The most common types of data breaches in nursing and residential care facilities (NAICS 623) are related to misuse or paper copies of records, according to Verizon’s “2018 Protected Health Information Data Breach Report.” The good news is that there are steps the industry can take to lessen the chances of a breach occurring, a cyber security expert tells McKnight’s Senior Living.
“Misuse” offenses could include looking at records without a business need (for instance, because the resident is famous or infamous), sending unnecessary resident records along with necessary ones or not minimizing the data displayed on a screen to just what is necessary to be viewed, said John Barchie, a senior fellow with Arrakis Consulting.
“Misuse is generally initiated with malicious intent — or at least the intent to satisfy curiosity — but some systems over-collect and over-report information, exposing patients needlessly,” he said. “It is possible, for example, to require a practitioner to state the business case prior to opening a patient record, and it is also possible to limit the field a practitioner reviews for a given task, but this requires a level of sophistication that records-keeping software generally does not employ or that is not employed because the custodians or data-owners don’t want it ‘interfering’ with patient care. The level of security necessary to reduce misuse through technical controls is a trade-off between ease of use and security.”
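The two controls Barchie describes, a stated business reason before a record opens and a view limited to the fields a task needs, can be sketched as follows. This is an added example, not code from the article or from any records-keeping product; the task names, field names, sample record and 10-character minimum reason length are all assumptions.

```python
from datetime import datetime, timezone

# Hypothetical task-to-field map: each task sees only the fields it needs.
TASK_FIELDS = {
    "medication_round": {"name", "room", "medications", "allergies"},
    "billing": {"name", "insurance_id", "billing_address"},
    "meal_service": {"name", "room", "diet", "allergies"},
}

# Constructed sample record; not real resident data.
RECORDS = {
    "r-1001": {
        "name": "Sample Resident", "room": "12B", "diet": "low sodium",
        "medications": ["lisinopril 10 mg"], "allergies": ["penicillin"],
        "diagnoses": ["hypertension"], "insurance_id": "INS-000000",
        "billing_address": "1 Example St", "ssn": "000-00-0000",
    },
}

AUDIT_LOG = []  # in production: append-only storage the application cannot edit

class AccessDenied(Exception):
    pass

def _audit(user, record_id, task, reason, outcome, fields=()):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "record": record_id, "task": task,
        "reason": reason, "outcome": outcome, "fields": sorted(fields),
    })

def open_record(user, record_id, task, reason):
    """Return only the fields the task needs, and log every attempt."""
    reason = (reason or "").strip()
    if task not in TASK_FIELDS:
        _audit(user, record_id, task, reason, "denied: unknown task")
        raise AccessDenied("unknown task")
    if len(reason) < 10:  # assumed minimum; rejects empty or token reasons
        _audit(user, record_id, task, reason, "denied: no business reason")
        raise AccessDenied("a business reason is required")
    record = RECORDS.get(record_id)
    if record is None:
        _audit(user, record_id, task, reason, "denied: no such record")
        raise AccessDenied("no such record")
    view = {k: v for k, v in record.items() if k in TASK_FIELDS[task]}
    _audit(user, record_id, task, reason, "granted", view.keys())
    return view
```

Denied attempts are logged as well as granted ones, so a reviewer can see who tried to open which record, for what stated reason, and which fields were actually shown.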
The second-most common types of breaches in nursing and residential care facilities occur in the “physical” category, according to the report. These breaches can happen when someone prints out medical data, prints out extra copies of a record or does not properly dispose of any extra copies that are printed out, Barchie said.
“At this stage, almost everything can be performed electronically, for a cost,” he said. “Where such a cost is undesirable, extra effort, shred bins, locked records rooms, etc., should be amply supplied.”
Barchie said he isn’t surprised that these types of breaches are the most common in senior living and care.
“Background checks and proper technical monitoring can be used to combat this exposure. The technology is there, but it is an add-on to existing records-keeping software,” he said. “Thus, it is an added expense at a time when nursing and care facilities are experiencing other financial stresses. The organizations as a whole need to lobby the software providers for tools to help minimize the ability for records abuse and the need for hard copy.”
Nursing and residential care facilities, Barchie said, may have an increased risk of damage to their reputations when a data breach occurs, compared with other businesses, because they tend to be smaller operations. “The tools are there to combat internal malicious intent, but they may not be cost-effective for organizations in the 623 category,” he said. “This is something the organizations as a whole, through their trade associations, can ask software developers to address.”
Additionally, Barchie recommended that senior living operators follow the HIPAA Security and Privacy Rules and perform background checks. “Generate a risk assessment to identify the areas of greatest risk, and put some controls around that,” he added.