While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.
Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime in 2020 has surpassed 2019 and we still have a few months to go. The problem is the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information and we are the ones permitting it. Also, user credentials are compromised and used to gain access to your network or to send false emails to gather personal information. These scams typically involve a criminal that has hacked a legitimate email address. For example, a person would receive a message that appears to be from someone within their organization or a business associate with which that person knows. The message will request a payment, wire transfer, gift card purchase, or even a list of employees with social security numbers that seems legitimate. The compliance officer should be notified, and the transaction verified BEFORE it is completed. Every office needs to have a verification process in place before releasing ANY data.
We have said this before… if a stranger walked up to you and asked you to verify your identity would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere, we trust. Trust, but verify.
With more and more people working remotely, that brings us to another vulnerability. Covered entities that utilize the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BA agreement in place, it is still typical the covered entity bears the financial burden of the breach but may not receive the fines. That is why a BA agreement should include an indemnification and requiring the business associate to carry cyber liability insurance. Recently, a business associate was fined $2.3 million for a data breach that was caused by a hacking incident. If the covered entities did not have BA agreements in place, they could have been the ones who received this hefty penalty. Also, recently an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities should carry their own policies as well. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. Many electronic and portable devices are used to process and store PHI. Anyone with access to such devices could potentially have the ability to change configurations, install malicious programs, change information, or access information that are not authorized to. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures to limit access to only those who are authorized.
Risk management should be at the top of everyone’s list. Preventing data breaches and securing patient data is everyone’s responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. HIPAA Compliance Officers responsibilities include creating, maintaining, and enforcing compliance. This includes the staff, management, and even the medical providers. I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate since they are only trying to do their job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let’s all work together to keep patient data safe and secure.
If you need assistance with HIPAA Security training or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.