Lessons Learned Article Series â€" Breaches Risks Outages Part 2
In part one of the article series we discussed electronic communications, including the use of third party email providers such as Google and Hotmail.
In this second and final part of our series, we will address what steps should be taken when an email gets sent to the wrong recipient, including the breach notification process and determining the probability PHI has been compromised.We will cover security breaches, data loss, unplanned outages, and also discuss security risk analysis and risk management.
#LessonsLearned â€" incidents demonstrate importance of risk analysis and risk management
Recently it was announced that a covered entity has agreed to settle potential HIPAA violations with the U.S.Department of Health and Human Services (HHS), Office for Civil Rights (OCR), by agreeing to pay $218,400 and to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. According to the announcement, workforce members of the covered entity used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice. Additionally, the covered entity failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.
In a separate incident, this covered entity submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former workforce memberâ€™s personal laptop and USB flash drive, affecting 595 individuals.
Security breaches, data loss and unplanned outages
Incidents such as security breaches, data loss and unplanned outages are very costly.Recent results from a survey of health information technology executives are alarming.It is estimated that the combination costs hospitals alone approximately $1.6 billion per year!
- Security breaches are real, and are costly.It is estimated that nearly one in five healthcare organizations has experienced a security breach in the last 12 months.A security breach isnâ€™t cheap: the average cost of each incident is just over $800,000 per incident.The culprits of security breaches include malware, computer viruses, outsider attacks, physical security, and user error.
- Data loss occurs more frequently than a security breach.One in three healthcare organizations has experienced data loss in the past 12 months, also costing over $800,000 per incident.Common causes include hardware failure, loss of power, and loss of backup power.
- Unplanned outages happen more frequently.Forty percent of healthcare organizations have experienced an unplanned outage in the last 12 months.The average cost of each incident is over $400,000.Unplanned downtime over the 12 months has cost each healthcare organization, on average, 57 hours of productivity.The most common cause is hardware failure, followed by loss of power, software failure and data corruption.
The possibility of an email being sent to the wrong recipient
When setting up a new email address or username, isnâ€™t it interesting how many names are already taken? For this reason, it is entirely possible an email could be sent to the wrong recipient; all it takes is typing one additional letter or one additional number to send an email to the wrong recipient.For example, [email protected] may be a different person than [email protected]Â Also, many email programs come preset with auto-fill features where you begin typing an email address and the program remembers any previous email address that start with those same letters or characters.This auto-fill feature has led to many accidental emails being sent to the wrong recipient.
If patient information is sent to the incorrect person, or a message is intercepted, it could be a breach under HIPAA and possibly, state laws.
Prepare for the unexpected
In our previous article, we discussed the use of a disclaimer notifying the recipient of the insecurity of electronic communications, and provided instructions in case of a misdirected message.In addition to a disclaimer, there are other steps you can take.
- Have patients sign an agreement that they have agreed to receive electronic communications, such as email or facsimile.
- Include in the signed agreement an explanation of potential risks to patients.State that their information could be intercepted or received by the wrong party, to ensure patients understand the risks and still agree to receive electronic communications.
Further, as a result of HIPAA Omnibus Rule, covered entities must assess the probability that protected health information has been compromised based on a risk assessment that considers at least the following four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the protected health information or to whom the disclosure was made.
- Whether the protected health information was actually acquired or viewed.
- The extent to which the risk to the protected health information has been mitigated.
What if you breach an individualâ€™s PHI?
If you determine that a breach has, in fact, occurred, you must notify the affected individual(s) in writing of the breach.It is appropriate and expected to notify an individual if it is suspected their PHI has been viewed, intercepted or received by unauthorized recipients.
The HITECH Act provides for both actual written notice to affected individuals, as well as substitute notice to affected individuals if contact information is insufficient or out-of-date.The statute requires breach notifications to be sent by first-class mail at the last known address of the individual or next of kin if the individual is deceased, or by electronic mail if specified as the preferred method by the individual.
It is extremely important to make sure you have the correct mailing address and correct email address, including the correct spelling.
What needs to be provided when notifying an individual of a breach?
Using Omnibus as a guide, the following are required to be included in a breach notification:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured protected health information that were involved in the breach.
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, mitigate the harm to individuals, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
#LessonsLearned â€" identify, mitigate and document
Remember the covered entity who agreed to pay $218,400 and to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program?Â An important lesson learned in this settlement is in the event of a breach â€" large or small â€" it is extremely important to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.
What if the covered entity had proactively identified deficiencies in its HIPAA compliance program?Â Could have they prevented these incidents by mitigating these deficiencies?Â Keep these questions in mind while reading the next section.
Security Risk Analysis and Risk Management
A security risk analysis can be thought of as a seat belt for an organization.Properly used seat belts provide safety for drivers and passengers from the risks of an accident.A security risk analysis used properly is essential to safely protect patientsâ€™ ePHI, due to the risk of a breach.
A security risk analysis and security risk management have common steps.It is important to review the existing security infrastructure, identify potential threats to patient privacy and security, and assess the impact on the confidentiality, integrity, and availability of your ePHI.Risks should be prioritized based on the severity of their impact.
The risk analysis should be used to create an action plan.The action plan should have five components: (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) policies and procedures; and (5) organizational standards.Once the plan is created, you should begin implementing the plan.
Risk management includes managing and mitigating risks with up-to-date policies and procedures, workforce education and training, communicating with patients, and last but not least, updating your business associate agreements.
The risks of a breach are real.A breach can be costly to any organization. Effectively creating a plan and managing the plan is essential to adequately protect health information, and to provide protection for your organization.
According to OCR Director Jocelyn Samuels â€śIn order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure incidents are reported and mitigated in a timely manner.â€ť
We are here to help. Please make sure to contact us so we can help you with any or all of these processes.
If you have any questions about this #LessonsLearned article series, please feel free to comment below or send us an email at [email protected] or reach us by phone toll-free at 855-427-0427.