HIPAA and Cybersecurity
Are you practicing good “Cyber Hygiene”?
by Jodie Cannon, BS, OSHA/HIPAA Consultant
It’s no secret that HIPAA regulatory compliance can be very time consuming and substantially increase costs. Confusing, obtuse regulations written in difficult to understand language can be bewildering and overwhelming for healthcare organizations, especially small to midsize organizations with limited management resources. HIPAA compliance is no exception. According to the Office of Civil Rights, covered entities must make a ‘good faith effort’ in the following areas of compliance: 1) Recent Security Risk Assessment; 2) Active Risk Management Process (Work Plan); 3) Current policies and procedures for protection of patient data; 4) Signed Business Associate Agreements; and 5) Employees having been trained within the last year.
At Modern Practice Solutions, we constantly strive to make HIPAA compliance as easy, efficient, and affordable as possible without cutting any corners. We offer our HIPAA Kickstart Turnkey Program that includes the above-mentioned areas of compliance. We also offer an intensive Advanced HIPAA Course designed especially for those of you serving as Privacy/Security Officers to help you succeed in your compliance leadership role.
How are HIPAA violations driven or how are they discovered?
- Patient complaint driven
- Employee complaint driven
- Notification of breach driven
- Business Associate third party breach
- Employee mistake driven
- HIPAA compliance audits
Most regulations, including HIPAA, are created with good intentions. HIPAA was intended to protect the privacy and security of sensitive patient health information whether written, oral, or electronic.
The HIPAA Security Rule was enacted to prevent the unauthorized disclosure of patient information, and compliance became mandatory in 2006. Then, the Internet was relatively new, and spam, ransomware and phishing emails were largely unheard of. Today, ransomware and phishing run rampant and present a huge threat to your organization. The top 5 Cybersecurity threats to the health care industry are as follows: 1) Phishing email; 2) Ransomware; 3) Loss/theft of data or equipment (such as mobile devices); 4) Internal threat (accidental or intentional data loss; and 5) Attacks against connected medical devices. Nearly all breaches occur through email and the file server. The Department of Health and Human Services issued Ransomware guidance around 2016 when Ransomware was the most common cause of breach in the health care industry.
In response to the Cybersecurity threats, the Department of Health and Human Services issued an urgent advisory and guidelines on Cybersecurity Practices for small and large health care organizations late in 2018:
- Cybersecurity Practices for Small Health Care Organizations
- Cybersecurity Guidelines for Mid-Large Health Care Organizations
No organization is too small to be targeted and victimized, and many have been subject to cyberattacks. You just might not hear about it because it does not normally make national news. For example, here is a case of a small two-provider practice that was recently hit by ransomware and decided to close its doors:
What can you do to minimize the real and tangible cybersecurity risks to your organization? Here is your
prescription:
- Train your employees to understand and recognize threats
- Send your employees fake ransomware/phishing emails to test them
- Perform an annual security risk assessment
- Use reputable antivirus software and firewall and keep them up-to-date
- Employ content scanning and filtering on your mail servers
- Ensure all systems and software are kept up to date with relevant patches
- Have a comprehensive cyber insurance policy in place to mitigate against massive potential financial expenses
If you have any questions or would like Modern Practice Solutions to assist you with your HIPAA compliance, please contact us at [email protected].