It’s extortion for the electronic age: break into a healthcare provider’s computer systems, lock the owner out, and then ransom access back for cash (well, bitcoins). It happened to a California hospital in February, temporarily cutting off physician access to electronic medical records. The demand: $3.4 million, about 9,000 bitcoins, to restore access and avoid wholesale loss of protected health information (PHI).
Here’s a recent piece on digital hacking in healthcare.
There’s some confusion among addiction treatment programs about where they are actually vulnerable. One piece of advice: exercise particular care with your financial records. Billing and accounts files often hold quite a bit of PHI, too, and usually with fewer safeguards than the clinical record gets.
Under HIPAA, PHI is health information that can be tied to an individual, whether by a single unique identifier or in combination with other readily available data. A partial list of the identifiers that make a record PHI:
- Patient name
- City or town, zip code
- Name and contact information for an emergency contact
- Dates of birth, admission, or discharge
- Telephone and fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Account numbers
- Vehicle identifiers and serial numbers, including license plates
- URLs and IP addresses
- Full-face photographs
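The practical problem with the list above is that these identifiers turn up in places nobody thinks of as a medical record, such as the billing export mentioned earlier. The following scanner, added here as an example and not code from the original post, runs pattern matches for several of the listed identifier types over a constructed sample CSV (the file contents, column names and all values are made up) and can also produce a masked copy. The regular expressions are assumptions tuned to common US formats; they will miss unusual layouts and over-match on look-alike numbers, so treat the output as a starting point for a manual review, not as proof that a file is clean.

```python
"""Flag PHI identifiers in a text export such as a billing or accounts dump.

Added example, not part of the original post. The patterns below are
approximations of common US formats and are an assumption, not an
authoritative definition of the HIPAA identifier list.
"""
import re
from collections import defaultdict

# Identifier types from the list above that are recognisable by pattern.
# Names, photos and free-form addresses need a different approach
# (dictionaries or NLP) and are deliberately not attempted here.
PATTERNS = {
    # Reject SSNs that can never be issued: area 000/666/9xx, group 00, serial 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # "(555) 867-5309" or "555-867-5309" / "555.867.5309".
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # mm/dd/yyyy; dates of birth, admission and discharge are all PHI.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Any bare 5-digit number will match; expect false positives on IDs.
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Assumes the export labels medical record numbers with an "MRN" prefix.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Constructed sample of a financial export; every value is invented.
SAMPLE_EXPORT = """\
invoice_id,patient,dob,contact,notes,amount
INV100021,Jane Q. Patient,03/14/1974,(555) 867-5309,"MRN 0048213; SSN 123-45-6789 on file; sent to jqp@example.com",1250.00
INV100022,Anon Vendor,,555-000-1234,"office supplies, delivered to 90210",89.99
INV100023,Internal,,,"see https://portal.example.test/x for batch run from 10.0.0.12",0.00
"""


def scan_text(text):
    """Return {identifier_type: [matched strings]} for every hit in text."""
    hits = defaultdict(list)
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits[kind].append(m.group(0))
    return dict(hits)


def scan_lines(text):
    """Return (line_number, identifier_type, match) tuples so a reviewer
    can locate each hit in the export."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind, m.group(0)))
    return findings


def redact(text):
    """Replace every hit with a [TYPE] token, producing a copy that can be
    handed to someone (a vendor, an auditor) who has no need for the PHI."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(f"[{kind.upper()}]", text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_EXPORT):
        print(f"line {lineno}: {kind:5s} {value}")
    print("--- redacted copy ---")
    print(redact(SAMPLE_EXPORT))
```

Running it against the sample shows the point of the exercise: the one row that looks like a patient record yields an SSN, a date of birth, a phone number, an e-mail address and a medical record number, but the "vendor" and "internal" rows also leak a zip code, an internal IP address and a URL, which are PHI identifiers when they can be tied back to a patient. Run the same scan over each export your billing, UR and referral processes produce before deciding which of them need the same safeguards as the clinical record.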
It helps to realize that electronic records are exposed in ways paper records never were. No burglar’s tools are required: the break-in can be done remotely, from anywhere in the world, using nothing more than the right software or a password obtained from a careless employee. And once inside, an intruder who has reached one system can usually move on to others on the same network, pulling PHI on many patients rather than the single chart a thief could carry out the door.
Here’s a brief plan to reduce your risk, and hopefully your liability in the event of a breach:
First, carefully inventory your records systems. Clinical and financial records, of course, but also records of admission inquiries, referrals to other providers, and any access granted to business associates for specific tasks (CQI, UR, or billing). For each of those points of access, ask: how likely is a breach there? How much damage could it do? How many patients’ records would be exposed?
Second, develop a strategy for reducing risk and minimizing damage from a breach. That includes a written policy for a systematic, organized response when a breach is suspected: who is notified, how the affected system is contained, and how the exposed records and patients are identified. Make this a team project, involving multiple functions, as part of a performance improvement plan.
Third, train your staff. We recommend putting a copy of the plan on every computer desktop, so people can’t help but find it when needed. Go over it during orientation and as part of in-service training.
Finally, ensure accountability. Have a clear, comprehensive policy for investigating a possible breach. Include HR policies that spell out the consequences if an employee is found responsible for a breach, and make sure those consequences apply to executives as well as line staff. As one director put it: “No special treatment for big shots.”
There are some very good models for the above already in use; search “PHI breach management” or related terms to locate them. We also recommend keeping a copy of this (or something similar) in your library. It’s worth the investment.