Healthcare News & Insights

Your biggest breach risk may be inside your hospital

You know you have to be vigilant about potential external cyberattacks. But are you giving as much attention to internal breach risks? 

Despite all the attention put on guarding patients’ protected health information (PHI) from external threats like hackers, it’s still more likely that a breach will occur from within your and your business associates’ organizations.

Don’t believe it? Tell that to Senior Health Partners and its business associate, which just reported a breach caused by an employee.

Cautionary tale

According to Healthcare IT News, Senior Health Partners, a New York-based long-term care provider, had to notify 2,700 patients that an incident had exposed their:

  • names
  • Medicaid IDs
  • diagnoses
  • treatment information, and
  • health insurance claim numbers.

But it wasn’t a hacker or a new computer virus that led to the breach.

A nurse working for Senior Health’s business associate, Premier Home Health, had her laptop and phone stolen, which compromised PHI “through a potentially accessible” email containing the information.

An investigation by the groups revealed that although the nurse’s laptop was encrypted, she had left the encryption key in the laptop bag. Additionally, her phone wasn’t encrypted or password-protected.

It’s not yet clear what kind of HIPAA penalties the groups will face. But even if the fines aren’t astronomical, there are other costs the providers will have to worry about, such as potential lawsuits from patients or offering credit monitoring for those affected.

Protecting PHI internally

The moral of the story is, while protecting against hackers is certainly important, you shouldn’t neglect internal protections.

To help hospital leaders better prevent these kinds of internal breaches from occurring, privacy and data security lawyer Joseph Lazzarotti offers some best practices for internal security on the Workplace Privacy Data Management and Security Report blog.

Some of the steps Lazzarotti suggests include:

  • Conducting in-person training — As opposed to online training, in-person instruction allows providers to show employees how privacy policies apply to their specific operations. It also gives workers a chance to ask questions and better understand how HIPAA applies to their duties.
  • Enhancing monitoring — Employees might mean well when they bring work home, or try to look into information about a friend or family member’s medical condition, but that doesn’t mean there aren’t consequences for doing so. As Lazzarotti notes, “Implemented carefully and responsibly, monitoring systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.”
  • Creating policies for device management — Set standards for which employees can bring and use devices for work, as well as what information they can access. Lazzarotti also recommends considering what steps to take for removing PHI from devices if an employee is terminated.
  • Preparing a data breach response plan — Breaches are an increasingly common occurrence. That’s why facilities should have a plan in place that addresses issues such as who to contact in case of a breach, who will investigate and what information to include in notices.
