Medicare Compliance & Reimbursement

HIPAA Compliance:

It Only Takes One Email to Cripple Your Health IT

Tip: Change your password often and don't share it with coworkers or friends.

Email has been around for a long time, so it's easy to assume that your staff understands the nuances of spam, junk, or malicious threats that corrupt the practice network. But the rise in email attacks highlights that not all healthcare workers fully understand the implications.

Background: Last year, emails from a myriad of healthcare organizations were the cause of several large-scale HIPAA breaches, according to the HHS Office for Civil Rights (OCR) Breach Portal. In the last quarter of 2017 alone, there were 14 email violations that exposed the electronic protected health information (ePHI) of 49,094 individuals. From hijacks by hackers to unauthorized access or disclosure, email breaches compromised both practices and patients.

Insider Threats Often Lead to the Loss of ePHI

"Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities need to also consider and proactively address threats from within their organization," such as their employees and contractors, suggest healthcare counsel Elizabeth Hodge, Esq. and partner attorney Carolyn Metnick, Esq. with Akerman LLP.

Tip: Include possible threats from employees and business associates (BAs) in your enterprise-wide risk assessments, not because you suspect nefarious motives or think your staff might steal your patients' information, but because people are a common point of attack. High-level employees, including managers, clinical staff, and administrators, are often the most at risk in a phishing practice known as "whaling." Social engineers also use a tactic called "spear phishing," which targets vulnerable or novice staff who unwittingly click and unleash chaos.

That's why you might want to "identify security threats by conducting a security risk assessment or a more thorough test of system-wide vulnerabilities," Hodge and Metnick say. If you do experience a breach, having written verification that you completed an assessment and implemented your findings with compliance protocols will go a long way in reducing the feds' wrath.

"Training on data security for workforce members is not only essential for protecting an organization against cyber attacks," reminds the HHS-OCR in its July 2017 Cybersecurity Newsletter. "It is also required by the HIPAA Security Rule."

Follow 4 Expert Tips to Prevent This Type of Breach

This type of massive, sophisticated data breach may seem impossible to prevent - but you can actually avoid it by taking a few simple steps. In a health law blog from Ogden, Murphy, Wallace Attorneys in Seattle, attorney Casey Moriarty, Esq. offered the following tips:

1. Safeguard and Educate: This is yet another reminder to safeguard your electronic systems and educate your staff members on security policies and procedures.
2. Watch Staff Emails: A staff member who clicks on a link in an email, or responds to an email from hackers posing as security personnel, could unknowingly install malware.
3. Use Encryption: Consider employing encryption technology that meets the HIPAA breach safe-harbor standards to avoid or mitigate this type of breach.
4. Check with IT: When staff members are in doubt about a suspicious email, phone call or other communication, instruct them to always check with your IT personnel and your HIPAA privacy officer before taking any action.

Remember Privacy Still Matters

"Also consider your workforce's privacy knowledge," Hodge and Metnick add. "Many employees do not know how to identify socially engineered emails or other security threats. Employees should be trained on identifying socially engineered emails."

And that's why technical training is essential to keeping breaches to a minimum. Most costly violations are caused accidentally by staff, due to a lack of education on the HIPAA Security Rule, not the HIPAA Privacy Rule. "Fix your people. They are prone to human error," recommends compliance expert Brand Barney, CISSP, HCISPP, QSA, a security analyst with Security Metrics in Orem, Utah.

Resource: For a look at the OCR's Cybersecurity Newsletter on phishing, visit www.hhs.gov/sites/default/files/july-2017-ocr-cyber-newsletter.pdf?language=es.
