October has already had a haunting effect on health care providers given the two big news stories related to compromised patient information.
The Journal of the American Medical Association recently released a staggering study regarding the recent data breaches that health care providers have been experiencing. The study reported that from 2010 through 2017, there were 2,149 data breaches reported by business associates, health plans and health care providers. Those breaches exposed 176.4 million records, according to the study.
While in 2010 the most common form of a breach was from a laptop or paper films, by 2017 the most common form of a breach was to network servers and emails. In 2017 alone, 132 million records cumulatively were breached due to hacking or an IT incident. The most common breach was through a health care provider, which accounted for 70 percent of the breaches. This study indicates that cyber hackers are targeting health care providers’ networks and IT systems.
Then there was the recent $1 million settlement of three Boston hospitals related to potential HIPAA violations, proving there is a hefty price to pay when Protected Health Information (PHI) is not properly protected. This settlement arose from a compliance review investigation by the federal Office for Civil Rights after it learned that one Boston hospital was allowing ABC to film a documentary at the hospital.
The investigation revealed the hospital had impermissibly disclosed the PHI of patients to ABC employees during the filming of the documentary. Massachusetts General Hospital paid the stiffest fine of $515,000, Brigham Women’s Hospital paid $384,000 and Boston Medical Care paid $40,000 in fines related to accusations from the Department of Health and Human Services and Office for Civil Rights for failure to appropriately and reasonably protect their patients’ PHI from disclosure.
Although the results of the JAMA study show this type of employee-related compromise is on the downtrend when compared to incidences of network and IT breaches, the corrective action plans two of the three Boston hospitals agreed to complete are instructive since they can be molded to apply to network and IT breaches.
The plans require the hospitals to develop processes, policies and procedures that:
The hospitals then must distribute the policies and train their employees on them. Any new employee must also receive the same training. The hospitals must also provide an implementation report that includes:
If a health care provider were to implement similar processes, policies, procedures and reporting related to protecting PHI from network and IT breaches, then this would be a beneficial initial defense that would likely help reduce the breadth of any breaches. It would also limit any hefty penalties that could arise from any breaches.