How to Use Cybersecurity to Build Patient Trust in Your Practice
Why do we care so much about cybersecurity? The Department of Health and Human Services (HHS) in 2018 received notifications of 351 data breaches of 500 or more healthcare records. A 2018 Verizon data breach report showed that 63% of data breaches come from third-party providers in the healthcare industry and that 24% of all data breach victims are healthcare organizations. Protected health information (PHI) is vulnerable.
Data from Kareo’s recent State of the Independent Practice Report reinforced these statistics. Nearly 60% of providers indicated that security and compliance are their most important initiatives, especially after COVID-19. Since the pandemic, when many services became remote, there has been a threefold increase in cyberattacks. Eighty percent of healthcare organizations surveyed for a report released recently have experienced a cybersecurity breach precipitated by a third-party vendor over the past 12 months, according to Healthcare News. Perpetrators are automating these attacks on customers with lower levels of security or whose basic security controls are not in place.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules provide federal guidelines for PHI held by covered entities and give patients many rights concerning that information. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the requirements to protect the privacy and security of health information, including the requirement under the HIPAA Security Rule to perform a risk analysis as part of their security management processes.
All health care providers, health plans and health care clearinghouses that transmit health information in electronic form are “covered entities.” They must comply with the HIPAA Privacy and Security Rules. The HIPAA Rules define “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information that relates to an individual’s health and that identifies an individual or for which there is a reasonable basis to believe can be used to identify an individual.
According to Healthcare News, “HIPAA is inextricably linked to patient privacy, but building a trusted, long-term patient relationship goes beyond HIPAA compliance and requires a deeper commitment to keep patient PHI safe and private. Healthcare organizations need to treat patient privacy as a corporate social responsibility. In other words, they need to go above and beyond the bare minimum HIPAA safeguards. To enable safe and secure data sharing without losing control or placing a burden on users, healthcare organizations should embrace a data-centric security approach.”
Taking that approach is often easier said than done. Not all breaches are committed by bad actors, Salmon said. It is estimated that 35 percent of health care data breaches are accidental. For example, passwords are hard to remember, so people reuse them across various systems. A data breach at one site then gives other people access to those passwords, especially if you use the same one across many sites.
As Salmon explained, “It’s easy for hackers to make malicious software that can be launched quickly to steal data. Their motivation is usually to make a quick buck. The Colonial Pipeline hackers were quoted as saying that their motivation was not political. Their goal was simply to make money. Larger organizations often have more security in place than smaller medical practices, and it’s just as important for both. We have to realize that these bad actors are likely to be around forever and we must be ready for them.”
Awareness is the key, he said. Salmon recommends using strong passwords and effective access controls. Control access to protected health information. Train the staff. Think before you click. Make sure your software provider has third-party certification. Recognize that data breaches can happen to anyone and take actions to prevent them.
According to a recent Journal of the American Medical Association article, “Trust is so fundamental to the patient-physician relationship that it is easy to assume it exists. However, because of changes in healthcare and society at large, trust is increasingly understood to be at risk and in need of attention.” For more information on how Kareo is committed to keeping our customers’ patient data safe, visit us here.