Is Your Patient Data Secure?

January 12, 2011
Sara Michael

How secure is the patient data at your practice?

It’s a question practices should be asking in the wake of the news that a server containing personal patient and billing information was breached at a radiology practice in Rochester, N.H. It’s the latest security breach made public under the HITECH Act’s security breach notification rules.

The HITECH rules require organizations covered under HIPAA to notify the affected patients of a breach, and in some cases to notify CMS as well. Breaches involving more than 500 people are posted publicly by the Office for Civil Rights, which is why several large incidents have come to light in the last several months.

In the case of this radiology practice, Seacoast Radiology, the breach occurred in November 2010, and access to the server was disabled immediately, according to a release. An independent investigation concluded that unauthorized use of the data, which included names, addresses, Social Security numbers, dates of birth, diagnosis codes, and billing information, was unlikely. Radiology reports weren’t stored on this server.

Data security continues to be a major health IT concern for physicians. A study last year by the Healthcare Information and Management Systems Society (HIMSS) found that 34 percent of respondents named security breaches as a top concern, and 23 percent said their organizations experienced a breach in the last year.

So what can you do to protect your practice?

One control measure is disk encryption: software that encrypts the data on the hard drive so that it stays protected if an unauthorized user gets hold of it. The software makes it difficult for someone to remove the hard drive and read its contents on another computer, because without the encryption key the disk holds only ciphertext. A login password alone isn’t enough to protect sensitive data, since it controls access to the operating system, not to what is stored on the disk. It’s also a good idea to physically secure the hardware at the end of the day.
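One way to verify that this control is actually in place, as an added example that is not from the article: a Python audit that walks the Linux block-device tree reported by lsblk and flags any mounted filesystem that is not backed by a dm-crypt (LUKS) layer. It assumes util-linux lsblk and a constructed sample tree; skipping /boot and swap is this example's assumption.

```python
# Added example, not from the article: audit which mounted filesystems sit on a
# dm-crypt (LUKS) layer. Assumes Linux util-linux lsblk; SAMPLE is constructed.
import shlex
import subprocess

LSBLK_ARGS = ["lsblk", "-o", "NAME,KNAME,TYPE,MOUNTPOINT,PKNAME", "-P"]
# Constructed block tree: / is LVM on LUKS, but /srv/billing is a plain partition.
SAMPLE = '''\
NAME="sda" KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" KNAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" KNAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" KNAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-1234" KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="vg-root" KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
NAME="sdb" KNAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" KNAME="sdb1" TYPE="part" MOUNTPOINT="/srv/billing" PKNAME="sdb"
'''

def parse_lsblk_pairs(text):
    """Parse `lsblk -P` KEY="value" lines into a dict keyed by kernel name."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            fields = dict(tok.split("=", 1) for tok in shlex.split(line))
            devices[fields["KNAME"]] = fields
    return devices

def is_encrypted(kname, devices):
    """True if the device or any ancestor in the block tree is type 'crypt'."""
    seen = set()
    while kname in devices and kname not in seen:
        seen.add(kname)
        if devices[kname]["TYPE"] == "crypt":
            return True
        kname = devices[kname]["PKNAME"]  # walk up to the parent device
    return False

def unencrypted_mounts(text, ignore=("/boot", "/boot/efi", "[SWAP]")):
    """(mountpoint, name) pairs whose data is not under dm-crypt. Skipping
    boot partitions and swap is this example's assumption, not a rule."""
    devices = parse_lsblk_pairs(text)
    return [(d["MOUNTPOINT"], d["NAME"]) for d in devices.values()
            if d["MOUNTPOINT"] and d["MOUNTPOINT"] not in ignore
            and not is_encrypted(d["KNAME"], devices)]

if __name__ == "__main__":
    out = subprocess.run(LSBLK_ARGS, capture_output=True, text=True, check=True)
    for mountpoint, name in unencrypted_mounts(out.stdout):
        print(f"NOT ENCRYPTED: {mountpoint} on {name}")
```

Run as a script on a workstation, it prints one line per mounted data volume that would be readable if the drive were moved to another machine; no output means every checked mount sits on an encrypted layer.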

Has your practice experienced a security breach? Or do you have a best practice to share for protecting data?