Safeguard patient data
LAS VEGAS – The most valuable property an HME provider has today is not physical inventory, but patient data.
“On the black market, personal health information is the most sought after data of anything out there,” said Bill Wilson, vice president of sales and marketing for VGM Insurance, during a session at Medtrade Spring. “With that information, hackers can steal identities.”
When Target suffered a breach in 2014, the hackers didn’t target the retail giant itself; instead, they gained access to customer data through a small HVAC company that Target contracted with. It was easier for thieves to target the company with weaker cyber security, says Rob Duryea, president of VGM Forbin.
A similar scenario could happen in the HME industry, where a provider is linked to a healthcare system and trading patient data through electronic referrals.
“Look at the average HME dealer, with a limited budget to go after strong security,” he said. “It’s a weakness and (hackers) know it.”
While people often associate the idea of cyber attacks with a hacker in China or elsewhere, the biggest risk to the safety of your information is your employees, says Wilson.
“It’s human error,” he said. “An employee opens an email they shouldn’t and they expose us.”
About 60% of businesses hit with a data breach will close within six months because they can’t afford the average cost of $3.5 million to reconcile the breach, said Duryea.
Duryea offered some basic advice to help providers limit risk, including: make sure you’re in compliance with the latest PCI DSS; have an SSL certificate; make sure hosting is secure; and stay on top of domain registration.
Teach employees to spot fraudulent emails and phishing attempts, and establish a remote access protocol, Duryea said.
And, while it seems obvious, protect vital files by ensuring they are encrypted and restricted, Duryea said. Too often, breaches are the result of lost or stolen devices—even from an employee vehicle.
“Why is that person carrying around that laptop?” he said. “Employees shouldn’t even want that information.”