Could ambulatory surgery centers be vulnerable to patient record hacking? President and CEO of PriorityOne Group Nelson Gomes shares key thoughts on how to keep patient records safe. Q: What are the crucial things ASC administrators need to know about the potential for hacking into patient records?
Nelson Gomes: The recent hacking of the Community Health Systems' network reportedly affecting nearly 4.5 million people further shows the significant value hackers are placing on patient records. The hackers stole names, addresses, birthdates and Social Security numbers — information that can help with identity theft.
A large organization the size of CHS has likely invested significantly in security measures to prevent such a breach, but these measures were not enough to deter the hackers from targeting CHS and its millions of records. While ASCs may not seem like an appealing target for hackers since they lack such a substantial quantity of records, there are several reasons why hackers may target ASCs.
ASCs are likely easier targets for hacking than large hospital systems. An ASC's information technology (IT) budget, including budgeting for IT security, is typically much lower than a hospital system's budget for IT and security. With fewer resources dedicated to IT security, ASCs lack enterprise-type security measures and are more vulnerable to a security breach (as less work is required of hackers to breach an ASC's systems).
Since ASCs spend less on IT security, a breach may not be discovered for some time. During that time, hackers can continue to copy and transfer out new data added to the system. While hacking a single ASC will likely not yield hackers the substantial return they could expect from hacking an organization such as CHS, hacking many ASCs can add up very quickly.
The key takeaway: While ASCs are not necessarily highly desirable targets for hacking, they are still desirable as they do possess information hackers are showing an increasing interest in stealing.
Another way to look at it: While thieves may make a lot of money robbing a bank, the risk and work needed to pull off such a heist is high. On the other hand, there's still money to be made by holding up a convenience store, and there's usually lower risk and effort required.
Q: How can ASCs make sure their patients' data is secure?
NG: There are numerous steps ASCs should take to better ensure the security of their patient data. These steps include the following:
• Install antivirus/antimalware and intrusion detection software. Keep these programs up to date, and ensure licenses are active (i.e., renew them before they expire).
• Ensure hardware is safe and secure. Limit the use of laptops, pen drives and tablets — which can easily leave the ASC — to hold patient records.
• Make sure staff are trained in HIPAA rules and regulations, including recent revisions, and make sure these rules are followed by staff. An ASC should also take steps to confirm — to the best of its ability — that any business associate and business associate subcontractor that handles the ASC's patient health information is following HIPAA rules. (Note: Read more about how to achieve and maintain HIPAA compliance here)
• Immediately cease use of unsupported operating systems and software, such as Windows XP.
• If you're selecting an EMR system, make sure it includes all recommended security features, such as defined access privileges and data encryption.
• Develop a password complexity policy and make it a requirement.
• Any accessing of patient records from outside the ASC should only be done securely. Ensure your center has an encrypted method of being accessed remotely.
• Do not use Social Security numbers as a patient's unique identifier.
• When staffing changes occur and staff members leave the facility, immediately remove these users from the system or change their status to inactive. Add an IT termination checklist to your current employee termination policy and procedures
• Conduct regular security IT audits. A security IT audit is a comprehensive review and examination of IT used within an ASC. The audit is primarily intended to detect security and compliance gaps. IT security audits should be conducted by a qualified third party, regardless of whether or not an ASC has an IT provider in place. A third party is more likely to provide a truly objective report.
Q: What operational and financial challenges are there for ASCs if their patient records are hacked?
NG: There are many challenges an ASC may face if its patient records are hacked. As the ASC's patients and community learn of the hacking, the ASC's reputation as a trusted provider of services will likely suffer. As a result of its tarnished reputation, the ASC may need to incur public relations expenses to try to rebuild trust in the organization. Breach notification rules state, as required by section 13402(e)(4) of the HITECH Act, the Secretary of Health and Human Services (HHS) must post a list of breaches of unsecured protected health information affecting 500 or more individuals. Your ASC will appear on the HHS "wall of shame." Note: Learn about the HIPAA Breach Notification Rule and its requirements here.
The ASC may incur costly expenses associated with making the individual, media and HHS secretary aware of the breach and the steps the ASC has taken to address it. There are also costs associated with notification of affective parties. This may involve calling patients, sending out certified mailings or, if a substantial breach occurs, establishment of a call center.
Other expenses associated with a breach may include the following:
• Investigative costs. When a breach occurs, an ASC must identify the cause, which patients are affected and need to be notified, and the steps that need to be taken to prevent future breaches.
• Legal fees. These are associated with the guidance provided by a lawyer on how to respond to the breach and any need to respond to a government investigation.
• Regulatory penalties. An ASC can be assessed $100-$50,000 for each HIPAA violation, depending on the type of the breach.
• Credit monitoring costs. An ASC may be required to provide credit monitoring services if the breach includes theft of Social Security numbers or financial information.
Q: Where do you see electronic patient record trends heading in the future? How can ASCs prepare?
NG: The adoption of electronic health records is not as commonplace in the ASC market compared to in the hospital and practice market because ASCs are not yet eligible for EHR incentive payments. However, the trend of EHR adoption is growing with ASCs, particularly in those that are partnering with local hospital systems. Hospitals are requiring ASC partners to adopt EHR so they can capture patient clinical data.
The best way for ASC leadership to gain an understanding of the state of the center's IT and security is by performing a detailed security risk assessment. The report should detail the ASC's current IT environment and identify security gaps. The report should also include best practices, recommendations, benefits of new investments in technology, key initiatives to consider, and a remediation plan and solutions (if gaps exist).
More articles on surgery centers:
Are bundled payments worth it? An ASC case study
4 recent moves towards ASC price transparency
PODs under attack—5 things to know