The federal government reported the highest number of data breaches compromising protected health information (PHI) in April 2019 (HIPAA Journal, 2019). Data breaches in health care have only been tracked since 2009 with the passage of the Health Information Technology for Economic and Clinical Health Act (Office for Civil Rights [OCR], 2009). In this column, I discuss breach types and how we can prepare students to avoid unsafe practices that set up opportunities for hackers.
The health sector is the most vulnerable to breaches compared to all other sectors in the US economy (Akpan, 2016). Health care data stolen by nefarious hackers are more valuable on the black market than credit cards because they contain so much personally identifiable information, such as name, social security number, date of birth, PHI, and credit card information. These data can be used to commit identity fraud or Medicare, Medicaid, and insurance fraud (Garrity, 2019a). The vulnerabilities of many electronic health records, imaging systems, and medical devices are staggering, putting health care organizations at risk for financial and legal problems.
The federal government tracks and classifies health care breaches into six categories (OCR, n.d.). Table 1 shows the types of data breaches in the last 24 months of reporting. Hacking and information technology (IT) incidents accounted for the highest percentage of breaches, followed by unauthorized access or disclosures.
Data security starts with understanding how breaches occur, learning methods to prevent breaches, and responding quickly in the event of a breach. Because employees are the single biggest contributors to data insecurity, the rest of this column focuses on ways to teach students proper data security practices (Reinicke, 2018).
HACKING/IT INCIDENT
Currently, one of the easiest ways for hackers to gain access to PHI is through phishing attacks on employee email. Phishing emails are sent to thousands of people to fool them into entering confidential information into a legitimate-looking website. Once the target of a phishing attack has entered information, hackers use the victim's user IDs and passwords to collect data and sell it to others. For example, an employee at Memorial Hospital in Gulfport, Mississippi, opened a phishing email on December 6, 2018, and exposed 30,000 medical records (Garrity, 2019b). The hospital was required by law to notify patients and offer credit monitoring for free.
The following points are critical for email safety:
* Never open email from unknown individuals or download attachments.
* Hover over a link to see the actual web address rather than clicking on it. If you believe the email may be legitimate, find the website without using the link in the email.
* Beware of calendar invitations and look at the meeting details before letting the invitation access your calendar.
* Delete emails with awkward sentence structure or wording because these are probably written by foreign hackers who are nonnative English speakers.
* Search the Internet for words in the subject line to see if others have posted complaints about the email.
* Contact your IT department immediately if you believe you are the victim of a phishing attack.
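The "hover over a link" advice above can be taught with a concrete check: the address a link displays and the address it actually opens are two different things in an HTML email, and a mismatch is the classic phishing tell. The following Python script is an added example, not part of the original column; it parses a constructed sample message, pairs each link's destination with its visible text, and flags links whose destination lies outside a list of trusted domains or whose visible text names a different domain than the destination. The hospital domain and the sample message are invented for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a web address, e.g. "portal.example-hospital.org"
# or "https://portal.example-hospital.org/login".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def host_of(value: str) -> str:
    """Return the lowercase hostname of a URL or bare host string ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (portal.x.org -> x.org)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html: str, trusted_domains: set) -> list:
    """Flag links that leave the trusted domains or whose text disguises the destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        destination = registrable(host_of(href))
        reasons = []
        if destination and destination not in trusted_domains:
            reasons.append("destination outside trusted domains")
        shown_host = host_of(text) if URL_LIKE.fullmatch(text) else ""
        if shown_host and registrable(shown_host) != destination:
            reasons.append("visible text points to a different domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: the first link displays the hospital's own portal
# address but actually points at an unrelated host; the second link is genuine.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Go to
<a href="http://portal-example-hospital.example.net/login">https://portal.example-hospital.org</a>
within 24 hours to keep your account.</p>
<p>See the <a href="https://portal.example-hospital.org/policies">password policy</a>.</p>
"""

TRUSTED = {"example-hospital.org"}  # assumed organization domain for the example

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, TRUSTED):
        print(f"{finding['href']!r} shown as {finding['text']!r}: "
              + "; ".join(finding["reasons"]))
```

Running the script reports only the first link, with both reasons. The domain comparison is deliberately simple (last two labels), so it should be treated as a classroom illustration of the hover-before-you-click rule rather than a substitute for a mail gateway's link analysis.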
A similar intrusion can occur when ransomware takes control of employee computers at work or at home. Ransomware encrypts systems to prevent an individual or health care organization from accessing its own system unless payment is made (Snell, 2016). Students need to be taught the following safe online behaviors:
* Install trustworthy antivirus software with a firewall on all computers, smartphones, and tablets.
* Use two-step verification when logging into websites. Watch the video found at https://www.youtube.com/watch?v=UVanCLIx2Aw&feature=youtu.be to learn how to protect your Google account with its built-in authenticator. Learn how to secure your online accounts by following the directions found at https://www.pcmag.com/feature/358289/two-factor-authentication-who-has-it-and-ho (Griffith, 2019) or download two-step authentication software such as Twilio Authy, Duo Mobile, SAASPASS, and LastPass Authenticator.
* Beware of pop-ups asking to log into a site or offering specific software to solve a "security problem" on your computer. Close the pop-up and run your virus protection software.
* Keep all operating systems updated because these patches fix holes in security.
* Keep a current backup of all files and restore data from the backup, rather than paying the hacker to unlock your data.
We need to teach students to avoid public Wi-Fi with their laptops and smartphones because cybercriminals can set up look-alike Wi-Fi networks. Hackers can capture anything that is sent through such a Wi-Fi connection, including user IDs, passwords, credit card numbers, and work files containing PHI. The best protection is to use a virtual private network (VPN), which encrypts the data as it is sent and received. A VPN also keeps browsing history, IP address, location, and all devices private, even from an Internet service provider (Swede, Scovetta, & Eugene-Colin, 2019).
UNAUTHORIZED ACCESS/DISCLOSURE
Unauthorized access or disclosure of PHI is still a problem in many health care organizations. The Washington Health System in Pennsylvania suspended six employees for snooping into a medical record of an employee who was killed after being hit by a car (McGee, 2018). Unauthorized access is a direct violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to HIPAA training, nurse educators must teach students about levels of access, audits, and the consequences of violating the laws that protect citizens against unauthorized access into PHI (Swede et al., 2019).
THEFT OR LOSS/IMPROPER DISPOSAL
Theft or loss of laptops, tablets, or smartphones creates another opportunity to expose PHI. It is surprisingly common for employees to misplace their devices that contain work information, including access to cloud-based files (Reinicke, 2018). Even though encryption of laptops is a common safeguard, many organizations do not require encryption of work or home devices.
In June 2019, Chicago city employees found boxes of medical records from the Medical Professional Home Healthcare Center after it failed to properly dispose of the paper documents (Credentialing Resource Center, 2019). Under HIPAA, the health care organization is responsible for ensuring compliance with 45 CFR 164.530(c), including having policies, procedures, and training on disposal (OCR, 2015). Even though most nurses are not typically in charge of record disposal, they should be aware of proper disposal methods.
Today's students must not only be prepared to deliver safe nursing care but must also know how to safeguard PHI. This responsibility is serious, and educators can plan learning activities to embed these skills with other clinical skills or teach data security practices within HIPAA modules.
REFERENCES