Maintaining secure patient data is a critical consideration for an independent practice. Patients want the reassurance that their medical information will not be shared with anyone who should not have access. Independent physicians using electronic health records (EHRs) must ensure that those records are not susceptible to security breaches, to reassure their patients as well as for a number of other cybersecurity considerations.
Smaller independent practices are particularly vulnerable to security breaches. Rather than react to threats, however, the more effective approaches are proactive, according to John Nye, vice president of cybersecurity strategy at an IT consulting firm who spoke on cybersecurity during a session at the Healthcare Information and Management Systems Society (HIMSS) Annual Conference in Las Vegas in 2018.
Independent physicians should look for potential areas within their technology systems, to identify and correct vulnerabilities. This could entail contracting with an outside IT firm or even hiring a hacker to determine if there might be breaches in the system. Certified ethical hackers can look at the independent practices systems and try to “break in,” reporting to the physician their findings and recommendations. As cybersecurity expert Nye said, “We have to start looking, and finding, these issues before the bad guys do.”
In addition to patient concerns, the independent physician has the responsibility to protect electronically transmitted patient data under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. Subtitle D of the Act addresses the privacy and security concerns associated with the electronic transmission of health information, including associated penalties for violating patient data security rules.
The Department of Health and Human Services (DHHS) has also published guidance on what to do in case of a cybersecurity attack. The Office of Civil Rights (OCR) lists, in its Quick-Response Checklist, states that a HIPAA-covered entity:
- Must execute its response and mitigation procedures and contingency plan
- Should report the crime to other law enforcement agency
- Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs)
- Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.