LAS VEGAS — A data breach that exposes patients’ personal health information or identity information can cost health care businesses, including those in the O&P profession, not only a fortune in bad publicity and lost customers, but also HIPAA fines, insurance rate hikes, audits and accreditation consequences, according to presenters at the American Orthotic & Prosthetic Association World Congress.
Dan Nelson, who holds a “certified ethical hacker” certification, and Jeffrey Schultz, both partners and co-chairs of the data security and privacy practice group at Armstrong Teasdale, a law firm with offices across the United States, joined Becky Snell, director of information technology (IT) at Dankmeyer O&P, in Baltimore, to educate attendees on their responsibilities and options regarding cyber security.
“The reason we have to care about this — the reason we have no choice but to care — is because of HIPAA, and that the [HHS] Office for Civil Rights (OCR) has been aggressive in this area,” Schultz said. “OCR requires us to plan and prepare, and maintain certain steps to protect the personal health information. In addition, the American Board for Certification in Orthotics, Prosthetics & Pedorthics requires you to have some sort of plan in place, and do some sort of risk assessment, in order to maintain that certification, or you are going to get ‘dinged’ when they come in.”
According to the presenters, the five biggest mistakes businesses make in response to a data breach are failure to plan ahead, putting their IT department in charge of the response, lack of any centralized control, delayed response and solely relying on self-investigations afterward.
“We’re not ‘dogging’ on IT folks, but there is a tendency to put too much responsibility and too much burden on them. This is not what they need to be concerning themselves with,” Schultz said. “Also, if you don’t have centralized control, then people are just going to be running around everywhere. You need someone who is a team leader to take control of this.”
In addition, they advised against relying solely on internal investigations in the aftermath of a breach, and instead recommended consulting with an outside group.
“What if it was the chief executive officer who clicked on the phishing link?” Schultz said. “You may need outsiders to get to the bottom of what happened.”
According to the presenters, the five steps businesses should take to help protect patient and proprietary information are:
- Train employees to be aware of the information they need to protect — such as personal health information or intellectual property — and how to avoid phishing attacks;
- Develop a breach response plan, involving senior management as well as IT, legal, human resources, risk management and public relations departments;
- Categorize potential data risks by threat level, as over-reacting to a perceived threat can be just as damaging as under-reacting to a real one;
- Review supplier contracts to ensure that customers’ data is well-protected when in the hands of suppliers or vendors; and
- Encrypt data, with special attention paid to information stored on the devices most likely to be lost, such as mobile devices, laptops and thumb drives.
“Everyone here is a patient-focused entity, and patient satisfaction is your number-one concern,” Schultz said. “However, a lot of people look at this as a distraction from providing good service to their patients. But preparing for this is indeed providing a good service for your patients because you want to make sure their data is protected.” – by Jason Laday
Nelson D, et al. Cyber security: Is it safe? Be prepared. Presented at: American Orthotic & Prosthetic Association World Congress; Sept. 6-9, 2017; Las Vegas.
Disclosures: Nelson and Schultz report employment with Armstrong Teasdale. Snell reports employment with Dankmeyer O&P.