Protecting patient privacy

DermWorld offers six key tips for cultivating habits to improve cybersecurity in your practice.

By Andrea Niermeier, Contributing Writer, February 1, 2024

Viruses, infections, safety plans: these days health care workers use these words not only to discuss patient wellness but also to protect patient privacy. Protected health information (PHI) collected by health care practices and institutions is a treasure trove of high-value data. While last month we discussed the allure of physicians for identity theft schemes, the health care institutions they work in are also profitable targets for cybercriminals. In fact, cyberattacks on health care institutions are becoming increasingly problematic. In 2023, over 560 health care data breaches were reported to the United States Department of Health and Human Services’ Office for Civil Rights (OCR) — up from 280 in 2022.

Eric A. Packel, JD, a health care privacy attorney at Baker & Hostetler LLP, highlighted the appeal of PHI to criminals. “Unlike other points of information, health information is sticky. While a credit card can expire, PHI stays with the individual.” In addition, Packel noted that while physicians work hard to protect a patient’s privacy, their primary focus is on patient health and not necessarily the technical aspects of information security, something that cybercriminals can exploit. With more digital health technologies than ever before, Faiza Wasif, MPH, associate director of AADA Practice Management, explained that ransomware attacks have become more popular because physicians and health care entities need immediate access to patient data for care. “They are more likely to pay to regain control of their system, making it a lucrative endeavor for cybercriminals.” How can health care practices boost their immunity against cyber risks threatening both practices and patients?

Tip 1: Evaluate risks

Daniel Shay, Esq., health care attorney at Alice G. Gosfield and Associates, P.C., sees the benefit of operating from a position that something will go wrong and planning defenses accordingly. “Given the state of health care, the requirements of HIPAA, the way technology advances and human nature being what it is, physicians ought to assume that there is going to be improper disclosure at some point, even if it does not rise to the level of a breach from a legal perspective.” He noted that while a practice cannot reduce its chance of a breach to 0%, it can reduce the likelihood and minimize financial and reputational damage by having a plan in place.

For health care practices and institutions, this begins with a security risk assessment. Shay commented, “The OCR has taken the position that the security risk assessment is the foundational document for security compliance with HIPAA. If you do not have one in place, any policies and procedures that you have developed are based on hunches and gut instinct, not actual analysis.” A security risk assessment evaluates a practice’s physical space as well as IT infrastructure, including hardware, software, network, and operating systems.

While many practices get an initial security risk assessment, Shay explained that often businesses operate on outdated evaluations. He suggests redoing the assessment any time the security environment or infrastructure changes, for example, when updating operating systems, switching electronic health records (EHR) software, or adding a new type of mobile device. Changes in the physical space, such as security for onsite servers or the layout of the front desk area, are also reasons to reevaluate a practice’s security risks.

After the security risk assessment, a practice can then effectively develop policies and procedures based on the findings in the assessment. These may include personnel PHI access limitations, strong password policy, as well as procedures for logging in and out of EHR and secure platforms.

Tip 2: Prevent infection using a firewall

Unless a small practice uses an EHR system totally disconnected from the internet, part of the policy developed after the security risk assessment will include firewall requirements. Similar to the way physicians stress prevention to keep patients healthy, cybersafety begins with thwarting infection. Firewalls prevent intruders from entering a system by inspecting all messages that come into it from either a local network or the internet. This layer of security decides, according to predetermined criteria, whether the message should be allowed in or blocked.

Firewalls come in two forms: a software product and a hardware device. Pre-configured software products can be downloaded with basic settings. Many times, this software is included with popular operating systems, so it is already active once the system is installed. However, practices can also purchase separate firewall software. Hardware firewall devices require IT expertise and are often used by large practices that have a Local Area Network (LAN). The hardware sits between the LAN and the internet, providing centralized management of firewall settings and ensuring that these settings are uniform for all users.

Tip 3: Control infection with anti-virus and HIPAA-compliant software

One way that cybercriminals compromise computers is through viruses and other code that exploit vulnerabilities on a machine. Installing and maintaining anti-virus and HIPAA-compliant software on all phones, tablets, and computers can help stop a breach from reaching PHI. Medical staff should never use unsecured Wi-Fi or communicate PHI through general texting or email applications, as these do not usually provide the required level of encryption. Common HIPAA-compliant text software includes TigerConnect, OhMD, DrFirst, and Spok. To encrypt emails, Office 365, GoDaddy, or Virtru add-on extensions for Gmail or Microsoft Outlook can be used. G Suite by Google is also a possibility if used with a third-party vendor to make it HIPAA compliant.

With several software options available, medical practices need to ensure some minimum requirements. Access to PHI should be limited to authorized users who require the information to do their jobs, and those with authorization must authenticate their identities with a unique, centrally issued username and PIN. In addition, a system should be implemented to monitor the activity of authorized users when accessing PHI. To make PHI unusable if it is intercepted in transit, data transmitted beyond an organization’s internal firewall needs to be encrypted.

Some practices, especially smaller ones without an IT department, may contract with third-party providers to supply the hardware and software protection they need. However, Packel warned, “A practice really needs to be aware of who they are hiring and what services they provide. For example, are they responsible for doing regular updates or backups? Is their job just to keep the network running? Do they have recommendations for upgrading the system? Practices should not let business agreements with those vendors operate on autopilot.” While updating software and equipment can come with hefty price tags, Packel emphasized that budgeting to maintain minimum best practice standards such as encryption and multi-factor authentication is essential to protect both patients and practices.

Reporting a breach

With the increase in security breach attempts, it may not be an “if” but “when” you experience a breach of unsecured protected health information at your practice. Follow these guidelines to minimize damage and ensure you are meeting the requirements of the HIPAA Breach Notification Rule:

  • As a HIPAA-covered entity, the practice must notify affected individuals in written form within 60 days of discovering a breach of unsecured PHI. This can be by first-class mail or email, if the affected individual has agreed to electronic notices. The notice should include a brief description of the breach, the types of information involved in the breach, the steps individuals should take to protect themselves, as well as what the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches. Contact information for the practice should also be added.

  • If the breach involves fewer than 500 records, the practice must report it to the U.S. Department of Health and Human Services (HHS) within 60 days of the end of the calendar year by electronically submitting a breach report form. Small breaches usually do not trigger HHS investigations, and they are not publicized by HHS.

  • If the breach involves 500 records or more, the practice must report it to the secretary of HHS within 60 days of the breach discovery by electronically submitting a breach report form. HHS will then post a public notice of the breach on its reporting portal. The practice must also inform local media, often through a press release to appropriate media outlets serving the affected area, within 60 days following the discovery, and include the same information required on the individual notice.

  • If the number of individuals affected by a breach is uncertain at the time of submission, the practice should provide an estimate. If it discovers additional information, it should submit updates via the same electronic notification process.
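The deadlines in the four bullets above depend on only two facts: the discovery date and the number of affected records. As an added illustration (not from the article or the AAD), here is a small incident-response helper that derives those deadlines from the rule as the article summarizes it; the function name, the dataclass, and the sample dates are assumptions, and a practice should still confirm the details against the Breach Notification Rule itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the article: 500 records splits "small" from "large" breaches,
# and every notification window is 60 days.
HHS_LARGE_BREACH_THRESHOLD = 500
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass
class BreachNotificationPlan:
    individual_notice_by: date          # written notice to affected individuals
    hhs_report_by: date                 # electronic breach report form to HHS
    media_notice_by: Optional[date]     # only required for 500+ records
    hhs_posts_public_notice: bool       # HHS publishes large breaches on its portal
    estimate_requires_update: bool      # count was an estimate: resubmit when known


def breach_notification_plan(discovered_iso: str, affected_records: int,
                             count_is_estimate: bool = False) -> BreachNotificationPlan:
    """Derive HIPAA breach-notification deadlines from an ISO discovery date and record count."""
    if affected_records < 0:
        raise ValueError("affected_records must be non-negative")
    discovered = date.fromisoformat(discovered_iso)
    # Individuals are notified within 60 days of discovery regardless of breach size.
    individual_by = discovered + NOTIFICATION_WINDOW
    if affected_records >= HHS_LARGE_BREACH_THRESHOLD:
        # Large breach: HHS and local media within 60 days of discovery; HHS posts it publicly.
        hhs_by = discovered + NOTIFICATION_WINDOW
        media_by = hhs_by
        public = True
    else:
        # Small breach: report within 60 days of the END of the calendar year of discovery.
        # timedelta handles leap years, so a breach found in late 2023 lands on 2024-02-29.
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + NOTIFICATION_WINDOW
        media_by = None
        public = False
    return BreachNotificationPlan(individual_by, hhs_by, media_by, public, count_is_estimate)


if __name__ == "__main__":
    # Constructed sample incidents, not real breaches.
    print(breach_notification_plan("2023-11-15", 120))
    print(breach_notification_plan("2024-03-01", 2000, count_is_estimate=True))
```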

Tip 4: Develop a culture of safety

While technology certainly can help prevent data breaches, protecting PHI is ultimately about developing a culture of safety. Packel believes that this culture begins with top administration modeling and valuing this priority. He noted that appointing someone to foster and build this value — whether a compliance officer, internal legal representative, or office manager — is important for a successful program. Wasif agreed, commenting that “a dedicated compliance officer ensures a committed and expert approach to navigating the complexities of health care regulations while fostering a culture of accountability and continuous improvement meeting regulatory requirements.”

One important reason for a point person is to combat complacency, Shay said. “As a general matter in the world of compliance, most of the time people will say that you should have policies and procedures in place. What they don’t often say is that you should also be living by them. While this is assumed, people often do not follow procedures.” These policies and procedures are only as effective as the workplace training that accompanies them. “That is where you really build a culture of safety, or rather a culture of awareness.”

Part of the challenge of developing vigilance is instilling the value of thinking twice. Shay recalled a situation in which a health care employee posted a picture of a gift from a patient on a social media account but failed to realize it was sitting on a charge sheet. He acknowledged that impulse control is important to emphasize since health care companies realistically cannot block all websites and apps on employees’ phones. “The technical barriers are not the end of the discussion — the real thing is creating this culture, training people to think about this.”

Even though quickly emerging technology like ChatGPT may be enticing to physicians who want SOAP notes with a few clicks of a mouse, Packel warned that not giving pause to fully understand these kinds of programs can lead to improper disclosures. “In the public version of the program, if you enter PHI into a chat, you are essentially putting the information on someone else’s server, which is a disclosure of PHI to an unauthorized third party. If practices bring an in-house version of this technology into their company, those using it need to be properly trained.”

In addition to vigilance, open lines of communication are another hallmark of a healthy safety framework. Wasif elaborated that “an environment where employees feel comfortable reporting potential security incidents and staying updated on the latest security measures helps to establish a proactive and security-conscious culture.”

Tip 5: Emphasize continuous learning and improvement

Developing cybersecurity literacy in staff is most effective as part of a dynamic and interactive training program. Shay noted that real-life examples are important as employees become less engaged clicking through a HIPAA presentation that they have seen multiple times. “Really try to show problematic (fake) PHI in context, in an office selfie for example. Make it interactive. While some things are going to be obvious to some people, others will realize things that they would miss. Keeping it fresh can help people pay attention and think twice.”

Acknowledging potential barriers to following policies and procedures and addressing those issues are also important during training. For example, the drive for simplicity and efficiency may potentially affect security compliance. Shay recounted a group of health care professionals who had gotten into the habit of not logging out between users in order to save time in a fast-paced practice. “While time management may be something as an organization that you need to examine, from a security compliance perspective, an organization cannot let maintaining efficient workflow bleed to people misusing the system. If the culture of the place is to be lenient with best practice and policy, that organization can expect improper PHI disclosure at the very least.”

Not only is the quality of training important for maintaining security awareness; the frequency of training also matters. While organizations often review how to handle PHI once a year, Packel, Shay, and Wasif all acknowledge that this is just a baseline. “We see a lot of our clients routinely send out simulated phishing exercises throughout the year because employees responding to phishing emails are one of the worst problems when it comes to securing data, regardless of your technical security methods in place,” Packel noted.

Shay suggested retraining an employee any time their environment or duties change. For example, new software can bring with it new security risks or ways HIPAA information gets moved around. In addition, taking on a new position may include new responsibilities and different levels of access or permissions. Employees should understand what is appropriate to do with the access they have, the ways in which they will interact with PHI in their position, and how to keep patient information safe in those contexts. Making the effort for more specialized HIPAA training as circumstances dictate may save an organization from a breach.

Tip 6: Use available tools and resources

The Academy provides HIPAA tools and resources that medical practices can use to help safeguard patient data. These include the compliance manual “A Guide to HIPAA and HITECH for Dermatology” as well as part of the eCompliance series “HIPAA Training for Medical Offices,” both available at the AAD Store. Additionally, members have access to the HIPAA resource center for updated information, a HIPAA check-up tool to help assess security deficiencies, and a HIPAA checklist for electronic messaging.

Regular risk assessments and staff training, clear and documented policies and procedures, robust cybersecurity measures, secure EHR systems, a culture of vigilance and accountability, open communication channels, and a commitment to staying updated on evolving HIPAA regulations all can help safeguard patient data. Unlike 20 years ago, PHI is now aggregated in one place on servers and databases. Wasif emphasized, “Keeping up with compliance requirements and prioritizing privacy and safety is more crucial than ever for dermatology practices, especially with the rapid expansion of innovative technologies and their interconnectivity. With the convenience of technology comes the responsibility to ensure robust cybersecurity measures, heightened privacy protections, and continuous compliance efforts.” In a time when high-value personal information is often stolen and sold, helping a patient goes beyond a diagnosis and prevention or treatment plan: It also requires a strong commitment to handle carefully and discerningly all that a patient puts into the hands of their trusted physicians.