Healthcare Providers: Here’s What You Need to Know to Avoid a HIPAA Violation
The COVID-19 pandemic has made issues of healthcare data, privacy, and technology top of mind for healthcare providers and patients alike. Increased use of medical technology has improved outcomes for many patients, but can also make it more difficult for healthcare providers to protect the patient data collected, leaving the practice vulnerable to a HIPAA violation in the form of a medical records breach. To a healthcare provider, “HIPAA violation” are two of the scariest words in the English language. Here’s what you need to know to avoid one.
What is a Medical Records Breach?
A medical records breach is any incident in which a patient’s health information is accessed without authorization, compromising a patient’s trust in their healthcare provider and endangering their sensitive data. The scariest part? Medical breaches are more common than you’d think– according to the HIPAA Journal, more than 189 million healthcare records have been stolen or exposed in over 2,500 breaches since 2009. That amounts to nearly 60% of the U.S. population being affected. This is bad news not only for patients, but providers as well. Data breaches in the healthcare industry are reported to cost an average of $6.5 million, over two million more than for other industries.
So how and why do these frightening, costly data breaches happen? Research suggests that hackers were responsible for more than half of medical records breaches in 2019. Hackers often steal patient health data with the intent to sell it on the dark web. Healthcare hacking is a surprisingly profitable business for cybercriminals; patient health information can sometimes be valued more highly than credit card information, and can be used to commit insurance fraud, medical identity theft, and even blackmail. Three of the most common methods of deliberate breach– or hacking– are phishing, malware or ransomware, and data theft.
Phishing is a type of cyber attack in which an email, phone call, or text message is used to pose as a legitimate institution and trick individuals into sharing sensitive data, such as passwords, social security numbers, or bank and credit card information. You’ve likely encountered a phishing message personally– recent scam phone calls about your car’s extended warranty are a prominent example. If you or someone at your organization receives an email, phone call, or text message from an unverified source, delete the message without clicking any links or hang up without speaking or pressing any other buttons.
Malware & Ransomware
Malware is a type of software that cyber attackers can use to steal sensitive information or render the network and computers unusable. Ransomware is an insidious type of malware in which hackers hold your data hostage until you pay a large sum to get it back. Never open links or attachments in any message from an unverified source, and delete suspicious messages immediately.
Data theft is a broad term encompassing many ways an individual can steal sensitive data. Overly simple passwords, a lack of encryption, carelessness in digital privacy, and even device theft can leave your organization open to data theft, and worse, lawsuits.
What is at Stake for Your Practice?
Small to midsize healthcare organizations may be more vulnerable than they realize. While large hospitals are often targeted for the vast amounts of data they hold, smaller practices can be a target due to lack of security resources or outdated practices. And it’s not only large breaches that are being investigated and prosecuted– since late 2016, the Department of Health and Human Services (DHHS) has been investigating security incidents affecting fewer than 500 individuals for HIPAA violations. So what is the cost of a HIPAA violation? The DHHS classifies penalties in four tiers, depending on the severity of the breach and the entity’s response.
First tier penalties are those in which the offending entity did not know about the breach and could not have realistically avoided it, even with reasonable care taken to abide by HIPAA rules. Penalty is a fine of $100 per violation or more, up to $50,000. However, the Office for Civil Rights (OCR) may waive a financial penalty at their discretion.
Second tier penalties are those in which the offending entity either knew or should have known about the breach, but still could not have avoided it with reasonable care. The second tier falls just short of being considered willful neglect. These violations carry a minimum fine of $1,000 per violation, up to $50,000.
Third tier violations are the result of willful neglect of HIPAA rules in which an attempt has been made to correct the violation. Minimum fine is $10,000 per violation, up to $50,000.
Fourth tier violations are a result of willful neglect with no attempt to remedy the situation in a timely fashion. Minimum fine is $50,000 per incident.
How to Protect Your Organization
With critical data, patient trust, and potentially millions of dollars at stake, it is vital for healthcare organizations of all sizes to protect their data. But how? The task can seem overwhelming, especially to those with limited knowledge of information technology and network security. There are a few key protections that should be part of every healthcare organization’s cybersecurity plan. For more information on those protections, see our post on the Hierarchy of IT Security.
Hire an Expert
Trying to manage your own organizational IT can lead to greater expense, lower productivity, and increased vulnerability to cyber attacks and data loss. Not to mention, it can be a great source of frustration. A quality managed service provider like iSAFE Complete will take responsibility for the security of your network infrastructure, leading to priceless peace of mind for your organization and your patients. iSAFE offers unlimited support and will ensure that your firewalls, routers, access points, and devices are always up to date and secured.
Train Your Staff
Your managed services provider can offer a lot in terms of data protection and peace of mind. But true IT security is a team effort between your provider and your staff. According to a 2019 analysis by Bloomberg Law, healthcare staff gaining inappropriate access to team members’ or patients’ information is the fifth most common cause of medical data breaches. Further, over 60% of all breaches across industries occur due to user error. Providing continuous training to all staff on security best practices can reduce mistakes. Also, technology like two-factor authentication, secure messaging portals, and automatic logoffs can reduce the impact of human error.
Use a Web Filter
Unfortunately, even with the best training in place, user error still happens. Accidental clicks can leave well-intentioned users vulnerable to malware and ransomware. When mistakes happen, web filtering is a first line of defense. A web filter will block sites known for distributing malware, and can even be configured to block time-wasting sites like social media.
In the event that your web filter does not catch a questionable site, antivirus protection is your next line of defense. Antivirus software will block malicious scripts from running on the computer on which it is installed. Any new files downloaded or added to the device are automatically scanned for malware before opening or running. Corrupted files are automatically quarantined or deleted, saving your systems from disaster.
Use a Password Management System
Nearly every digital device and system requires a password to grant user access. You likely know that strong, unique passwords with a diverse set of characters are necessary to protect your systems. However, it can be difficult to remember a long list of passwords. A password management system will allow you to create strong, unique passwords for every site while only remembering one master password.
Conduct Regular Backups
Sometimes, despite our best efforts, data becomes stolen or compromised. For that reason, it’s important to have a plan in the case of a security breach– this is where backups come in. Conducting a daily, off-site backup can allow your managed service provider to restore your computer and data to the date of the last backup. This way, if your systems fall victim to malware or ransomware, you still have access to important data.
Avoiding a medical records breach, and ultimately a HIPAA violation, can be difficult and time-consuming. But it definitely isn’t something you want to leave to chance. Ask how iSAFE Complete Managed Services can help your healthcare organization remain secure and HIPAA compliant, granting you and your patients peace of mind.