On March 24, 2017, Urology Austin sent out notification letters to nearly 289,000 patients informing them of an incident that occurred in January. As quoted by DataBreaches.net:
“On January 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on our servers. Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation. We also began to take steps to restore the impacted data and our operations.”
Investigators have determined the attack may have compromised affected patients’ personal information, including their names, addresses, dates of birth, Social Security numbers and medical information (Tripwire, March 28, 2017).
Although it is a good-sized network of 13 offices, some of which appear to have only one physician, this group would not seem a likely target for hackers. Yet it was. Health providers need to stop thinking they are small and start thinking they are easy. Criminals have shown they prefer to reach for “low-hanging fruit,” and although a breach is never the fault of the victim, assuming your network is safe or too small for anyone to notice makes your practice an easy target. This kind of thinking eventually leads to the unfortunate consequence of a data breach, and when that happens there are all sorts of ramifications, not the least of which is HIPAA.
Based upon my discussions with all types of practice managers, those with professional degrees and those without, there is an unwillingness to tackle the beast. They instinctively know the “cheap” internet fixes, with access to tons of forms and hours of videos, are not actually making them compliant. Just read the disclaimers: the agreement will say something to the effect that it is “the customer’s responsibility” to “develop their own compliance program.” The information IS there, but no one is accessing it in a meaningful way. It takes people and hours of time to complete the forms, follow up on the requirements and make sure they are working. If the workforce doesn’t understand what behaviors are prohibited and why, and if they aren’t caught internally when they make a mistake, then there is no compliance and you are a “sitting duck.” Most practice managers feel stuck: they want to get the office into compliance, but they are afraid to recommend what it really takes.
So what can be done? Understand that all the information about you, your employees, your patients and your practice is your data. Find someone who can help your people navigate the process and put together a program that actually works. Make sure the procedures conform to how your office actually collects, stores and transfers data. Take the time to test the system and revise what doesn’t work. Do not forget to audit, at least annually, and make changes whenever new people or new technologies arrive. Stop blaming your practice manager and make compliance happen.
Julie-Karel Elkin is the Chief Compliance Officer at Spicer Rudstrom and has been practicing law for more than 20 years. Her practice focuses on HIPAA compliance and data security, and she has developed a full suite of PHI and PII compliance measures for clients, large and small. She is currently providing privacy and security reviews for health care providers and business associates in anticipation of Phase 2 Audit Procedures from the Office for Civil Rights at the Department of Health and Human Services. She is the head of Spicer Rudstrom’s Health Data practice in the firm’s Nashville office.