Physical Thefts Threaten Patient Health Information Too
While hacking has captured the headlines on data breaches of health care information, more than half of the data breaches in health care settings are the result of devices being physically stolen from a practice, car, home or elsewhere. Such a breach can be costly for a doctor whose unencrypted patient health information is stolen.

According to the attorney general's 2016 California Data Breach Report, the health care industry continues to be vulnerable to physical breaches, "although malware and hacking breaches are starting to increase as the sector's transition to electronic medical records progresses." Patient records and Social Security numbers are a top target for thieves. The report goes on to state that in 2012, 68 percent of health care breaches were the result of stolen or lost equipment, compared to 21 percent of breaches in all other sectors. In 2015, 39 percent of health care breaches were of this type, while in other sectors it accounted for just 13 percent.

While there has been some improvement with stronger encryption practices to protect medical information in recent years, the report states, "There is still a long way to go in addressing this preventable type of breach."

Some recommendations to help protect data include:

Encrypt data at rest.
Encryption is an "addressable" technical standard under the HIPAA Security Rule, which means it is not required, but is considered a "best practice". If a doctor's system is capable of encryption, he or she should enable it. Doctors can double-check with their practice management software vendors about the ability to encrypt data.

Strengthen the physical security of the server and hard drives if encrypting the data is not an option.
Check for ways to secure the drives to something difficult to move, or add further barriers that impede access to the system, the office, and the patient files or computers.

Encrypt portable devices, such as laptop computers and flash drives.
A dermatology practice lost an unencrypted thumb drive and recently reached a resolution agreement with Health and Human Services that called for the practice to pay $150,000 and comply with a corrective action plan. If doctors cannot encrypt these devices, they should consider using cloud backup services. If using a cloud backup service, have a business associate agreement with the company.

Purchase a cyber liability coverage policy.
PICA now includes cyber liability coverage in its medical professional liability policy in California at a $50,000 limit of liability. Additional coverage, up to $1 million, can be purchased through Pro Assurance Agency.

For more information on cyber liability coverage, please contact PICA at (800) 251-5727.