Tuesday, August 14, 2012
When was the last time you thought of extortion? A celebrity lawsuit, perhaps? Now we have health record extortion in the health and human service field. In a case that just came to light, a small Illinois surgical practice had its internal server hacked. The hackers encrypted patients’ health information and offered it back to the practice “for a ransom” (see the FierceEMR story, EHR hackers encrypt files, demand ransom). I call it EHR extortion.
Unlike the usual fear in hacking cases, there was no threat of exposing the information or using it for medical identity theft. Rather, the hackers seemed to take great care with the information they obtained, encrypting it in the hope of profiting from the medical practice (in this case it didn’t work: the police were notified and no money was handed over to the hackers).
No matter where you store your data (internally or in the cloud), or whom you share your data with, it is critical that you pay close attention to security issues. Even when the technical and physical safeguards of the HIPAA Security Rule are addressed – access controls, audit controls, integrity, person or entity authentication, and transmission security – security is never really guaranteed. Here are three additional things you can do to help minimize your risk:
Perform a Security Risk Assessment as required by the HIPAA Security Rule – This is a “must-do” first step for any organization implementing an EHR system. It will help you understand what your vulnerabilities are and how best to remedy them (see Privacy and Security Toolkit: Risk Assessment Basics).
Get detailed information from your vendor about their security controls – It is not enough to let a vendor say “oh yes, we are HIPAA compliant.” Question their processes, controls and back-ups; visit their facility; and get documentation and Business Associate agreements that spell out their protocols and “guarantees.”
Hire a security firm for a non-HIPAA viewpoint – No organization benefits from “technical tunnel vision.” An outside perspective on your system will tell you which vulnerabilities the Security Risk Assessment missed and how best to protect yourself from them.
For a deeper look at the “must-have” data-breach preventive measures, check out my Circle briefing, Hacked! Due diligence regarding the security of your EHR is not only a best practice, it is the smart thing to do.
Lisette Wright, M.A.
Senior Associate, OPEN MINDS
For another free resource, see: It’s The People, Stupid!
This is free for the next sixty days to all registered OPEN MINDS Circle members.