Safeguarding Data - Managing Professional Risk
What is the worst computer problem you need to prepare for? Is it arriving at the office to find your server doesn’t boot? Is it finding that a friend’s computer was compromised by a virus which your computer now has? Is it the power going out in the middle of the day? Or maybe you just downloaded the latest Microsoft updates and your software stopped working.
These are all serious problems, and the threats are seemingly endless. Risks need to be mitigated by backing up your systems; using up-to-date operating system software, antivirus and anti-spyware software; and having reliable batteries in your Uninterruptible Power Supplies.
But arguably the worst computer problem you could face would be compromised data. If data containing personally identifiable patient information (also known as Protected Health Information) leaves your possession and you know it—or, in the view of regulators, you should have known it—you will be subject to notification and reporting requirements under state and federal law (including but not limited to HIPAA).
In other words, you must not keep this security breach hidden under the rug. But when you notify patients that confidential information about them and their medical conditions has been taken and could be misused, your reputation may suffer considerable damage. We will discuss some of the ways data can be compromised, how to guard against this happening, and how to respond if it happens despite best practices.
There are many ways data can be compromised. One of the simplest is for a staff member to make a copy of data. While it has always been possible for staff to easily photocopy records in paper form, digitized data can be copied in huge quantities. It would be quite conspicuous to copy 1,000 patient files on a photocopier, but it would take only moments using a computer, and it’s possible no one would ever notice. Duplication of data is difficult to control. Mitigation begins with strong written policies that clearly notify staff that data should only be copied for specific, approved purposes, and with proper processes in place to safeguard security and privacy. For example, staff may copy medical records to removable media (e.g., USB flash drives, CDs or DVDs) in response to patient requests. Consequences for failure to follow policy, up to and including termination, must be outlined. (Read on for more information on removable media.)
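One way to notice the bulk copying described above, shown as an added example that is not part of the original article: the script flags any user who opens, exports or prints an unusually large number of distinct patient records within a short window. The audit-log format, user names, action names, threshold and sample lines are all constructed assumptions, not taken from any particular records system.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Split 'timestamp user action record_id'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def find_bulk_access(lines, max_records=25, window=timedelta(minutes=10)):
    """Return {user: peak distinct records in any window} for users over the limit."""
    recent = defaultdict(deque)  # user -> (timestamp, record_id) pairs still in window
    flagged = {}
    for ts, user, action, record in sorted(e for e in map(parse_line, lines) if e):
        if action not in ("VIEW", "EXPORT", "PRINT"):
            continue  # logins and other events do not touch patient data
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop accesses that fell out of the sliding window
        distinct = len({r for _, r in q})
        if distinct > max_records:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

def constructed_sample():
    """Constructed log lines (assumed format): normal use, a slow day, a bulk export."""
    start = datetime(2011, 3, 1, 9, 0, 0)
    lines = [
        "2011-03-01T09:00:05 asmith VIEW P-1001",
        "2011-03-01T09:14:40 asmith VIEW P-1002",
        "2011-03-01T09:20:00 asmith LOGIN -",
        "corrupted line",
    ]
    # jdoe exports 40 different records in under a minute.
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} jdoe EXPORT P-{2000 + i}"
              for i in range(40)]
    # bnurse views 30 records, one every 15 minutes across the working day.
    lines += [f"{(start + timedelta(minutes=15 * i)).isoformat()} bnurse VIEW P-{3000 + i}"
              for i in range(30)]
    return lines

if __name__ == "__main__":
    print(find_bulk_access(constructed_sample()))
```

The threshold and window need tuning to how many records staff normally handle, so that an ordinary busy day does not raise alerts.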
Another way data can be compromised is if the computer sends data across an unencrypted (undisguised) Internet connection. Data flowing across a network can be intercepted by eavesdroppers. Always look for indications that Secure Sockets Layer (SSL) is being used when connecting to sites on the Internet for business purposes, such as banking. This is indicated by a gold padlock in Internet Explorer, or a grey padlock in other browsers. There are dozens of web browsers, so familiarize yourself with the SSL graphic in the address line of the web browser you use.
Mitigation also requires using a good antivirus software product and keeping the virus signatures updated daily (virus signatures are like fingerprints that can be used to detect and identify specific viruses). You need to keep computer operating systems and software up-to-date and patched (problems repaired) on a regular basis (at least monthly). For computers running Windows, each time Microsoft issues security updates for operating systems and/or programs, all computers in the network or accessing the network should be updated.
Avoid using wireless connections to communicate confidential patient information unless you are certain you are using current encryption methods (currently WPA or WPA2), and institute strong written policies about this. (Policies regarding use of antivirus software and regular updates must be in place even if Macintosh computers are used instead of Windows computers. While Windows computers are at much higher risk, any computer can become infected with a virus.)
If you use laptops in your practice, staff members need to be advised to avoid storing patient data on the hard drive (that is, on the C drive or in My Documents, etc.). If the laptop is lost or stolen, the password can be easily hacked, and any data on the local hard drive can become accessible. This is one case in which you must contact ALL of your patients to notify them that their data has been stolen. (It is strongly advised that you seek assistance from your professional liability insurance carrier in the event that protected health information or other patient data is stolen or compromised in any way.)
One excellent way to mitigate the damage when a laptop is stolen or lost is to use disk encryption on all laptop hard drives. A few years ago, the idea of encrypting hard drives struck fear into the IT community. Doing so slowed down the system and made it difficult to recover data if the computer crashed. While it is still true that it is tricky to recover data when the computer crashes, it is not necessarily impossible, and new encryption software does not noticeably slow down the computer. In fact, once your laptop is encrypted, chances are good that you will never even notice that your data is encrypted. The encryption software runs quietly in the background, and automatically decrypts data for e-mailing, exporting or copying. If the encrypted laptop is stolen, the data cannot be accessed—and no letters need to be sent to patients or anyone else. The peace of mind that comes from knowing this is worth the tradeoff of any inconvenience.
Encryption software can be configured to encrypt not only hard drives, but also removable media, such as USB flash drives. USB flash drives are a headache to IT security personnel. As mentioned earlier, staff can easily steal data by copying to a USB flash drive. Automatic encryption when copying to an external device, such as a USB flash drive, makes it more difficult to steal data. If the miniature drive is dropped, lost or stolen, the data on it cannot be read by another computer. (Note: Before attempting to encrypt any hard disks on your own, or even with the help of a consultant, be sure to back up all existing data to reliable media.) When copying a medical record to removable media for a patient, the encryption feature should be disabled.
While raising awareness of the many serious threats to data, this article merely scratches the surface of the subject. NORCAL Mutual Insurance Company provides extensive information to assist you in understanding information risks and formulating appropriate policies and procedures. If you are NORCAL insured, you have online access to this information through your MyNORCAL account (access is at www.norcalmutual.com). Here are some additional free online articles if you would like to learn more about data security:
http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf — A good overview, including helpful graphics and additional resources.
http://www.brighthub.com/computing/smb-security/articles/61722.aspx — More insight into security breaches.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack — Discusses eavesdropping or “man-in-the-middle” attacks.
Copyright 2011 NORCAL Mutual Insurance Company. All rights reserved.

