Beazley Institute for Health Law & Policy, Loyola University Chicago, Masters of Law 2019
In a time where much of the healthcare industry has shifted to incorporate telehealth and telemedicine, health care organizations and providers are faced with the upkeep of the growing influx of patient data and the challenges associated with their obligation to maintain patient privacy. These challenges increasingly more burdensome as providers strive to keep up to date with the advancement of technology. Healthcare organizations must maintain patient privacy through close monitoring of clouds, employee use of mobile devices, patient access to medical information and scheduling, and access to the provider networks through non-organizational devices. Maintaining the multiple platforms is costly and the industry remains at risk due to the rising volumes of cybersecurity attacks and breaches. UConn Health recently experienced a data breach that necessitated notifying 326,000 people of potential impact to their protected health information (PHI) including names, dates of birth, address, billing information, and even social security numbers due to potential access by an unauthorized person.
How Attacks Can Occur
The Health Insurance Portability and Accountability Act requirescovered entities such as health care providers, including institutional and sole practitioners, to protect individuals’ health records and other identifiable health information by requiring entities to place appropriate safeguards to protect privacy. The privacy rule also sets out limitations and conditions on the use and disclosures pertaining patient information without patient authorization. In 2017, health care organizations experienced an increase of attacks by 82%. The Department of Health and Human Services’ Office for Civil Rights received notifications of data breaches that have resulted in the unauthorized exposure of 13,020,821 healthcare recordsin 2018. As hackers become more sophisticated and targeted with their attacks, some of the biggest breaches occur due to phishing attacks and errors by employees. Phishing attacks can occur through social media, malware advertising, and emails that lure employees to follow links to web pages request the employee to input information such as username and password triggering the download of malware. Once the download occurs, a breach has occurred creating great liability given the impermissible use or disclosure of the information by an unauthorized person. Email phishing is the most common form of a data attack within the health care industry.
The data breach that occurred at UConn Health transpired through an email phishing attack on multiple employees. Fortunately, the attack did not affect UConn Health’s computer networks or Electronic Health Records. Covered entities that incur data breaches must comply with the HIPAA Breach Notification Rule by notifying the Secretary, those affected concerning the unsecure PHI, and in some circumstances, as UConn has done, the media. Because UConn experienced a breach affecting more than 500 patients, they are required to not only inform each patient by mail individually, but to also provide notice to prominent media outlets within sixty days following the discovery of the breach.
Preventing Future Breaches
In order for other organizations to prevent attacks like the UConn Health breach, the privacy officer will need to ensure that employees have access to and have a clear understanding of the privacy laws and internal procedures to abide by the law. Because multiple employees at UConn fell victim to the phishing attack, running an administrative risk assessment and audit of the system to pinpoint other ways employees are lured will provide ways to update internal policies and procedures going forward. Depending on the size of the system, it is likely that minor breaches occur more often on a regular basis for medium to large systems like UConn Health. A comprehensive risk assessment should include researching the many breaches that have occurred in other health systems through the year to serve as a guide as to what employees need to pay more attention. Once the risk assessment identifies the areas that PHI is used, and audits of the effectiveness of current procedures are complete, it is likely to expose other breaches. Ideally, those fall below the breach notification rule amount. The privacy officer will need to update the organization’s policies and procedures providing examples of what breached looks like and how to avoid them.
Implementation of new policies and procedures should govern use of not only workstations on organizations premises, but also the use of mobile devices when accessing ePHI. Mandatory training, either in person or in online, raises awareness in employees of new procedures that the privacy officer has developed. Training should also show how employees might identify malicious attacks. Due to the significant repercussions and financial burdens that result from breaches, training should include assessments as a way to guarantee employees understand the laws, past procedures, and updates to those procedures.
Healthcare organizations of all sizes should have protocols in place to ensure that employees have effective lines of communication with the privacy officer and the officer’s team. Employees should freely communicate if they have encountered a potential phishing attempt, giving the privacy team the ability to investigate internally into the possible attack and providing a notification alerting the entire organization. Effective communication and a commitment to taking the time to look into any incidence that an employee might encounter can save the covered entity from penalties and, most importantly, reinforce patients trusting the entity with private and personal information. As employees are generally more encouraged to communicate things if they are incentivized, covered entities should place rewards to those that report actual phishing threats within the organization. Because medical identity fraud is on the rise and typically takes longer to detect, employee alerts are beneficial to the health care entity as they allow for prompt responses in detection and prompt action in correcting potentially reportable breaches. Effective privacy management and constant reminders that data breaches are looming is a proactive way to ensure employees are constantly looking out for potential attacks, especially as the healthcare industry becomes more “mobile”.