Inexpensive Actions Against Expensive Data Breaches

Although numerous data breaches have exposed sensitive patient information over the past year, few gained as much attention as the 2017 incident that compromised millions of electronic health records (EHR) in the United Kingdom. That data breach came as the result of the WannaCry virus, which effectively blocked hospital staffs from getting into their EHRs at a number of British hospitals and medical practices, holding the information for ransom. The snafu created panic among practitioners as they attempted to manage patients’ conditions without having access to vital details on medications, allergies, surgical histories, and so on.

The UK’s National Health Service computers were vulnerable to this type of attack because so many of them were still running Windows XP, an outdated operating system. But it needn’t have happened if decision makers responsible for the security had installed a security patch from Microsoft that had been issued a few months earlier. This mishap is only 1 of many that could be prevented if hospitals and medical practices applied some basic preventive measures to shore up their computer networks.

Although these measures may involve considerable costs to healthcare providers, over the long term, it’s far less expensive to invest in strong encryption tools, employee training, and a detailed risk assessment than it is to spend what often amounts to millions of dollars on Health Insurance Portability and Accountability Act (HIPAA) fines, class-action lawsuits, and loss of business from a damaged reputation.

In Protecting Patient Information, I spell out many of these basic precautions, including the creation of easy-to-remember but hard-to-crack passwords.

Clinicians and administrative staff should never be allowed to choose simple words or names as passwords because hackers have password cracking software that can run through virtually every word in the dictionary in a matter of minutes. An alternative is to think up a phrase that’s easy to remember: For example, “I live at 324 Grand Avenue,” and then convert it to initials: IL@324GrandAvenue. Of course, it’s best to choose an old address, not a current one that’s easily found by the public.

And on the subject of passwords, 1 of the things staffers should never be allowed to do is write them on a sticky note that is then stuck to the monitor. If auditors from the Department of Health & Human Services’ Office of Civil Rights ever come by for an inspection, that will spell trouble.

Another key to protecting patient data is training staffers to avoid the phishing scams that let hackers gain access to protecting patient information.

The scammers are tricky, but a few common-sense precautions can help staffers spot the tricksters.

^{Paul Cerrato has more than 30 years of experience working in healthcare and has written extensively on clinical medicine, electronic health records, protected health information (PHI) security, practice management, and clinical decision support. He has served as Editor of Information Week Healthcare, Executive Editor of Contemporary OB/GYN, Senior Editor RN magazine, and contributing writer/editor for the Yale University School of Medicine, and the American Academy of Pediatrics. The Healthcare Information and Management Systems Society (HIMSS) has listed Cerrato as one of the most influential columnists in healthcare IT.}