Before 2015, data breaches were mostly confined to retail businesses. However, as more patient information becomes digitized, big data breaches are becoming more common in health care. And hackers don’t discriminate; they target organizations of all types and sizes, ranging from big hospitals to small private practices. So, is there anything a small-to-medium-sized physical therapy practice can do to reduce the risk of a data breach? Performing a HIPAA risk assessment is an excellent first step.
No risk assessment can mean big fines.
As WebPT Chief Compliance Officer Veda Collmer explained in this blog post, “The HIPAA Security Rule requires all covered entities (a.k.a. providers) and business associates (a.k.a. the people and vendors providers do business with) to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI).”
But while these requirements have been around for quite some time, the healthcare industry is just beginning to appreciate the importance of HIPAA risk assessments. On August 20, 2018, Anthem accepted a $115 million settlement with the Department of Health and Human Services over its 2015 data breach, which—according to Thinkstock—exposed personal information on 79 million people. It was the largest data breach-related settlement in history until the Equifax breach in 2019. (Equifax will pay a fine of $700 million stemming from a data breach that exposed personal information on nearly 150 million people.)
Now, Anthem is one of the largest insurers in the country—not to mention a Fortune 500 company. So, how in the world did a hacker access Anthem’s systems? Using the weakest link in the security chain: humans. According to Anthem’s internal examination team—as well as a separate internal investigation group—it all started when a user within one of the company’s subsidiaries opened a phishing email that triggered a malware download. This allowed hackers to remotely access the user’s computer and at least 90 other systems within Anthem—including the organization’s data warehouse.
The Anthem data breach exposed the following protected health information (PHI): names, dates of birth, medical IDs or Social Security numbers, street addresses, email addresses, and employment information. The Equifax data breach, on the other hand, exposed sensitive information including names, Social Security numbers, driver’s license numbers, and addresses.
In the Equifax case, according to CNN Business, the organization first disclosed the hack in September 2017—three months after it discovered the breach. A security flaw in a web application-builder gave hackers a window into the company’s data stores, and Equifax admitted to knowing about the security issue two months before the hack. As noted here, the Federal Trade Commission (FTC) found that Equifax failed to “implement reasonable access controls” despite claiming to have deployed “reasonable physical, technical and procedural safeguards” to protect consumer data.
Both Anthem and Equifax were required by their settlement agreements to take a series of steps to improve their cybersecurity and provide credit protection for consumers affected by the breach. Of course, ideally, organizations that house sensitive data would take such security measures before experiencing a breach. And for any company—especially small-to-medium-sized healthcare practices—staff education is key to ensuring data security, as human error often is the root cause of security lapses.
Staff training is an effective defense.
One very effective way to reduce the risk of a data breach is to conduct employee training. Physical therapy practices can implement a simple employee training program to educate staff members about security best practices and teach them how to identify potential threats (such as phishing emails). Phishing is one of the top data breach causes; thus, it’s a prime training focus. Here are some common characteristics of phishing scams, adapted from this blog post by Wendy Zamora, the editor-in-chief at Malwarebytes Lab:
- Emails, text messages, or voicemails asking you to update or enter personal information—especially if those messages appear to come from a bank or government organization (e.g., the IRS)
- Messages (like those described above) that ask for login credentials
- Any difference between the URL shown on the message and the URL that displays when you hover over the link
- Messages in which the “from” address is imitating the address of a legitimate business
- Different formatting than you’ve seen with previous emails sent by that specific organization (e.g., the logo is pixelated, the buttons are not the right color, or there’s odd spacing in the body of the message)
- Obvious spelling/grammatical errors, poor sentence construction, bad word choice, and the general vibe that the message was written by a computer or someone who is not fluent in English
- An urgent or desperate tone (e.g., claiming that your account will be closed or has been compromised)
- The presence of email attachments from unknown or unexpected sources
- Links to unsecured websites (i.e., the URLs do not begin with “https” and/or do not have a lock symbol next to them in the address bar)
Policies and preparation are key.
Bringing it all back to preparation, perhaps the biggest takeaway from the Anthem and Equifax breaches is the importance of performing a risk assessment. After all, as Collmer wrote in the previously cited post, “failing to conduct a HIPAA risk assessment can be a risk in and of itself.” Whether you work in a small physical therapy practice or a large healthcare organization, a HIPAA risk assessment will help you protect patient information by identifying and understanding the security and privacy risks to your patient records. Check out Collmer’s full blog post to learn more about the how and why of HIPAA risk assessments in rehab therapy.
Looking to enlist some professional help? Tools such as SunHawk Consulting’s “HIPAA Check™” take the guesswork out of completing a risk assessment. HIPAA Check™ uses an algorithm to assess OCR settlement agreements and guidance and analyze regulatory risk for each Security Rule requirement. It also helps you prioritize items with higher regulatory risk, as those items will have a significant impact on the risk to your ePHI. (WebPT Members can access a special version HIPAA Check, which includes seven free HIPAA policies and procedures, via the WebPT Marketplace.) Sunhawk also provides materials that can help you set proper expectations with your staff, and thus, greatly reduce your practice’s security risk.
Jan Elezian, MS, RHIA, CHC, CHPS, is a director at SunHawk Consulting.