Breaches stemming from HIPAA violations have cost healthcare entities hundreds of thousands, and even millions, of dollars in penalties. Hackers now find medical data ten times more valuable than credit card data. According to Reuters, cyber criminals use provider and patient numbers to buy and then resell medical equipment or drugs, and to file false claims with insurers.
Many medical offices are strewn with unintentional HIPAA violations. “An office sent me a photo of their monitor to help with an IT problem,” says Thomas Kane with Keep IT Simple. “It showed all the sticky notes around the monitor that listed passwords. They had just unintentionally given me access to everything.”
A more hidden HIPAA violation lies in unsupported software. The next such event occurs this year on July 14th, when Microsoft ends support for its highly popular Windows Server 2003. After that date, Microsoft will no longer issue security patches to protect against new viruses or malware.
“Which means all the hackers of the world are waiting for that day when they can go in and find those open gateways into servers running that software,” says William Sester with TekLinks.
Any time patient information is shared outside the practice or accessed from outside it, HIPAA has requirements. To create secure remote access, practices need to require a different user name and password for access to protected health information (PHI) when offsite, employ 128-bit AES encryption, allow passwords to be changed immediately, and activate automatic log-off of the connection after a short period of inactivity.
“Audit the usage log, too, so you can review when people log on,” Kane says. Logs reviewed at one practice revealed that the husband of a front-desk employee signed in from their home every few days. Her remote access was cut.
Even on cloud-based data, the same vulnerabilities exist. “You can cut your exposure by setting it so nobody but the physicians have access after seven pm or only certain usernames have access from certain IP addresses,” Perry says.
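As an added illustration of the log review and access-window rules described above (example code, not from the article or its sources): the log format, account names, networks and hours below are all constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed policy (assumption): staff 07:00-19:00 only, physicians any hour, each account only from approved networks.
ALLOWED_HOURS = {"physician": (0, 24), "staff": (7, 19)}
ROLES = {"dr_lee": "physician", "jdoe": "staff"}
ALLOWED_NETS = {"dr_lee": ["10.20.0.0/16", "203.0.113.0/24"],
                "jdoe": ["10.20.0.0/16"]}

# Constructed remote-access log: "<ISO time> <user> <source ip> <result>"
SAMPLE_LOG = """\
2015-03-02T08:15:03 jdoe 10.20.4.17 success
2015-03-02T21:40:11 jdoe 198.51.100.23 success
2015-03-03T22:05:47 dr_lee 203.0.113.9 success
2015-03-05T20:58:30 jdoe 198.51.100.23 success
2015-03-06T09:02:12 jdoe 10.20.4.17 success
"""

def parse_line(line):
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "result": result}

def check_event(ev):
    """Return the names of the rules one login event violates (empty if clean)."""
    role = ROLES.get(ev["user"])
    if role is None:
        return ["unknown_user"]
    problems = []
    start, end = ALLOWED_HOURS[role]
    if not start <= ev["ts"].hour < end:
        problems.append("outside_allowed_hours")
    nets = (ipaddress.ip_network(n) for n in ALLOWED_NETS[ev["user"]])
    if not any(ev["ip"] in net for net in nets):
        problems.append("unapproved_source_ip")
    return problems

def audit(log_text):
    """Return (user, timestamp, ip, violations) for each successful but rule-breaking login."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        problems = check_event(ev) if ev["result"] == "success" else []
        if problems:
            findings.append((ev["user"], ev["ts"].isoformat(), str(ev["ip"]), problems))
    return findings

def repeat_sources(findings):
    """Unapproved addresses seen more than once: the pattern behind the 'logging in from home' case."""
    return sorted(ip for ip, n in Counter(f[2] for f in findings).items() if n > 1)
```

Run against a real export, the same two checks turn a periodic log review into a short list of accounts and addresses worth asking about.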
“A lot of times administrators overlook the importance of passwords,” Sester says. Even laziness in devising passwords can be a violation. HIPAA requires that passwords contain eight to nine characters and include uppercase and lowercase letters along with non-alphabet characters, like exclamation points. “Avoid common phrases and current crazes too,” he adds.
Following those guidelines, a computer could take years to guess a correct password. “Don’t use the same password at work that you use anywhere else, either,” Sester says. “You’ve heard about all the breaches. If you use the same password in multiple places, they can test that on other websites, including your workplace.”
Safeguarding the Workstation
“Set all your monitors to go to the password screen after 15 minutes if there’s no activity,” Kane says, because allowing the public to view computer screens that contain patient health information violates HIPAA requirements.
“You should also install privacy filters on any computer where patients can see the monitor,” Perry says. The filter, a thin skin that overlays the screen, distorts anything on the screen unless viewed from the front of the computer.
The desire to expedite workflow regularly supersedes thoughts of protecting PHI. “That’s why unsecured texting is a rampant violation at practices,” Sester says. “For instance, if the nurse texts the doctor at the hospital that his patient, Mary Smith with chest pains, is in a certain bed, that’s protected health information. Think about what you’re supposed to shred in the office. That’s what you don’t share unless it’s secure.”
The solution is secure text messaging. “Many software developers have apps for that,” Sester says. But there’s no way to ensure an app is HIPAA compliant or secure.
Sester recommends using common sense. “If it says in print and on their website that the app is secure, it’s likely to be. But if only a sales rep tells you or it’s a mom-and-pop app, that’s different.”
Business Associate Agreement
Besides the technology itself, a common unintentional HIPAA violation lies in the relationship with vendors who access patient data, including IT companies. “You need to have them sign a Business Associate Contract. It’s an agreement to not share the data with others,” Kane says.
In the event of a breach by the third party, the agreement shifts some liability off the practice and onto the vendor. A sample business associate contract can be downloaded from the hhs.gov website.
“If practices, especially smaller ones, try to dot every i and cross every t to be 110 percent compliant with HIPAA, they’d be out of business, because they don’t have the resources to pull all this off,” Sester says.
He recommends that administrators and physicians take note whenever they hear something about a HIPAA/HITECH regulation. “If you see it mentioned again, pay attention. If you see it a third time, you know it’s serious,” Sester says. “And you need to make sure you’re compliant.”