UCLA Health announced a breach last week of 4.5 million patient records. This is bad news for the university health system and their patients, and it could be bad news for you if you believe these breaches only happen to big organizations with lots of records. Unfortunately, this is not the case. According to the current “Wall of Shame” posted on the Office for Civil Rights website, only six of the reported 31 breaches of patient data since June 2015 have been in a hospital. The remainder occurred in health plans, clinics and third party service providers.
A data breach is not a case of “if” anymore, it’s a case of “when.” As a clinic practice of two, five or 17 doctors, it can be overwhelming to work through the process of assembling a privacy and security plan for your practice. The good news is there are plenty of resources available, such as an updated guide from the Office of the National Coordinator for Health Information Technology. This guide provides a good roadmap for practices looking to implement a security program. For a start, here are the seven steps it suggests for implementing a security management process:
- Step 1: Lead Your Culture, Select Your Team, and Learn
- Step 2: Document Your Process, Findings, and Actions
- Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
- Step 4: Develop an Action Plan
- Step 5: Manage and Mitigate Risks
- Step 6: Attest for Meaningful Use Security-Related Objective
- Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
Before you think you don’t have time or the resources for all of the above, imagine the chaos your practice will be thrown into when you discover a breach of your patients’ data. I have been at the table with physicians as they face the reality of this financial and reputational catastrophe, and I can say without a doubt that they all would have traded the time and effort spent on the breach for a proactive approach to building out their privacy and security programs.
Identity thieves don’t just go after big hospitals like UCLA Health. Medical identity theft is skyrocketing due to the high value of these records on the international black market. Thus, any vulnerability will be sought and exploited by ruthless criminal syndicates. These aren’t teenage hackers we’re facing, which means you too must organize a defense strategy and implement it as soon as possible. You already work hard to help protect your patients’ well-being—protecting their medical records and their personal information is now part of the job.