Telehealth applications have been a welcome tool in the effort to keep residents, families, patients, and healthcare workers safe during the COVID-19 pandemic. While the U.S. Department of Health and Human Services (HHS) has relaxed some Health Insurance Portability and Accountability Act (HIPAA) rules, inherent risks come from using these virtual applications. It is important to remember that patient data is extremely valuable to cybercriminals, as it often includes the person’s social security number, credit card details and birthdate. Patient data is always at risk on software and hardware devices that employees use to store, capture and modify patient information.


For this reason, the number of breached personal health records increased by 25% year-over-year to 29 million in 2020, while ransomware attacks increased by 100% from 2019. Small medical organizations are becoming increasingly enticing to hackers because they often lack sophisticated technicians and the tools to prevent an attack.

Simultaneously, healthcare data breaches are more expensive than other breaches and take longer to detect. The average cost per breached healthcare record is $429, more than double any other industry. Containment is critical in stemming the impact of the damage and the costs; yet, it takes an average of 236 days to identify a breach and 93 days to contain the attack.


Although HIPAA imposes stiff fines for breaches, it is important to note that penalties are often based on the lack of adherence to policies and procedures. For example, the Athens Orthopedic Clinic PA settled a $1.5 million payout to the Office for Civil Rights (OCR) at the HHS, based on the clinic’s failure to maintain HIPAA policies and procedures. It was also cited for its lack of a documented risk analysis and its failure to train its employees on HIPAA regulations properly.


Social media, once considered a high-risk practice, is now used by many facilities to keep family members connected after the government banned non-essential visits to nursing homes and limited hospital visitation. With residents and their families freely sharing social media profiles, email addresses and phone numbers with nursing home staff, the burden of protecting patient privacy increases.

These social media updates provide a vital virtual connection as a substitute for face-to-face visits and will likely continue after visitation restrictions are lifted. Social media has opened a new pathway to connect loved ones in long-term care communities to friends and family living in faraway states and countries. More importantly, these updates can be used as a valuable method to boost employee morale and improve retention. Facilities can use them to acknowledge and highlight the hard work and exceptional care of staff who are working under some of the most challenging and demanding circumstances.


Is ensuring conformity to HIPAA guidelines enough to protect patients from a costly data breach? For example, HIPAA stipulates that electronic patient health information (ePHI) — whether at rest or in transit — must be encrypted to National Institute of Standards and Technology (NIST) standards to ensure it is unreadable, undecipherable, and unusable if the data is breached. However, Apple has not signed a HIPAA-compliant Business Associate Agreement (BAA), which means FaceTime is not HIPAA compliant. Yet, the OCR will not impose penalties against covered healthcare providers for the lack of a BAA. But given the urgency to protect patient data, it would be prudent for all employees to exclusively use telehealth tools from HIPAA-compliant vendors that do have BAAs, including Skype for Business, Google G Suite Hangouts, and Zoom for Healthcare.


With so much at stake, how can providers ensure they are doing everything they can to protect their patients from cyber-attacks amid our increased reliance on telemedicine? The HIPAA Security Rule requires that covered entities conduct a risk assessment to help ensure compliance with HIPAA’s administrative, physical and technical safeguards. Guaranteeing that everyone in a facility is fully compliant begins with a plan. Below are six suggested steps to mitigate risk:

  1. Put standards of conduct in writing. Document your compliance program and specific policies. Establish expectations for ethical and legal conduct and how issues will be investigated. Include information from the Centers for Medicare and Medicaid Services (CMS) marketing guidelines.
  2. Create a standardized, secured hub to store and share social media and email updates. Relieve staff from the responsibility of sharing updates with family members, and assign this duty to a specific person, or department.
  3. Assign compliance responsibilities. Define the roles and responsibilities of specific individuals so that employees understand whom to go to with concerns, and ensure there are anonymous reporting methods available.
  4. Train and educate employees. Ensure employees and volunteers, regardless of their roles, understand the importance of keeping patient data secure.
  5. Establish standards for disciplinary actions. Ensure staff has the autonomy to identify problems, or blind spots, leading to a breach or violation.
  6. Monitor and audit. Create a system to periodically check and audit your program. HIPAA requires regular risk assessment updates.


When there is no IT department and no IT budget, ensuring that patient data is protected is still achievable. The Security Risk Assessment Tool (SRA Tool) is a free downloadable program that can help break down the entire assessment process so that even smaller facilities can identify the specific administrative and electronic safety measures needed to strengthen procedures and policies and keep patient data safe.

Created in collaboration with the OCR, the SRA Tool is designed to help healthcare providers conduct a step-by-step full security risk analysis to uncover weak security points. With its systematic guidance, the tool can uncover blind spots and vulnerabilities. More importantly, this modular tool can help you stay current with the continually evolving HIPAA rules and requirements.


The pandemic has likely permanently transformed the way healthcare is delivered. Work-from-home employees are no longer a stopgap measure but will likely continue to be an ongoing part of the staff. Regardless of where the work is performed, HIPAA rules still apply, and patient data is still vulnerable. While it is impossible to implement every conceivable safeguard, providers can take the most crucial actions to establish procedures, policies and training. At a minimum, policies should include:

  • Requiring VPNs with regular software patches and security configurations.
  • Using multifactor authentication on all VPN connections and ensuring the use of strong passwords.
  • Training employees on how to secure home networks, including using a second network dedicated exclusively to home health work.
  • Ensuring all mobile devices and their software receive regular updates and run security applications.
  • Using passwords for teleconferencing appointments on HIPAA-compliant applications.


Risk assessments are not a one-and-done requirement. HHS requires assessments to be an ongoing, dynamic process of gathering, analyzing and updating information. HIPAA rules are complex and continuously evolving. Regardless of a facility’s size, keeping patient data safe is an ongoing process, and risk assessment is a tool that can help with this challenge.