Published in The Business News on January 9th, 2023
Back in the Nineteen-Eighties, George Carlin made a joke about doctors: “Do you realize that somewhere in the world is the worst doctor? Has to be, process of elimination, sooner or later you’re gonna find the WORST doctor. And the weird part is that… SOMEONE has an appointment to see him TOMORROW.”
I was a teenager when I saw Carlin on Carnegie (1983) and I remember that joke verbatim. Carlin was the best. Of course, the joke is still true today, but today there is a lot more to worry about with the medical industry than the competence of your doctor.
I received a letter in the mail last week from a law office, informing me that a clinic I visited was the victim of ransomware, and that the clinic failed to disclose its data breach. HIPAA’s breach notification rule requires covered entities to notify patients when their protected health information (PHI) is impermissibly used or disclosed (“breached”) in a way that compromises the privacy and security of the PHI.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Ransomware: This is malicious software that infects a computer system and then threatens to publish the data from that system, or permanently block access to it, unless a ransom is paid.
So, this particular clinic did not establish the proper (and federally regulated) security measures needed to protect itself and its patients’ personal and private health information. They got hacked, chose to hide that they were hacked, then got sued for 3.75 million dollars. George Carlin had seven words (that you can’t say on television) that could be used to describe this medical business’s behavior.
And what’s scarier than someone going to the worst doctor in the world is that this behavior is not uncommon. Like all businesses, many medical clinics ignore their HIPAA obligations to avoid the costs required to keep our data safe. This isn’t about one person going to one incompetent doctor. This is about all of us going to many medical facilities that knowingly choose to put our data at risk, because they don’t want to spend the money to protect us and our data.
What Can You Do?
So, what can you do? That’s just the way it is… right? Sort of… you have to go to the doctor, and you can’t exactly ask for a look under the hood of their IT systems; HIPAA protects against that (ironically). What you can do is ask for a report on when and why your health information was shared. That won’t automatically show whether they were breached, so also ask if they have had a breach and what they did, or are doing, to protect their patients’ information. Ask them the questions that they should be asking their IT teams or providers:
Do you encrypt electronic patient health information in-motion, at rest, or both?
There should be two answers for this. “In-motion” data is data being transmitted over a network, often an unsecured one. For example, the doctor could be reviewing electronic records while at home or on his/her smartphone. “At-rest” data is stored data, such as files and databases, that is not currently being transmitted or used.
When did you last test your business continuity and disaster recovery (BCDR) plans?
Not only should your medical provider have BCDR plans, but they should also ensure that those plans work effectively.
How do you dispose of electronic patient health information?
A number of data breaches have occurred because the data was not properly discarded or disposed of. Your medical provider should be able to identify how, when, and under what circumstances electronic patient health information is disposed of or destroyed.
How do you identify security breaches?
Most attacks that may result in a data breach are silent and require effort to detect, so what is your medical provider doing to identify them?
When is your next risk assessment?
Few industries move as fast as technology. Hence, the risks come fast and furious. Your medical provider should be performing risk assessments on a regular basis and making adjustments to keep data protected.
Somewhere in the world is the least secure medical clinic. And the scary part is that… someone has their personal health data on file with them RIGHT NOW. Don’t assume that a regulated industry is doing the right things to keep your data secure. As George would probably say, your security is your own $#@&*^%$ responsibility.