Thursday, April 12, 2012
The last time we ran a headline like that, hackers were using an automated program with generic user accounts to infiltrate our e-mail server here at OPEN MINDS (see We Were Almost Hacked!). This time around, we’re talking about something far more important: the Utah Medicaid system was hacked on Friday, March 30 (see Medicaid hacked: over 181,000 records and 25,000 SSNs stolen).
The breach was one of the worst to date. One in six people in Utah (almost 800,000) have been affected by the security breach of the server that houses Utah Medicaid claims. Personal information for 181,604 Medicaid and Children’s Health Insurance Plan (CHIP) recipients was reported stolen.
If you’re like many managers, your first reaction is to be glad your data was not in the Utah Medicaid system. The second is to wonder whether the same thing could happen at your organization.
The changing health and human services landscape is making data interconnectedness and information sharing a ‘must have’ competency (see Managing in an Era of Bioconnectivity). But with this increase in connectivity comes increasing cyber-risk. Where do these risks come from? According to the 2012 HIMSS Analytics-Kroll Advisory Report, 79% of breaches were caused by employees, 18% of organizations experienced a breach by a third-party partner, and the increasing use of mobile devices is a large contributor to breaches.
What should you be looking for in your system to prevent these risks? Give some thought to these four preventive measures…
Encrypt: Most mobile devices, laptops, back-ups, archives and the majority of computers are not encrypted. This is the one step that is recognized as a best practice, yet it is not used nearly enough. If data is encrypted, there is no duty under the Notification Rule to notify clients if a breach occurs (the “safe harbor” clause). While HIPAA requires that data be encrypted at 178 bits, your software provider may offer 256-bit encryption, which is considerably more secure.
Use strong authentication: User names and passwords are abundant in our lives. Requiring users to change their passwords every 60 days, to use a combination of characters and symbols, or to use biometrics will help prevent unauthorized access. It is also important to use any access control features your EHR may have, so that only certain people are allowed to see certain information.
Make sure you have “best practice” policies and procedures: Would your policies and procedures be considered ‘antique’? Review and revise them at least once a year, if not more often. Make sure they impose sanctions on employees who violate them, and include policies on monitoring third-party partners and on incident response planning (this is especially important if you use a cloud-based EHR).
Create awareness of cyber-risk among your team: Most breaches are caused by human error, such as leaving a laptop in the trunk of a car or writing a password on a post-it note. Mandatory staff education will cost your agency less than a fine from the OCR.
I could go on (and on) with other measures to enhance your security and keep hackers out of your systems. The options are many: locking accounts after a certain number of failed log-in attempts, vulnerability testing of your systems, data mapping, firewalls, digital signatures, a yearly logical penetration test, free credit monitoring for clients, risk assessments performed on a regular basis, audit trails that are reviewed and updated regularly, tools to shut down the system if hacking is detected, building and computer room security, care in how you dispose of old hardware, thorough third-party screening. But these four steps are the “must haves” in my view.
If you don’t have a risk assessment checklist, that’s a great place to start. Or you can take a look at the Health and Human Services guide on how to do risk assessments (see Privacy and Security Toolkit). An assessment will cost you far less than a fine from the OCR.
Lisette Wright, M.A.
Senior Associate, OPEN MINDS
For another free resource, see: It’s The People, Stupid!