What every physician needs to know: Googling your patients

Health care professionals are not immune to the lure of social media or the ubiquity of Google. And like most people, they turn to the Internet to find answers to questions big and small.

But what happens when physicians go online to learn about their patients? The incidence of “patient-targeted Googling” (PTG) is on the rise. But should professional standards and privacy concerns prevent physicians from conducting PTG?

Insuring business continuity after a cyber attack

Cyber attacks now occur consistently and typically in detectable forms and are concentrated in particular industries: health care, technology, biotechnology, finance, and legal. (1)

Cyber criminals target health care because they want to steal patient health information. A breach of protected health information (PHI) is a daily business risk. And a simple misstep can lead to an expensive breach incident that includes the loss of business income due to a suspension in operations and extra expenses incurred to remediate the breach.

Accordingly, medical practices need strong cyber security, a tested incident response plan, and comprehensive cyber liability insurance. These strategies can help to mitigate an embarrassing and costly data breach.

Business interruption coverage
Ransomware can cause a business interruption. If a practice cannot access its EMR/EHR because the database was illicitly encrypted, and if it is unable to regain access or does not have a data backup and recovery protocol, the resulting downtime could become costly due to lost productivity and the extra expenses of replacing the corrupted data.

Some cyber liability insurance policies include coverage for a business interruption loss. So if a practice is partially or totally interrupted by a “covered cause of loss” to its “digital assets” (computer programs or systems), the insurer will pay the projected loss of net income, after a specified “waiting period” and for a specified period of time, plus the continuing expenses to maintain business operations and the extra expenses to help the practice avoid or minimize the suspension. Covered causes of loss typically include accidental damage or destruction, administrative or operational mistakes, and computer crime and computer attacks that cause harm to the practice’s digital assets.

Extra expenses can include overtime pay to staff to restore lost or damaged records and to respond to an Office for Civil Rights (OCR) breach investigation and an extensive Data Request. (If the breach involved more than 500 records, the practice must report the breach incident within 60 days to the OCR and to the local media, as required under HIPAA.) In some cases, these extraordinary expenses can be greater than the revenue lost from the business interruption.

It is not unusual after a breach notification for a practice to experience a reduction in income due to a drop-off in patient appointments. In most cases, this reduction is temporary and income returns to its pre-loss levels.

Contingent business interruption coverage
More and more practices use cloud computing technology to host their patient and billing data. A practice that is entirely dependent upon a cloud service provider (CSP) to store and access patient information can also suffer an unexpected suspension of operations. If the CSP’s on-demand access is down due to a hardware failure or denial of service attack, this downtime could result in a simultaneous business interruption for the practice too.

Some cyber liability policies also provide coverage for Contingent Business Interruption and Extra Expense. This pays the loss of business income, plus the continuing expenses to maintain business operations and the extra expenses resulting from a suspension in operations, when that suspension is caused by a covered cause of loss to the operations of a third-party vendor on whom the practice depends for its own operations. For example, this coverage may be triggered by “cloud failure,” defined in one policy, in part, as:

“‘Cloud failure’ means any unannounced and unplanned failure of a ‘cloud service provider’, located anywhere in the world, to provide you access to the computing resources described in a ‘vendor agreement’ within the parameters described in such ‘vendor agreement.’” (3)

Business continuity coverage
A medical practice’s failure to properly safeguard its PHI from unauthorized disclosure may also result in lasting harm to the practice’s reputation. As one commentator noted, “You can back up your data, but you can’t back up your brand.” (2)

Some cyber liability policies also provide business continuity coverage for reputational harm resulting from a negative media report or from the notification of affected patients following a security or privacy breach. This pays the projected loss of revenue, that is, what the practice would have expected to earn. It is additional coverage, beyond the insurer simply paying the costs of crisis management, such as public relations expenses to mitigate damage to the practice’s reputation.

It is advisable to check with your medical professional liability carrier or with your insurance broker — prior to experiencing a business-altering cyber attack — to determine if your existing cyber liability policy or business insurance includes coverage for business interruption, contingent business interruption, and business continuity. This financial protection may make the difference in keeping your practice doors open in the event of a security breach.

Sources

  1. eSentire. 2017 Q2 Quarterly Threat Report. Available at https://www.esentire.com/resources/knowledge/2017-q2-quarterly-threat-report/. Accessed October 30, 2017.
  2. Sanger M. Protecting your firm from vendor risks. ALM Law Journal. August 2017.
  3. The Hartford. Business income extension for cloud service interruption. (Form 22 41 84 03 16).

HIPAA and the opioid crisis

by Cathy Bryant

On October 27, the HHS Office for Civil Rights issued guidance on how HIPAA allows information sharing to respond to the opioid crisis.

This guidance explains how health care professionals have broad ability to share health information with patients’ family members during certain crisis situations without violating HIPAA privacy regulations.

Current HIPAA regulations allow health care professionals to share information with a patient’s loved ones in emergency or dangerous situations, such as when that patient may be incapacitated due to an opioid overdose. This includes informing those in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.

Misunderstandings about HIPAA can create obstacles to family support, which is crucial for the proper care and treatment of people in a crisis situation, such as an opioid overdose.

Read the HHS guidance

Cyber security: Back to basics

by Cathy Bryant

It seems ironic that we have a Cyber Security Awareness Month; given today’s threat environment, every day must be cyber security awareness day. But we do have one, and it is in October. It is a great opportunity to have cyber security awareness conversations with your staff.

Without a doubt, our electronic health information is more at risk than ever. All covered entities and business associates must meet the HIPAA Security Rule to ensure confidentiality, integrity, and availability of electronic protected health information (ePHI).

In the risk assessments we conduct at TMLT, we find that practices are failing to meet the basic requirements of HIPAA security. A recent study found that 73% of medical professionals report having shared their password to allow someone access to the EHR. The Health and Human Services Office for Civil Rights (OCR) offers the following tips for getting back to basics. (1)

Basic cyber security tips

Have a strong password. Make sure you use a strong password (i.e., usually 10 characters or more, including upper case and lower case letters, numbers, and special characters like #$&*). Recent research suggests users could also consider using “passphrases,” which are sentences that may be easier to remember than a very complex password (e.g., “I got a pony for my 8th birthday!”). (2) Do not use passwords or phrases that would be easy to guess, such as a pet’s name or your birthdate. (3)
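As an added example (not code from the OCR newsletter or from TMLT), the following Python function turns the password tip above into a check a practice could run when staff choose an EHR password: it accepts either a complex password (10 or more characters with upper case, lower case, digits, and special characters) or a passphrase, and it rejects known-common passwords and passwords that embed guessable personal details such as a pet’s name or a birthdate. The passphrase thresholds (4 words, 20 characters), the tiny blocklist, and the set of birthdate patterns are assumptions made for this example; a real deployment would use a large breached-password list, as NIST SP 800-63B recommends.

```python
import re
from datetime import date
from typing import Iterable, List, Optional

# Constructed sample blocklist for the example. A real deployment should use a
# large list of breached/common passwords (see NIST SP 800-63B, Appendix A).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}

SPECIALS = set("#$&*!@%^()-_=+[]{};:,.<>?/\\|~`'\"")
MIN_COMPLEX_LEN = 10        # "usually 10 characters or more" (from the tip)
MIN_PASSPHRASE_WORDS = 4    # assumption: minimum words for a passphrase
MIN_PASSPHRASE_LEN = 20     # assumption: minimum length for a passphrase


def _date_forms(d: date) -> List[str]:
    """Common ways a birthdate gets typed into a password (assumed patterns)."""
    return [
        d.strftime("%m%d%Y"), d.strftime("%d%m%Y"), d.strftime("%Y%m%d"),
        d.strftime("%m%d%y"), d.strftime("%d%m%y"), str(d.year),
        d.strftime("%m/%d/%Y"), d.strftime("%m-%d-%Y"),
    ]


def check_password(candidate: str,
                   personal_terms: Iterable[str] = (),
                   birthdate: Optional[str] = None) -> List[str]:
    """Return a list of policy failures; an empty list means the password is acceptable.

    personal_terms: names that are easy to guess for this user (pet, spouse, own name).
    birthdate: the user's birthdate as an ISO string, e.g. "1985-03-14".
    """
    problems: List[str] = []
    lowered = candidate.lower()

    # 1. Never accept a well-known password, whatever its shape.
    if lowered in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")

    # 2. Reject guessable personal information (pet's name, birthdate, ...).
    for term in personal_terms:
        t = term.lower().strip()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains personal term {term!r}")
    if birthdate is not None:
        for form in _date_forms(date.fromisoformat(birthdate)):
            if form in candidate:
                problems.append("contains birthdate")
                break

    # 3. Accept EITHER the complex-password rule OR the passphrase rule.
    has_classes = (
        len(candidate) >= MIN_COMPLEX_LEN
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c in SPECIALS for c in candidate)
    )
    words = re.findall(r"[A-Za-z']+", candidate)
    is_passphrase = (len(words) >= MIN_PASSPHRASE_WORDS
                     and len(candidate) >= MIN_PASSPHRASE_LEN)
    if not (has_classes or is_passphrase):
        problems.append(
            f"needs {MIN_COMPLEX_LEN}+ chars with upper, lower, digit and special, "
            f"or a passphrase of {MIN_PASSPHRASE_WORDS}+ words and "
            f"{MIN_PASSPHRASE_LEN}+ chars")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a pet named Fluffy and a birthdate of 14 March 1985.
    for pw in ["I got a pony for my 8th birthday!", "Fluffy2015!", "Pa$sw0rd",
               "password1", "Dr03141985!x"]:
        result = check_password(pw, personal_terms=("Fluffy",), birthdate="1985-03-14")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the personal-term and birthdate checks run even when the password would otherwise satisfy the complexity rule: “Fluffy2015!” has every character class the tip asks for and is still rejected, which is the point of the “do not use your pet’s name or birthdate” advice.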

Training. Train your staff regularly on important cyber security issues, such as how to spot phishing e-mails and when, and to whom, to report possible cyber incidents in your practice.

Multi-factor authentication. A username and password may not be adequate to protect sensitive information, privileged accounts, or information accessed remotely. As part of its risk analysis, an entity should determine what authentication practices to use to protect its systems and sensitive information. Multi-factor authentication typically includes a password and additional security measures, such as a thumbprint or key card.

Updates and patching. You should update and patch your systems and applications regularly, because updates and patches often fix critical security vulnerabilities.

Lock devices. Limit physical access to devices and lock devices when not in use.

Portable devices. Be cautious plugging a phone, USB, or other portable device into a secure computer or network. Portable storage devices may not be as secure and may contain malicious software that could corrupt your secure network. If the device is needed, be sure to follow your organization’s policies on the use of such devices, which could include prohibitions on the use of personal devices or having IT personnel review such devices to ensure they do not contain malicious software.

Do not wait. Do not wait to report possible cyber security threats to the right people in your organization. Time is often critical during a cyber incident. If you suspect a cyber threat, report it right away.

Cyber security and ePHI

Be aware. Be aware of your responsibilities as a covered entity or business associate under HIPAA. See 45 C.F.R. Parts 160 and 164. Also, be aware of current threats and trends in cyber security, so you can take action and update security measures as needed.

Plan. Covered entities and business associates are required to have security incident procedures and response plans in place, as well as contingency plans to ensure effective, concentrated, and coordinated means to respond to and recover from security incidents. These policies, procedures, and plans should provide a roadmap for response and recovery activities, be approved by management, and be reviewed and tested regularly.

Respond. Once a security incident is detected, immediately take steps to analyze the incident, contain its impact and propagation, eradicate the incident, remediate vulnerabilities that permitted the incident, recover from the incident, and conduct post-incident activities. (4) You should also take steps to mitigate any impermissible disclosure of protected health information.

Report. Breaches of ePHI affecting more than 500 individuals must be reported to the OCR, affected individuals, and the media as soon as possible, but no later than 60 days after the discovery of the breach.

Breaches affecting fewer than 500 individuals must be reported to the affected individuals as soon as possible, but no later than 60 days after the discovery of the breach, and to OCR no later than 60 days following the end of the calendar year in which the breach was discovered. An entity may delay its reporting of a breach if such a delay is requested by a law enforcement official.

The OCR encourages entities to report all cyber threat indicators to federal information sharing and analysis organizations (ISAOs), such as those maintained by the Department of Homeland Security and HHS Assistant Secretary for Preparedness and Response, as well as to private sector cyber threat ISAOs. Do not include PHI in these reports. OCR does not receive such reports from its federal or HHS partners.

Sources

1. U.S. Department of Health and Human Services Office for Civil Rights. Back to basics (basic cyber security tips). Cybersecurity Newsletter. September 2017.

2. For more information, please see Appendix A, Strength of Memorized Secrets, in NIST Special Publication 800-63B, Digital Identity Guidelines. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html. Accessed October 3, 2017.

3. For additional tips on creating strong passwords visit: https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice.