cmsa.org | cmsatoday.org | December 2015

Cybersecurity for Case Managers: Responsibilities of Individual CMs


Pat Stricker, RN, MEd
Senior Vice President
TCS Healthcare Technologies

Cybersecurity is an ever-increasing reality that every industry is grappling with (banking, business, education, government, and healthcare). In addition, cyberattacks are getting much more sophisticated and causing more damage than before. In 2014 healthcare was at the top of the Breach List with 42.5%, while other industries ranged from 5.5% to 33%. In the 2015 Breach study, which was just released this week, business has taken over the top spot with 40.1% of the breaches, while healthcare has dropped to second place at 35.2%. The other industries (education, government/military, and banking/credit/financial) range from 7.6% to 9.2%. While healthcare’s percentage of breaches has dropped, the number of records involved (121,603,514) far exceeds the other industries, which range from 759,600 to 34,220,850 records. The 10 largest breaches alone involved 110 million people (1/3 of the U.S. population)!

The cost to handle cyberattacks and security breaches in 2015 is also staggering: $37 billion! That is more than the $30 billion spent to digitize medical records since the HITECH Act was passed in 2009. Cybersecurity is a critical issue that needs everyone’s attention. For more detailed information on the impact and reasons for the large number of healthcare cybersecurity breaches, refer to last month’s article, Cybersecurity for Case Managers: Background and Impact.

What can be done to counteract this disturbing trend? At a national level, the National Institute of Standards and Technology, part of the Department of Commerce, is working on updating the "Framework for Improving Critical Infrastructure Cybersecurity" to make the nation’s critical infrastructure more secure. Each industry, organization, and information technology department is also working tirelessly to improve its infrastructure and security procedures. Smaller organizations are using the "Small Business Cybersecurity Guide" to develop best practices that will keep them, and their patients’ information, safe. But what are YOU doing to reduce cybersecurity risk? Many of you may be saying, "What can I do? I’m only one individual. Security is the responsibility of my IT department or organization." WRONG!

A system or network is only as good as the weakest link. The IT department can have the strongest security measures in place, but unfortunately system users are usually the weakest link. According to Experian Data Breach Resolutions, 80% of the incidents occur due to employee negligence. IBM research puts that figure even higher, showing human error accounts for 95% of all security incidents. These can include IT errors or omissions, loss of laptops, providing PHI to an unauthorized individual, etc.

All of us are responsible for a myriad of actions that can impact the security of our organizations. Specific cybersecurity practices must be in place and followed by all staff members to provide the minimum level of protection to mitigate threats and vulnerabilities for a system or network.

Let’s take a look at the Top 3 Security Threats to the Healthcare Industry and specific responsibilities that you have control over.

Theft and Loss (46% of security incidents) – laptops and mobile devices

  • Avoid using mobile devices where they can be easily stolen.
  • Be extremely careful to guard against loss or theft.
      - Make sure they are out of sight in your locked car or, better yet, put them in your locked trunk.
  • When leaving a meeting room or office unattended, turn off the computer, use cables that lock the device to a large immovable object, and lock the room.
  • At night, remove portable devices from their docking stations in offices and lock them in a desk drawer or cabinet.
  • Carry laptops and mobile devices in something other than an identifiable computer case.
  • When flying, watch your devices closely. If possible, leave them in the bag. This will reduce the likelihood of the device being stolen or left behind in the screening area.
  • Place unattended mobile devices in the room safe when leaving a hotel room.
  • Ensure devices are encrypted. If they are not, talk with your supervisor or an IT team member to request encryption to protect the PHI, your organization, and yourself. If a device is encrypted, the data is secure, so its loss is not a reportable breach situation.
  • Use software that instructs computers to "phone home" to report their location in case they are lost or stolen, e.g. Find My iPad.
  • If you are a member of management:
      - If you need to use mobile devices, refer to the "Mobile Device Security" practice brief for information on legal and regulatory requirements and best practices.
      - Ensure that all laptops and mobile devices are encrypted. That way, if they are lost or stolen, the incident is not considered a breach, since the data is secure. This is a critical factor in securing the data and reducing the number of breach occurrences.
      - Provide carrying cases (that do not look like computer cases), locking cables, alarm systems, tracking devices, and remote-erase capabilities.

 

Insider misuse (15% of security issues) – intentional or unintentional actions that damage a system or lose data

  • Attend all security trainings and keep yourself updated on security issues. Make sure you can recognize the signs of a potential breach.
  • Be aware of and follow all security policies and procedures to ensure best practices and reduce risk.
  • Develop a strong password and update it regularly. It should contain a combination of upper- and lower-case letters, numbers, and symbols.
      - Hint: A password is stronger and harder to break if you use the first letter of each word in a phrase or sentence that means something to you, rather than just a word. Capitalize letters in the middle of the phrase, not the first word as in a sentence. For example, "When I was 10 I lived on Lakeside in Columbus" becomes "wiw10iloLiC". Use the symbol "!" for the "I" and it becomes "w!w10!loLiC". It looks hard to remember, but it really isn’t.
  • Change passwords at least every 60 to 90 days or as required by your organization’s policy. Password changing is a critical factor in maintaining secure systems.
      - Hint: When changing the password, in the above example you could simply change the age to 11 or change the name of the street or city each time. Having a planned process for changing passwords makes it less stressful and easier to remember your password.
      - Use an electronic vault that keeps track of passwords, or develop your own system for remembering them.
      - Do not share passwords or write them down on sticky notes on the computer.
      - Do not use anyone else’s password.
      - Request single sign-on authentication, which makes it easier for staff to log on because they only have to remember one password instead of one for each application.
  • Update your applications, programs, security software, and devices as soon as an update is available. Updates usually contain fixes for bugs or known vulnerabilities.
  • Be sure to report any spam, unusual activity, or "weird things" happening on your computer to your supervisor or IT department.
  • Remind co-workers if you notice they are not following security policies, and report any suspicious activity that you may be aware of. Examples include co-workers sharing passwords, or viewing records or talking about patients they are not directly involved with.
  • Make sure your data is backed up on a routine basis, e.g. daily or weekly.
  • Use software that routinely scans your email and computer for threats, e.g. viruses or malware.
  • If you are a member of management, ensure that the above suggestions, tools, software programs, and processes are available.

 

Unintentional actions (12% of security incidents) – actions that directly compromise patient information

  • Do not access any data that you do not have a right to view, e.g. records of friends, neighbors, co-workers, or celebrities/VIPs.
  • Keep PHI out of sight of those who do not have authorization to view it. For example:
      - Don’t leave records/files or appointment calendars on a desk where others may see them.
      - Position computer screens so they are not visible to others.
  • Shut down and lock computers and devices when not in active use. I know this seems like a bother, because you have to sign back in. However, it is an essential security safeguard, not only for PHI protection, but for safeguarding access to the system.
      - Set up a screen saver that activates if the computer is not used for 5-10 minutes.
      - Use an automated process that logs you out of your computer if it is not used for "x" minutes, as required by your organization.
  • Do not provide patient information via mail, email, fax, or direct communication to the wrong person (e.g. because the address is incorrect) or to someone who does not have authorization to receive it, e.g. a family member, significant other, other healthcare provider, or third-party entity.
      - Verify that the individual or organization is authorized before sharing any PHI or data.
      - Do not discuss a case where others may hear you, e.g. in an elevator or hallway.
  • De-identify PHI and sensitive information, according to your organization’s policies and procedures, when sharing hard-copy or electronic records for data analytics, auditing, research, reporting bugs to third-party vendors, etc.
  • Lock hard-copy records in a secure location and restrict access to only those who are authorized to view them.
  • Double-check that records are saved in the correct drives/folders so they can be found again and others do not have inadvertent access to misplaced files.
  • Keep only those records that you need. While healthcare records are usually not deleted, occasionally there may be duplicates or unneeded information. Minimize the number of documents and the places they are stored. Develop a process to track what you have and where it is stored.
  • Follow policies and procedures when you need to remove patient information, files, or sensitive data from physical filing systems, laptops, mobile devices, media, flash drives, and computer systems. PHI must be rendered unusable, unreadable, or indecipherable.
      - Shred paper files containing PHI or sensitive data.
      - Use electronic shredder tools to delete electronic files. Simply deleting files is not adequate, as it still leaves the information on the computer.
      - Do not put PHI on your laptop or mobile devices if possible. If it is required, request that they be encrypted.
  • Strictly follow encryption policies and procedures when sending PHI or sensitive information in emails or saving it to storage devices, disks, or flash drives.
  • Do not post text, pictures, or information about what happens at work on social media or in a personal blog, even if you think it is just generic. It could be considered a breach!
  • Do not take PHI from one employer to another. For example, if you are moving to another organization (CM to Home Health) that also handles a specific population of patients and you know your patient will be in that group, do not take any information with you, even if you think it will help you manage the patient’s case. (You are probably thinking that example would never happen! Well, it did, and the organization was fined and the nurse lost her job.)
  • Do not use a work computer for personal use, e.g. email, checking Facebook, shopping on the internet during lunch, etc. (We will discuss this issue in more detail next month.)
  • If you are a member of management:
      - Schedule routine security training sessions. Provide information that is pertinent to staff members and their roles, so they will be more engaged in the training and more likely to follow the policies and procedures. A well-educated staff is the best line of defense.
      - Monitor the staff’s use of PHI (who is viewing it and why).
      - Do not give access to temporary employees or vendors until you verify they have signed business agreements.
      - Develop standard policies and procedures describing how to de-identify PHI in records used for analytics, research, or sharing with vendors to resolve bugs. Monitor staff to ensure they are aware of and following these procedures.
      - Immediately deactivate all passwords for employees who have left or been terminated. Breaches have occurred from ex-employees accessing records after they left the organization.
      - Ensure that all data is completely removed from computers that are being decommissioned or reassigned to another employee.
      - Request encryption for all laptops and mobile devices that contain PHI. This is a critical requirement.
      - Request that mobile devices be set up with a "purge" process that does not store data when the mobile access session is closed.
      - Develop a new numbering system as soon as possible if the patient ID contains a Social Security number.

Have I convinced you yet that security is not just an IT function? Sure, IT does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards that support the business objectives. However, I hope the long list of items above that you have control over has convinced you that you are also responsible and accountable for cybersecurity. This realization, that all employees are "stewards of security", empowered and accountable for security, helps create a culture that is essential in raising awareness and reducing security incidents.

Privacy and security experts say the new question in healthcare isn't if an organization will be breached but rather when. In addition, statistics show that system users are responsible in some way for 80-95% of the security incidents. So make sure you are not the one responsible for a breach. Be diligent in following security policies, procedures, and best practices and become a good steward of security.

We’ve looked at a lot of practical items that you can do to follow security policies, procedures, and best practices, but, believe it or not, we are not finished yet. Next month we will discuss ways you can help reduce the potential for incidents related to phishing, the use of electronic medical devices, and the "internet of things" (that should be fun!).

Have a wonderful Holiday Season!

Pat Stricker, RN, MEd, is senior vice president of Clinical Services at TCS Healthcare Technologies. She can be reached at pstricker@tcshealthcare.com.
 
 
