Counselors are Doomed: Client Privacy and PHI in the Electronic Age
Last week, my wife, daughter and I visited the Smithsonian National Museum of American History, in Washington, DC. In taking a history tour of U.S. presidents, an exhibit about Richard Nixon stood out. On display was a metal filing cabinet that had been pried open. An explanation nearby read, “The Nixon administration established a secret-operations unit known as the Plumbers. On September 3, 1971, they broke into the office of Dr. Lewis Fielding, Daniel Ellsberg’s psychiatrist. They were looking for damaging information…”
As I looked back at the torn filing cabinet, I thought, “back then, before everything was electronic, someone could break into an office and steal a patient’s file. Today, someone can break into a database and steal millions of patient files.”
- We Are Doomed…Because Data Is Electronic
- We Are Doomed…Because 2011 Brought the Worst Data Breaches of All Time
- We Are Doomed…Because of Standard Operating Procedures
- We Are Doomed…Even If We’re Flawless
- We Are Doomed…Because We Use Passwords
- We Are Doomed…Because Even Google Is Hacked!
- We Are Doomed…Because of Social Penalties
- We Are Doomed…Because of Civil and Financial Penalties
- We Are Doomed…Maybe…
As counselors, we care about our clients, and protecting client privacy is a priority. We make sure that our offices are soundproofed, we obtain signed permission before any Protected Health Information (PHI) is released, we challenge subpoenas for client records, and we dutifully “can neither confirm nor deny” whether so-and-so is a client. The trust we keep with our clients is sacrosanct. However, counselors today face a new challenge: securing electronic data and communications. And while counselors are responsible (and held accountable) for securing this electronic information, the resources available with which to defend it are inadequate.
A decade ago, people were worried about online security. Some even thought that electronic data would jeopardize people’s privacy, and increase susceptibility to identity theft. They were right! Today, it is estimated that 1 in 5 persons in the U.S. has been a victim of identity theft.
In 2009, Steve Ballmer, Microsoft CEO, described the need for better cyber security, stating, “The president needs to use his ‘bully pulpit’ to make sure businesses and local governments are protecting their data.” Despite new legislation that penalizes companies (and clinicians) who suffer a data breach, the situation poses a dilemma for clinicians because—while penalties are securely in place—ironclad methods for ensuring security are not available.
A report from the Privacy Rights Clearinghouse (PRC) notes 535 breaches in 2011, involving 30.4 million sensitive records (that’s a low estimate, as many data breaches go unreported). Here are some highlights:
Sony. Sony suffered more than 12 breaches in 2011, affecting over 100 million customer records, including passwords. Hence, any customer who reuses passwords is at future risk: hackers can try the stolen password against that customer’s non-Sony accounts.
Sutter Physicians Services. Data from Sutter Physicians Services was breached when a thief stole a desktop computer, which contained about 3.3 million patients’ medical details.
Epsilon. Moderate estimates put the number of customer email addresses stolen from Epsilon at 60 million.
Tricare. The medical and financial data of 5.1 million people were stolen from the car of a Tricare employee. The breach has led to a $4.9 billion lawsuit.
Nasdaq. Hackers accessed a cloud-based Nasdaq system called “Director’s Desk” that facilitates boardroom-level conferences for 10,000 executives. By monitoring communications, hackers had access to valuable insider-trading information (wouldn’t you like to be a fly on the wall during those conversations?).[i]
Some of the above breaches were the product of negligence (as in the case of unsecured data), and some were the result of sophisticated attacks. Still, both pose an important question: If Sony, NASDAQ, and Tricare can’t protect their data, can counselors in private practice be expected to do better?
Today, a clinician can be vigilant about PHI security and still fall short. One small error, such as losing a flash drive, failing to log out of a program, or forgetting to “blind carbon copy” an email, can lead to a serious HIPAA violation.
Indeed, even standard practices are risky. For example, if a practice receives an electronic fax that contains PHI, that fax typically arrives as an unencrypted email attachment and is therefore at risk. If a client sends an email asking for confirmation of their appointment time, a simple “yes or no” response could lead to a HIPAA violation, as you are identifying the person as a patient (and ordinary email is not encrypted end to end). According to Nancy Wheeler, JD, while it isn’t illegal to use email to communicate with clients, the clinician is liable if there is a security breach.[ii] Put simply, many of us are rolling the dice every day.
If you commit to never send an email, never receive an electronic fax, and to surgically attach your laptop to your, well, lap, therein making it impenetrable to theft, sorry…you’re still doomed.
One of the most common ways that hackers get into protected systems is by guessing the password (by the way, the most common password for businesses is “Password1,” which satisfies the industry-standard complexity rules: 9 characters including an upper-case letter and a number). Today, hackers can use brute-force techniques to simply cycle through all possible character combinations. This works at full speed because the attacker usually starts with a stolen copy of the system’s password hashes and tests guesses offline, where no login screen can lock the account. Even eight-character passwords, with more than 6 quadrillion possibilities, are short work. Using a $1,500 computer built with off-the-shelf parts, it took Trustwave (a security company) just 10 hours to harvest a cache of 200,000 passwords. Also, as part of Trustwave’s “2012 Global Security Report,” they tried to crack 2.5 million passwords. They came close, successfully cracking more than 2.1 million in their study.[iii]
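To make the brute-force mechanics concrete, here is an added Python example; it is not from the article or from Trustwave’s report. It runs an offline brute force against a constructed “stolen” store of unsalted SHA-1 hashes (hypothetical data), measures the guess rate, extrapolates that rate to the 6.6 quadrillion eight-character printable-ASCII passwords, and then checks “Password1” against the quoted 9-character complexity rule and a small constructed common-password list. The 10 billion guesses per second used for the GPU extrapolation is an assumed figure, not a number from the page.

```python
import hashlib
import itertools
import string
import time

# Constructed sample of a stolen credential store: unsalted SHA-1 hashes of
# three four-letter passwords. Hypothetical data; a real leak looks the same
# whenever a site hashes without a salt or a deliberately slow algorithm.
SAMPLE_PASSWORDS = ("abcd", "kqrx", "zeta")
ALPHABET = string.ascii_lowercase
LENGTH = 4


def sha1_hex(password: str) -> str:
    """Hash a candidate the way the (hypothetical) breached site did."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


STOLEN_HASHES = frozenset(sha1_hex(p) for p in SAMPLE_PASSWORDS)


def brute_force(target_hashes, alphabet, length):
    """Offline brute force: hash every string of `length` over `alphabet` and
    look it up in the stolen hash set. Returns (recovered, guesses_made)."""
    recovered = {}
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(chars)
        digest = sha1_hex(candidate)
        if digest in target_hashes:
            recovered[digest] = candidate
            if len(recovered) == len(target_hashes):
                break
    return recovered, guesses


def crack_sample():
    """Run the attack against the constructed leak; returns the plaintexts found."""
    recovered, _ = brute_force(STOLEN_HASHES, ALPHABET, LENGTH)
    return sorted(recovered.values())


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space` at a given rate."""
    return space / guesses_per_second


def meets_complexity(password: str) -> bool:
    """The 'industry-standard' rule quoted in the article: at least 9
    characters with an upper-case letter, a lower-case letter and a digit."""
    return (len(password) >= 9
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


# Constructed stand-in for a cracker's wordlist of frequently chosen passwords.
COMMON_PASSWORDS = frozenset({"Password1", "Welcome1", "Summer2012", "Changeme1"})


def assess(password: str) -> str:
    """'common' is the Password1 case: it passes the policy yet falls first,
    because wordlists are tried before any brute force begins."""
    if password in COMMON_PASSWORDS:
        return "common"
    return "complex" if meets_complexity(password) else "weak"


if __name__ == "__main__":
    start = time.perf_counter()
    recovered, guesses = brute_force(STOLEN_HASHES, ALPHABET, LENGTH)
    elapsed = time.perf_counter() - start
    rate = guesses / elapsed
    print(f"recovered {sorted(recovered.values())} with {guesses:,} guesses "
          f"in {elapsed:.2f}s ({rate:,.0f} guesses/s in pure Python)")
    # Extrapolate the measured rate, and an assumed GPU rate, to 8 printable ASCII characters.
    space8 = keyspace(8, 95)
    print(f"8 printable chars: {space8:,} possibilities")
    for label, r in (("this script", rate), ("assumed 10 billion/s GPU rig", 1e10)):
        print(f"  {label}: {seconds_to_exhaust(space8, r) / 86400:,.1f} days to exhaust")
    for pw in ("Password1", "password1", "xK7#qwLp2v!"):
        print(f"{pw!r}: {assess(pw)}")
```

Running the script recovers all three sample passwords in well under a second even in pure Python; the extrapolation line shows why length and unpredictability, not the presence of a capital letter and a digit, are what separate a password from “Password1”.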
What do we do? Passwords are intrinsically flawed as a security method, but they are, in practice, what we are dealt to protect our, and our clients’, most private information. More advanced solutions such as biometric authentication, smartcards, and one-time key generators show greater promise,[iv] but they are all but unavailable for general consumer use.
Not even the almighty Google is safe. In March of 2012, a Russian university student broke out of Google’s Chrome web browser. The good news is that this was a contest, and the student won $60,000 for the exploit.[v] The bad news is that the attack was so good that all a user needed to do was visit a malicious website using Google Chrome. Without so much as downloading a malicious plug-in, the hacker gained complete control of the victim’s computer!
Such attacks occur in the real world. Moreover, a Verizon study revealed that hackers are often inside victims’ networks for months or years before being discovered; and more than two-thirds of companies learn they’ve been attacked only after an external party notifies them.
Penalties for clinicians who fail to protect client privacy are severe. According to the U.S. Department of Health and Human Services, “As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers…”[vi]
Simply put, if there is an attack on your system and the information of 500 or more individuals is compromised, not only do you need to notify affected clients (which, appropriately so, needs to be done with any breach), your practice also gets added to the “hall of shame.” Moreover, this list is republished on numerous websites across the web.[vii]
The “American Recovery and Reinvestment Act of 2009” has established a tiered penalty structure for HIPAA violations.
For example, in the case of a HIPAA violation wherein an individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA, there exists a potential maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million (and a minimum penalty of $100). Penalties get higher in instances of “reasonable cause,” “willful neglect,” and when violations are not corrected. [viii]
While it might not be possible to guarantee client privacy, we can provide some security—even decent security. Here are some tips:
- Make sure that, if a computer is stolen, there isn’t unsecured data on it. In practice that means full-disk encryption (built into current operating systems) and a strong login password; HHS guidance treats properly encrypted PHI as “secured,” so a stolen encrypted laptop is not a reportable breach the way the Sutter desktop was.
- Make sure that passwords are at least 9 characters and include a combination of capital letters, lowercase letters, and numbers, but remember that “Password1” meets that rule and is the first thing a cracker tries: length and unpredictability matter more than ticking the boxes. Never use a password for more than one account. Never store passwords on your computer in plain text.
- Make sure any paper files are double locked when not under your direct surveillance. Never leave case files in your car, or on your desk.
- Update your computer’s operating system, web browsing programs, and other programs regularly (better yet, make sure they are all set to auto-update).
- And finally, don’t store client records any longer than you’re required to: 5 years, 7 years, 12 years, whatever the rule is in your area, destroy old case files accordingly.
[ii] A presentation at the Virginia Counselors Association Conference, 2011.