Hacks, HIPAA, and Human Error

Astrong online presence can translate into a faster-growing practice. But advances in digital channels also pose new risks for exposing patient information or becoming a target for hackers.

I spend quite a bit of time speaking with doctors about how to boost their digital practice development efforts. Here are a few common threats to be aware of, along with ways to keep your practice safe, secure, and compliant when it comes to protecting patient privacy.

Sharing Photos and Social Media

Online sharing, especially on social media sites, has created a gray area when it comes to practice-patient communication and relationships. Our privacy experts tell us that many of the same common-sense practices you use in real life need to also apply to the digital space.

For all before-and-after photos, you must get patient consent for each and every procedure. Additionally, the patient also must have the ability to remove consent at a later date, according to Mike Sacopulos, JD, who specializes in HIPAA compliance and mitigating risks online, and is the founder of Medical Risk Institute. This includes any before and afters you use on social media, and you should add a clause that includes social use in your consent form, too.

Additionally, be mindful of where you post before-and-after photos. Social is usually not the best platform for this type of media, whereas RealSelf is built for sharing patient photos, as our audience is mostly other potential patients researching your work. Regardless, set solid social media use policies at your practice for your staff to follow, even if you are holding an event at your office, everyone must be OK with their image being taken and used on your social properties.

Mr. Sacopulos cautions physicians about is “scraping,” or others taking images off your site and trying to pass them off as their own. You can do a quick reverse image search (many are free), and see where your images may appear anywhere else.

If any information transmission isn't encrypted (a general email inquiry on your “Contact Us” page or a patient Facetime or Skype consult), you need a disclaimer that it is not completely secure space and need to obtain patient consent, too.

Be Vigilant About HIPAA

“The first and most important mistake I see in healthcare practices is a lack of understanding the HIPAA compliance requirements, particularly as they apply to protection of electronic Protected Health Information, or ePHI,” said Rune Christensen, founder of Rune I.T., Medical I.T. and HIPAA Compliance Experts. “The two most prevalent causes of data breaches are loss of personal devices and hacking.”

If a device is lost or stolen, and it doesn't have the proper encryption in place or access protection, any data on there is fair game. Using public Wi-Fi is also a threat. Mr. Christensen told us about a doctor who had data compromised by using free Wi-Fi in an airport to look up patient information.

Mr. Sacopulos adds that not encrypting hard drives on any device is the “No. 1 mistake practices make.”

Have best practices in place on device usage, including implementing encryption and access security, along with prohibiting staff from using public, unsecured Wi-Fi use in shared spaces.

Watch Out for Hacks

This year, ransomware hit the healthcare industry in a big way. To date, Healthcare IT Newsestimated that about 88 percernt of ransomware attacks in the US targeted healthcare companies.1 Hackers know that security at banks and other major corporations is tight, so they're going after smaller, unsuspecting targets. Cosmetic medical practices are especially attractive, because patients aren't using insurance to pay for services, and their personal information—ripe for identity theft—is relatively unsecured.

As with many breaches, hackers are looking for human error. Ransomware is often triggered by someone in your practice hitting a link they think is from a legitimate email. The average ransomware attack can cost about $200 per patient, according to a recent webinar Mr. Sacopulos gave on “Compliance in a Virtual World.”2

Sacopulos said that to protect against these attacks, the first thing to do is backup your information often. A cloud-based EHR system is generally considered safe and secure, but be sure that your service is HIPAA compliant.

Still, backing up data is far from enough. “Staff needs basic training on cyber hygiene,” Mr. Sacopulos told us via email. “You would never allow a staff member to handle needle and biohazard materials without having basic instructions on safety. Yet practices do this every day with electronic medical records and online communications. Believe me when I tell you that a computer terminal can be as dangerous as a used needle.”

Four Steps to Take for Cybersecurity

The good news is that there are many things you can do to protect your practice online. In my talks on cybersecurity, I tell practices to focus on these four things:

1. Push security requirements onto vendors: Everyone you do business with who has access to your patients' info, even just their emails, needs a Business Associate Agreement.
2. Retain an information security firm: They can help pinpoint vulnerabilities, help train staff, and create an action plan in case of a breach.
3. Train staff to treat security as mission critical: Repeat. Repeat again.
4. Get cyber extortion/data loss insurance: Many practices do not have adequate coverage in case of a hack, and other liability policies might say they include cyber coverage, but it's probably not adequate (think of that $200 times your patient base). Make sure you're covered.

1. http://www.healthcareitnews.com/news/ransomware-88-percent-us-attacks-hit-healthcare-entities

2. https://www.youtube.com/watch?v=VSa2qNCb6xA&feature=youtu.be

Tom Seery is CEO and Founder of RealSelf, an online resource for cosmetic procedures and treatment providers with a growing monthly audience of 9 million consumers. More than 8,000 physicians get in front of the RealSelf audience by providing answers to questions and sharing photos and videos. You can connect with Tom on Twitter @seery.