“Compliance with HIPAA and HITECH is not about whether your IT is working, but if your patient data is at risk. It’s kind of an invisible issue,” says Drew Braden of Aligned Tek. “Unless you know what you’re looking for, you could be non-compliant.” HIPAA violations have cost healthcare entities hundreds of thousands, and in some cases millions, of dollars in penalties. Medical records are now worth roughly ten times as much to criminals as credit card data, according to Reuters, which reports that criminals use provider and patient numbers to buy and resell medical equipment or drugs and to file false claims with insurers.
Many medical offices are strewn with unintentional HIPAA violations. “An office sent me a photo of their monitor to help with an IT problem,” says Braden with Aligned Tek. “It showed all the sticky notes around the monitor that listed passwords. They had just unintentionally given me access to everything.”
A less visible HIPAA exposure is unsupported software. The next major end-of-support date is July 14, 2015, when Microsoft stops supporting its widely deployed Windows Server 2003. After that date Microsoft will issue no further security updates for it, so any vulnerability discovered later stays unpatched on every server still running it, which is hard to reconcile with the Security Rule’s requirement to protect against reasonably anticipated threats to PHI.
“Which means all the hackers of the world are waiting for that day when they can go in and find those open gateways into servers running that software,” says William Sester with TekLinks.
HIPAA has requirements whenever patient information is shared outside the practice or accessed from outside it. To secure remote access, a practice should require credentials for offsite access to protected health information (PHI) that are distinct from the ones used in the office, encrypt the connection with 128-bit AES, make it possible to change or revoke a password immediately, and automatically terminate the connection after a short period of inactivity.
“Audit the usage log, too, so you can review when people log on,” Braden says. Logs reviewed at one practice revealed that the husband of a front-desk employee had been signing in from their home every few days. Her remote access was revoked.
Cloud-hosted data carries the same exposures. “You can cut your exposure by setting it so nobody but the physicians have access after seven pm or only certain usernames have access from certain IP addresses,” Braden says.
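The log review Braden describes above, combined with the after-hours and per-user IP restrictions in this paragraph, can be expressed as a small script that runs over the remote-access log and flags the logons a practice manager should question. The following is an added example written for this page; it is not code from the article, Aligned Tek or TekLinks. The log format, user names, roles, IP ranges and the 7 pm cutoff are constructed assumptions for illustration, and a real deployment would read the log the remote-access product actually writes.

```python
"""Review a remote-access log against per-user access rules.

Added example for this page (not from the article or the vendors quoted).
Log format, users, roles and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log: ISO timestamp, user, source IP, event.
SAMPLE_LOG = """\
2015-03-02T08:55:12 jsmith 203.0.113.10 LOGIN_OK
2015-03-02T19:42:03 jsmith 203.0.113.10 LOGIN_OK
2015-03-03T21:10:44 drlee 198.51.100.7 LOGIN_OK
2015-03-04T20:15:09 jsmith 192.0.2.55 LOGIN_OK
2015-03-04T10:05:30 jsmith 203.0.113.10 LOGIN_OK
2015-03-05T03:30:00 drlee 192.0.2.200 LOGIN_OK
"""

# Assumed per-user policy: role plus the networks the user may connect from.
# A front-desk user is allowed only from the office range; the physician is
# also allowed from one specific home address.
POLICY = {
    "jsmith": {"role": "front_desk", "allowed": ["203.0.113.0/24"]},
    "drlee":  {"role": "physician",  "allowed": ["198.51.100.0/24", "192.0.2.200/32"]},
}

# "Nobody but the physicians have access after seven pm" (assumed window).
AFTER_HOURS_CUTOFF = time(19, 0)
BUSINESS_START = time(7, 0)


@dataclass
class Finding:
    when: datetime
    user: str
    src: str
    reason: str


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source IP, event)."""
    ts, user, src, event = line.split()
    return datetime.fromisoformat(ts), user, src, event


def is_after_hours(t):
    """True if the time falls outside the assumed business window."""
    return t >= AFTER_HOURS_CUTOFF or t < BUSINESS_START


def review(log_text, policy=POLICY):
    """Return a Finding for every successful logon that breaks a rule.

    A single logon can produce two findings (after hours AND bad source IP).
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, src, event = parse_line(raw)
        if event != "LOGIN_OK":
            continue  # only successful logons matter for this review
        rules = policy.get(user)
        if rules is None:
            findings.append(Finding(when, user, src, "unknown user"))
            continue
        if is_after_hours(when.time()) and rules["role"] != "physician":
            findings.append(Finding(when, user, src, "after-hours logon by non-physician"))
        addr = ip_address(src)
        if not any(addr in ip_network(net) for net in rules["allowed"]):
            findings.append(Finding(when, user, src, "source IP not on user's allow-list"))
    return findings


def summarize(findings):
    """Count findings per user so the manager sees who to talk to first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:<8} {f.src:<15} {f.reason}")
    print(summarize(review(SAMPLE_LOG)))
```

On the constructed log the physician's 9 pm and 3:30 am logons from permitted addresses pass, while the front-desk account is flagged twice for evening logons and once for a source address outside the office range, which is the pattern that, in Braden's story, turned out to be a spouse using the account from home.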
“A lot of times administrators overlook the importance of passwords,” Sester says. Even carelessness in choosing passwords can put a practice out of compliance. HIPAA itself prescribes no password length or character set; the Security Rule’s password-management specification (45 CFR 164.308(a)(5)(ii)(D)) requires procedures for creating, changing and safeguarding passwords, and auditors expect a written policy that is actually enforced. A common baseline is at least eight characters, mixing uppercase and lowercase letters with digits or non-alphabetic characters such as exclamation points. “Avoid common phrases and current crazes too,” he adds.