A recent ransomware attack on a Texas clinic shows why caregivers have to make sure their data retention practices are just as clean as their treatment areas.
The ransomware attack that hit Urology Austin in January of this year was notable for two reasons: first, it was one of the few ransomware attacks listed on the HHS "wall of shame" for data breaches; second, it involved data on patients who hadn't received treatment at the Urology Austin practice in decades.
The Urology Austin attack affected nearly 300,000 patient records, including those of patients who hadn't received treatment from the practice in more than 20 years. The Urology Austin team was forced to notify those patients about the attack, and those patients were then sent on the rabbit chase that is monitoring for identity theft.
Ransomware attacks are not going away anytime soon, and will in all likelihood only increase in frequency and intensity. And the larger your patient dataset is, the greater the risk for your practice both in terms of actual patient data and reputation.
So what do you do to balance the data retention needs of your patients and practice against protecting all that data against attackers?
Make sure your data is adequately protected, of course, but also that you're only keeping the data you need to provide quality care while protecting your patients' identities.
All personal data, such as protected health information (PHI), should be protected at the same level regardless of how long you've had it. As the experience of the former Urology Austin patients demonstrates, those individuals can suffer the same consequences and harm as current patients.
Every provider absolutely needs to have a data retention policy and supporting procedures in place, which should include how to irreversibly destroy or delete data once it is no longer needed to meet legal requirements and patient care needs. It's crucial that employees responsible for this data are aware of and follow those policies and procedures. Frequent training and reminders are critical.
This should become a provider mantra: when you don't need data, eliminate it.
If you need older data for research purposes, de-identify it so you can still get the research benefits. Doing so will significantly reduce the risks to the associated patients, not to mention your practice.
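The retention sweep described above, as an added illustration that is not part of the original article: each record is compared against a retention window, records still within it are kept, records past it that are flagged for research are de-identified (direct identifiers dropped, the patient ID replaced with a keyed pseudonym, the ZIP code truncated and the date of birth reduced to an age band, in the spirit of a Safe Harbor style de-identification), and everything else is marked for destruction. The patient records, the seven-year window and the pseudonymization key are all constructed for the example; a real retention period comes from state law and the practice's own policy, and "destroy" here only removes the record from the in-memory store, since irreversible destruction depends on the underlying storage.

```python
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac

# Assumed retention period; the real value is set by law and practice policy.
RETENTION_YEARS = 7


@dataclass
class PatientRecord:
    patient_id: str
    name: str
    dob: date
    zip_code: str
    last_visit: date
    diagnosis_code: str


def years_since(d: date, today: date) -> int:
    """Whole years elapsed between d and today."""
    years = today.year - d.year
    if (today.month, today.day) < (d.month, d.day):
        years -= 1
    return years


def classify(record: PatientRecord, today: date,
             retention_years: int = RETENTION_YEARS,
             research_hold: bool = False) -> str:
    """Decide what the retention policy requires for one record."""
    if years_since(record.last_visit, today) < retention_years:
        return "retain"          # still needed for care or legal reasons
    if research_hold:
        return "deidentify"      # keep the research value, not the identity
    return "destroy"             # no remaining need: eliminate it


def age_band(age: int) -> str:
    """Collapse an exact age into a ten-year band; ages 90+ are pooled."""
    return "90+" if age >= 90 else f"{(age // 10) * 10}-{(age // 10) * 10 + 9}"


def deidentify(record: PatientRecord, key: bytes, today: date) -> dict:
    """Strip direct identifiers; the pseudonym is a keyed HMAC of the ID, so
    only whoever holds the key could relink it, and the name is dropped."""
    pseudonym = hmac.new(key, record.patient_id.encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "pseudonym": pseudonym,
        "zip3": record.zip_code[:3],
        "age_band": age_band(years_since(record.dob, today)),
        "last_visit_year": record.last_visit.year,
        "diagnosis_code": record.diagnosis_code,
    }


def sweep(records: list, today: date, key: bytes, research_hold_ids: set) -> dict:
    """Apply the policy to every record; returns what is retained, the
    de-identified research set, and the IDs removed from the store."""
    retained, research, destroyed = [], [], []
    for rec in records:
        decision = classify(rec, today, research_hold=rec.patient_id in research_hold_ids)
        if decision == "retain":
            retained.append(rec)
        elif decision == "deidentify":
            research.append(deidentify(rec, key, today))
        else:
            destroyed.append(rec.patient_id)
    return {"retained": retained, "research": research, "destroyed": destroyed}


# Constructed sample data (not real patients).
SAMPLE_RECORDS = [
    PatientRecord("P-001", "Alice Example", date(1980, 4, 2), "78701", date(2024, 3, 1), "N40.0"),
    PatientRecord("P-002", "Bob Example", date(1955, 9, 15), "78704", date(2001, 5, 10), "N20.0"),
    PatientRecord("P-003", "Carol Example", date(1930, 1, 1), "78745", date(1998, 1, 1), "N39.0"),
]
SAMPLE_KEY = b"constructed-example-key"   # in practice, a managed secret
SAMPLE_TODAY = date(2025, 6, 1)           # fixed so the run is reproducible


if __name__ == "__main__":
    result = sweep(SAMPLE_RECORDS, SAMPLE_TODAY, SAMPLE_KEY, research_hold_ids={"P-003"})
    print("retained:", [r.patient_id for r in result["retained"]])
    print("research:", result["research"])
    print("destroyed:", result["destroyed"])
```

Running the sweep on the sample data keeps P-001 (visited last year), de-identifies P-003 (on the research hold, last seen 27 years ago) and marks P-002 for destruction; the de-identified row carries no name or patient ID, only the pseudonym, a three-digit ZIP, an age band and the visit year.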
Your duty as a caregiver is not just to care for your patients' physical health and safety, but also for the safety of their personal data. Give both your care and attention, and make sure you're protecting the whole patient, both physical and digital.