Gastroenterology Coding Alert

Privacy:

Secure Your Emails to Avoid This GI Practice’s Fate

This practice’s email breach also caused practice funds to be diverted elsewhere.

Technical advancements can bring efficiency to your gastroenterology practice, but they can also lead to more opportunities for security breaches. That’s the lesson that gastroenterology staff members at a digestive health practice in Florida recently learned, according to a January memo that the practice shared on its website.

The Issue Was Rooted in Email

The practice’s main issue stemmed from an email breach. After an employee noticed that suspicious emails had been sent from their email account, the practice also discovered that company funds had been sent to an unknown bank account.

The ensuing investigation revealed that unauthorized users had accessed a few staffers’ emails, potentially breaching protected health information such as patient names, insurance details, and Social Security numbers.

Here’s How to Avoid a Similar Fate

Email has been around for a long time, so it’s easy to assume that your staff understands the nuances of spam, junk, and malicious messages that can compromise the practice network. But the rise in email attacks highlights that not all healthcare workers fully understand the implications.

You should proactively address the threats that are likely to come from inside the practice, including possible breaches that can affect your employees and contractors. Although many people think they don’t need to train employees because they know their staffers wouldn’t expose patient data for nefarious reasons, sometimes these breaches occur without the person’s knowledge.

High-level employees, including managers, clinical staff, and administrators, are often the most at-risk targets in a phishing scheme, but novice staff may also unwittingly click and unleash chaos.

That’s why you might want to identify security threats by conducting a security risk assessment or a more thorough test of system-wide vulnerabilities. If you do experience a breach, having written verification that you completed an assessment and implemented your findings with compliance protocols will go a long way in reducing the feds’ wrath.

“Training on data security for workforce members is not only essential for protecting an organization against cyber attacks,” reminds the HHS-OCR in a recent Cybersecurity Newsletter. “It is also required by the HIPAA Security Rule.”

Follow 4 Expert Tips to Prevent This Type of Breach

This type of massive, sophisticated data breach may seem impossible to prevent, but you can actually avoid it by taking a few simple steps:

Safeguard and Educate: This is yet another reminder to safeguard your electronic systems and educate your staff members on security policies and procedures.

Watch Staff Emails: A staff member who clicks on a link in an email, or responds to an email from hackers posing as security personnel, could unknowingly install malware on the practice network.

Use Encryption: Consider employing encryption technology that meets the HIPAA breach safe-harbor standards to avoid or mitigate this type of breach.

Check with IT: When staff members are in doubt about a suspicious email, phone call, or other communication, instruct them to always check with your IT personnel and your HIPAA privacy officer before taking any action.

Remember: Privacy Still Matters

Provide privacy training on a regular basis, rather than offering it just once. That way, staff members are reminded of the importance of identifying threats, understanding what suspicious emails look like, and evaluating when to raise a flag.

That’s why technical training is essential to keeping breaches to a minimum. Most costly violations are caused accidentally by staff members, due to a lack of education on the HIPAA Security Rule rather than the HIPAA Privacy Rule. Fixing human error can go a long way in eradicating email-based threats.