Lessons from the Target Data Breach
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
A doctor’s oath to “Do No Harm” also means they need to protect patient data. Protecting confidential information is providing good health care. Identity theft can last a lot longer than an illness or injury. Just ask the victims of the Target data breach.
Whether you are a 1-doctor practice or a large hospital corporation, you are entrusted by your patients to protect their confidential information. The information is protected by law and could cost you a fortune if breached.
The cause of the Target data breach was hackers stealing login credentials from a heating and cooling company that provided services to Target. In HIPAA terms, Target’s heating and cooling vendor was the equivalent of a Business Associate. For no good reason they had access to the same network that connected Target’s cash registers. The vendor was hacked, which gave the hackers access to Target’s customers’ credit and debit card information.
The Target data breach was both predictable and preventable, and there are lessons you can learn so your patients are not victims of a similar incident.
Have an IT professional secure your network
Even though Target has its own internal IT department, they failed to protect their customers’ data by segregating cash registers from other systems. The Target data breach could have been prevented if they had their network according to their security risks.
No matter what you think, all of your protected patient data is NOT in your EHR system. It can be on servers, desktop computers, laptops, tablets, smartphones, and even copiers. Doing your own IT, using consumer-grade routers and computers, not encrypting data on portable devices, and not monitoring the effectiveness of your security measures are all a recipe for your version of the Target data breach.
Get a Professional Security Risk Analysis
Is your primary mission for treating patients getting paid or helping people? Your risk analysis mission should be to protect data, not just comply with a regulation. The Target data breach would have been prevented with an accurate risk analysis.
Since 2005 HIPAA has required a Risk Analysis, which is now required for Meaningful Use. Many healthcare providers do the simplest and cheapest Risk Analysis they can just to say they have one. Some have their IT department or vendor do it themselves and miss (or ignore) security threats that would be caught by an experienced outside expert.
Risk analysis experts discover things others miss.The Meaningful Use program says if you want your Security Risk Analysis to stand up to a compliance review you should consider hiring an experienced outside professional. Hiring an expert to identify your risks, properly analyze them, and develop a risk management plan is the most effective way to protect patient data.
Hiring a pro to do your risk analysis is like paying a doctor for a thorough and accurate medical exam. A doctor will find more than if you do your own medical exam. Isn’t that the point?
A cost justification for a thorough and accurate Risk Analysis is that you won’t have to return your Meaningful Use incentive money. A better reason is to prevent your version of the Target data breach which would hurt your patients.
Manage your Business Associates and their Subcontractors
The HVAC vendor was Target’s “Business Associate” and apparently did not adequately secure logins and passwords. Look at the Target data breach for the costs and reputation hit Target is encountering because of a vendor.
How confident are you in your vendors? It is not enough that they signed Business Associate Agreements—are you really sure your Business Associates are really complying with HIPAA and really protecting their access to your network? If they really want your business they should agree to be audited at their expense with the report going to you.
Train Your Users and Enforce Strict Password and Lockout Rules
Make sure your required HIPAA training isn’t just a few minutes of general info so you can check off a box that your staff was trained. Upgrade your training with the goal that you must protect patient information and include cyber security advice. Require users to log in with individual credentials (not “Nurse”) and don’t exempt users (like doctors) from having to reset their passwords every few months. Set systems to lockout so visitors can’t just jiggle a mouse and get into your patient records.
Protect Patient Data like it is Gold
Don’t just think your records include medical history and ignore the fact that your records are worth money. Patient records often contain Social Security numbers and other information that could be used for identity theft. Your records are valuable like the credit card info taken in the Target data breach.
HIPAA and many state laws protect patient information and penalties can be severe. You should not protect patient information just because you are afraid or because you might have to give back your Meaningful Use money. You should not ignore protecting patient data because you think you might never get caught. “Do No Harm” means you should protect your patients by protecting their data.
This article was originally published on 4Medapproved and is republished here with permission.