of training – Ensure that all employees are thoroughly educated in the proper handling of PHI in compliance with HIPAA, and be sure to do periodic follow-up and continuing education.
- Unsecured records – Lock all physical records in filing cabinets, lock buildings or offices that house PHI, encrypt computers, and use complex passwords that are changed frequently.
- Word of Mouth — Focus training programs on the dangers and subsequent punishments associated with divulging sensitive information in casual conversations outside of a confidential setting.
Essentially, healthcare facilities can best avoid HIPAA violations through proper training, encryption of sensitive data, and the establishment of strict procedures. Students studying to be doctors of nursing practice will eventually be in positions to have responsibility for their patients’ PHI.
Training programs must also focus on the social networking habits of healthcare employees. Personal social network accounts should be kept separate from business accounts, personnel should avoid “friending” patients, and everything posted on social media should be assumed to no longer be private, according to healthcare law expert Kyna Veatch in her Law360.com article, “A Checklist For Avoiding HIPAA Violations On Social Media.”
A Word On EHRs And Ransomware
Most modern-day HIPAA violations involve EHRs, in one way or another. EHRs can be accessed through healthcare facility computers, doctors’ and nurses’ mobile devices, and apps installed on patients’ smartphones. More access points to secure networks mean more security vulnerabilities.
Calyptix Security warns healthcare businesses in its company blog post, “Healthcare Data Breaches Expected To Dominate 2017,” that stolen EHR information can be used to open fraudulent credit cards, bill insurance companies and government medical services (including Medicare or Medicaid), create fake IDs, and obtain controlled substances.
Ransomware is potentially the worst possible hacking assault a healthcare organization can face. In a ransomware attack, hackers break into a secure system and encrypt files so that they can no longer be accessed. The hackers then exchange the decryption key for a ransom (usually in Bitcoin).
Encrypted files will grind a healthcare business to a halt. Patients’ medical records will be inaccessible for the duration of the attack, so unless a backup copy exists on a separate server or in hard copy, healthcare providers will find it next to impossible to treat patients.
Even though some hospitals have paid ransoms to hackers in the past, the FBI recommends never paying. The best way to guard against ransomware is to have separate backup servers in place, just in case.
Doctor of Nursing Practice Program At Duquesne University
Duquesne University’s online Doctor of Nursing Practice program educates graduates to be ready and able to affect the way healthcare is practiced. Coursework in healthcare policy, finance, information systems, and translating evidence into practice will enable students to increase their facilities’ overall efficiency and effectiveness by adapting policy to the ever-changing landscape of healthcare. Contact Duquesne University today to learn more about its online DNP degree.
- Molina Healthcare Breached, Exposed Patient Data For Over A Month http://www.healthcareitnews.com/news/molina-healthcare-breached-exposed-patient-data-over-month
- The Top Ten HIPAA Violations And How To Prevent Them https://www.nuemd.com/blog/top-10-hipaa-violations-prevent-them
- A Checklist For Avoiding HIPAA Violations On Social Media https://www.law360.com/articles/743560/a-checklist-for-avoiding-hipaa-violations-on-social-media
- Healthcare Data Breaches Expected To Dominate 2017 http://www.calyptix.com/hipaa/healthcare-data-breaches-expected-to-dominate-2017/