Continuously coach staff for best protection.
One of the easiest ways for your practice to inadvertently release your patients’ electronic protected health information (ePHI) is by falling for an email scheme.
Context: Remember that “there are two parts to HIPAA [Health Insurance Portability and Accountability Act],” says Melissa Dill, managing director for the healthcare consulting practice at Crowe in Indianapolis, Indiana. “There’s the Privacy Rule, which tends to be more focused on the non-electronic and access aspects of an individual’s PHI; and then there’s a Security Rule, which focuses on the electronic management of that individual’s information.” Compliance with the Security Rule is where email protection comes into play.
Make Staff Training Ongoing
Your employees are going to get a wealth of HIPAA and information technology (IT) training when they start at your general surgery practice — but that shouldn’t be the end of their data security education.
With each new threat — and especially if an incident such as phishing occurs — you must update and re-train staff, keeping them in the loop and offering tools and guidance, such as the following:
- Don’t open any email or attachment if it seems suspicious. Your computer’s antivirus software could even be fooled into thinking the message is safe. Attackers constantly release new threats before protection software has been updated. If you feel uneasy, trust your gut.
- Remain skeptical. Even if an email was sent to you by a colleague or from an email address that looks like a colleague’s, that doesn’t necessarily make it legitimate. Attackers can create fake email addresses that look like the ones you know. Do your due diligence and check with the supposed sender to make sure the email was purposely sent before opening any attachments.
- If you open an attachment and your computer screen “goes crazy,” immediately disconnect your machine and alert a supervisor. Sometimes disconnecting a node in a timely manner can limit your exposure.
Even with ongoing training, your staff may be vulnerable to making an error. Time and again, phishing is the culprit that takes systems down with just one click on a link.
Do this: Perform periodic phishing tests to help employees sidestep these common attacks.
“A phishing test is the practice of sending phishing messages to employees and if someone clicks on it, they are afforded the opportunity to learn more about phishing,” says Adam Kehler, director of RSP Healthcare Services at Online Business Systems. “This is an extremely effective training method and is relatively inexpensive.”
“Do not exempt physicians and executives. They are the biggest target and often the most likely victims,” Kehler says.
Strengthen Your Email Systems
As important as staff training is, you shouldn’t leave your practice’s email security up to each individual’s behavior. Your IT team should enact the following measures to ensure the most secure system possible:
- Stay on top of software updates: Operating systems and software developers release updates regularly when they discover vulnerabilities, security flaws, or any number of other problems. By running these updates as they’re released and vetted by your practice’s IT department, you’ll protect your devices against attackers.
- Turn off automatic downloads: Your email software settings may have an option to automatically download attachments. If so, disable this feature to protect your computers against possibly dangerous files.
- Perform frequent backups: If a cyberattack occurs, you’ll be able to get your computer and network back up and running sooner if your practice has backups on hand.
- Secure legacy systems: If your organization depends on a legacy system to keep things running smoothly, ensure that it’s compatible with new software. The chances of a cybersecurity incident are higher with legacy systems, so it’s critical that you manage updates and implement strict authentication protocols.
- Consider cloud-based email security: Many of your staff may still be working from home. A cloud-based email system can help curtail ransomware woes and secure your data more efficiently as your IT team and vendor have easier access to shut down issues.
- Utilize encryption: Even with training, your employees may lack the skills to identify a phishing scheme, and that’s where encryption technology comes into play. Email encryption can help your organization authenticate emails with tools to ensure that the email isn’t a phishing attack.
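To make two of the points above concrete (the lookalike sender addresses described under “Remain skeptical” and the idea of authenticating an email before trusting it), here is an added Python example that is not from the original article or from any firm quoted in it. It inspects a constructed message’s headers for a near-miss of a trusted domain, a Reply-To that points elsewhere, and a failed DMARC result; the trusted domain list, the sample message and the warning rules are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

# Domains the practice knows and trusts (constructed for this example).
TRUSTED_DOMAINS = {"example-surgery.org", "example-hospital.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value) -> str:
    """Extract the lowercase domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Return a list of warning strings; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw)
    warnings = []
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    # A domain that is almost, but not exactly, a trusted one is the classic lookalike.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            warnings.append(f"lookalike sender domain {from_dom!r} resembles {trusted!r}")
    if reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # Authentication-Results is written by the receiving mail server; a DMARC
    # failure means the sender could not be verified as the claimed From domain.
    auth = (msg["Authentication-Results"] or "").lower()
    if "dmarc=fail" in auth or "dmarc=none" in auth:
        warnings.append("DMARC did not pass for the claimed From domain")
    return warnings


# Constructed sample: one-character-off sender domain, foreign Reply-To, failed DMARC.
SAMPLE = """From: Dr. Lee <dr.lee@examp1e-surgery.org>
Reply-To: billing@mail-relay.example.net
Authentication-Results: mx.example-surgery.org; spf=softfail; dmarc=fail header.from=examp1e-surgery.org
Subject: Updated patient statement attached

Please review the attached statement today.
"""

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
```

The same checks can be run against a message’s raw headers exported from most mail clients; a clean message from a trusted domain with a passing DMARC result produces no warnings.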