5 Actions to Take to Secure Healthcare IT Systems and Prevent HIPAA Breaches
The publishing of data from the 2013 Survey on Medical Identity Theft by the Ponemon Institute has highlighted the prevalence of medical identity fraud and has shown the crime is becoming much more commonplace. Over the course of past 12 months the number of reported cases of medical identity fraud has risen by 20%. There are now believed to be over 1.84 million Americans now affected by medical identity fraud. The cost is colossal and is a huge drain on the economy, while the victims have had to cover over $12.3 billion in out of pocket expenses.
Many of the victims have had their medical records exposed in data breaches at healthcare organizations. If data breaches result from violations of HIPAA regulations, healthcare organizations can be held accountable. The HHS Office for Civil Rights is issuing substantial fines for non-compliance and class action lawyers are keen to sign up victims of data breaches to claim damages.
Even in cases where PHI has been accidentally exposed or been deliberately hacked, healthcare organizations can still face hefty fines. In extreme cases it is possible than licenses will be lost.
HIPAA fines may be limited to $1.5 million per year, although Columbia/HCA recently discovered the total financial cost of security breaches can be substantially higher. It was required to pay $1.7 billion in financial penalties, fines and lawsuits for numerous cases of Medicare fraud.
There are a number of ways that criminals can use Protected Health Information to obtain goods and services. With access to the right information, thieves can submit insurance claims, obtain treatment for illnesses, get prescription drugs, obtain free medical care and inflate treatment claims. The rewards for criminals are so high that there is a huge market for stolen health information on the black market.
In addition to the financial problems identity theft creates for the victim, having another person’s medical history entered into a personal medical record can result in improper medication being issued and has potential to cause serious health problems.
Medicare Fraud also costs the economy billions of dollars every year. To tackle the issue and prevent losses, the Department of Justice along with the HHS created a new action team that is focused on tackling Medicaid and Medicare fraud. The enforcement unit, termed Health Care Fraud Prevention and Enforcement Action Team (HEAT), was set up in May 2009 and was tasked with saving the billions of dollars being lost in medical fraud. In 2011, it managed to close down networks that had fraudulently billed $530 billion.
In light of the increased risk of accidental disclosure of PHI, the high value of patient data to thieves and the substantial penalties being issued by the OCR, healthcare organizations are advised to take prompt action to ensure that privacy and security systems are robust, active, up to date and that they comply with all HIPAA-regulations.
Measures which should be taken to improve privacy and security include:
1. Conducting a full risk analysis of IT systems – The analysis should identify all software and hardware that touches data. It may not be immediately apparent that software programs access PHI and care should be taken to ensure all systems are thoroughly analyzed.
2. Purchase software and hardware that permits scans of data in motion and at rest, and that it can be adapted to meet the needs of your organization. It must be possible to conduct a number of regular checks to ensure operational security and identify security issues.
3. An automated monitoring system should be implemented to record data access and keeps logs. These access logs must be checked frequently and any anomalies investigated. Logs must be retained to confirm compliance with data privacy and security rules.
4. When security risks or threats are identified they must be removed promptly and the easiest way to do this is to set up automated processes to scan and quarantine infected files. New content should be automatically encrypted and made secure.
5. Develop a system of classification and nomenclature for different types of data for ease of identification of the correct security procedures to use. Make sure that it is abundantly clear what data is classed as protected and to ensure the staff is trained on all obligations under privacy and security regulations.