Page 20 - HMEB Business, February 2017

Data Security for HME Providers
“Ransomware is prevalent in the healthcare industry because hackers can get a premium price if they know lives are at stake, especially in a hospital ER where down systems mean lives could be at risk. One defense to traditional ransomware attacks is to restore files from a backup, which can take hours to complete. Paying a fine is often less invasive when time is of the essence to repair the issues.”
— Jeremy Kauten, VGM Group Inc.
The issue of mobile security is creeping up quickly, according to Kauten.
“More and more, work is being performed on a phone, tablet or laptop,” he says. “As technology evolves, remote work is expected to compete in today’s market place and the portability of patient data on these devices is at risk. Many companies have not had time to keep up with technology changes in order to elevate their policies and procedures to handle these devices properly.
“BYOD is a technical acronym for Bring Your Own Device,” he continues. “BYOD is referenced when an employee wants to use their own phone, tablet or computer to conduct work for a company. Many times it is argued that an employee doesn’t want to carry two devices. When this is the case, companies are at risk of what an employee does on a device that the company does not own or maintain security for. This is something that HME providers should address before it happens to them.”
Also, providers need to attend to physical security. We often forget that some of the biggest hacks in recent history began with someone finding useful information after sifting through a dumpster.
“Many companies take time to secure technical items but often overlook the tangible items, such as paper files, access to equipment and the ability for an employee to take pictures of secure software via a smart phone,” Kauten says. “Keep in mind that a data breach doesn’t always mean it took place electronically. Losing patient records during a move or other scenario is just as impactful.”
And in the same way a system can get hacked, so can a person. All it takes is one employee clicking on a shady email attachment to start a whole avalanche of IT trouble.
“Even with all of the proper protection mechanisms, people can be tricked into doing things they shouldn’t do on their computers and phones,” Kauten says, adding that training is critical at his company. “Employee security training is a must. VGM requires all employees to go through security training. We routinely run tests to see if our employees can be tricked into clicking on an email or phone call. When someone is tricked, it normally means they have not completed all of the security training.”
Best Practices for HME Data Security
So how do providers get started when it comes to protecting their data? VGM’s Kauten suggested that providers start with addressing three key aspects of their security: infrastructure, devices and humans.
“The HME provider infrastructure, which comprises computer systems and computer networks, must be protected by proper firewalls, anti-virus software, web filtering, email filtering, access levels and software used to store patient data,” he says. “Normally this is managed by an internal IT department or external IT consultant. Software systems, such as billing software or patient management software, are another element of risk. Most providers use cloud or hosted software and rely on their software vendor for security, which is great, but don’t let it stop there. Your network needs to be able to protect files locally as well as access to your software that is hosted elsewhere.”
Next, each device that connects to a provider’s network is another possible opening, so providers must ensure those devices are secure.
“Phones, tablets, computers and laptops all typically access the infrastructure and at some point contain patient data or access patient data,” Kauten says. “Software updates and proper protection on devices are crucial to protecting data. Many small businesses do not have proper protection on mobile devices, including laptops.”
Next, a provider must focus on its people. Sometimes the issue can simply be bad security habits, other times the issue can be more troubling.
“Unfortunately, the horror stories of data breaches often include employees,” Kauten says. “By simply clicking on an attachment or link in a malicious email, your employees can inadvertently open your business up to a significant financial loss. Another aspect of employees is the temptation to steal or sell valuable data. Background checks, policies and procedures with access levels are necessary to defend against getting breached from within your own organization.”
Kimberly Commito, director of product management for Mediware Information Systems Inc., agrees on the importance of networks being secured by firewalls and encryption.
In addition to ensuring that assets such as firewalls are secure and that the right training is in place, Mediware’s Commito says a review of partnerships and BAA agreements should be performed to address any concerns about the handling and sharing of PHI and appropriate compliance with HIPAA regulations.
She offers several bullet points in that regard:
“It is hard to say how many HME providers specifically have been subject to a breach; however, when the statistics say that a business unaware of how to protect itself against such threats are 60 percent more likely to get attacked and are furthermore subject to large fines when this happens, they must begin to put forth effort to protect themselves.”
— Kimberly Commito, Mediware Information Systems Inc.
Additional Security Resources
You can learn more about VGM Group Inc.’s cyber security training efforts at www.vgmsecure.com, according to Jeremy Kauten, CIO and senior vice president of IT for VGM Group Inc. The member service organization also started offering “cyber liability” insurance to help protect providers.
“Cyber liability can cover a business’ liability for a data breach,” he says. “We worked with various partners and set up cyber policies specific to the HME industry. Unfortunately, one stolen laptop, one zealous hacker, one virus or even one lost or misplaced document of patient data can create enormous financial and reputational consequences for your business.”
More information about cyber liability is available at www.vgminsurance.com/specialty-programs/hme-homecare.