By David McHale
Cybercrime drains as much as $140 billion and half a million jobs from the U.S. economy each year, and requires organizations to devote substantial time and resources to keeping their information secure. This is even more important for healthcare organizations because they are the most frequently attacked form of business.
Did you know that 51 percent of all cyber security breaches occur within healthcare entities? Cybercriminals target healthcare organizations for two main reasons: 1) healthcare organizations fail to identify cyber security threats and upgrade their cybersecurity as quickly as other businesses, and 2) criminals find personal patient information more valuable to exploit than credit card information because it contains details that can be used to access bank accounts or obtain prescriptions for controlled substances.
The threat of a security breach is higher than it has ever been, with new threats to computer systems and other attempts to steal information increasing exponentially. Almost daily, the media report another data breach, or that hackers have infiltrated another data storage system and exploited personal information. Just 10 months ago, Target announced it had been hacked and 40 million credit card numbers had been stolen. The Target disclosure was met with weeks of news coverage and calls across all industries for increased security measures for consumer data. Most recently, Home Depot announced that it had a breach involving 16 million more credit card numbers than the Target breach. These regular announcements of security breaches clearly suggest that the question for any organization, large or small, is now a matter of when, not if, a breach of its data will occur. All industries should recognize that there will be no patience for an entity, especially a healthcare organization, that complains it didn’t know about the threat of security breaches or the basic steps that should be taken to avoid a breach.
In fact, the repercussions of security breaches for healthcare organizations can be daunting. A healthcare organization that suffers a breach of more than 500 records of unencrypted personal health information (PHI) must, within 60 days of discovery, report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. While all breaches of PHI must ultimately be reported to the OCR, those totaling over 500 records are much more significant. To date, the OCR has levied over $25 million in fines, with the largest single fine totaling $4.8 million. A healthcare organization’s brand and reputation are also at stake. The OCR maintains a searchable database (informally known as a “wall of shame”) that publicly lists all healthcare entities that were fined for breaches that meet the 500-record requirement.
To help healthcare organizations safeguard their systems, it’s important to know and understand the most common ways a breach can occur. The most common methods of cyber attack across all industries in the U.S. are: theft of unencrypted electronic health records (29 percent), hacking (23 percent), and public distribution of personal records (20 percent).
In order to mitigate cyber threats and help ensure that your health organization is fully compliant with HIPAA privacy and security rules, The Doctors Company, the nation’s largest physician-owned medical malpractice company, recommends the following precautions:
- Train your staff on how to protect PHI. Conduct information and cyber security awareness trainings to help identify all areas of potential vulnerability.
- Develop procedures for the handling and destruction of PHI and preventing unauthorized data transfer.
- Create policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
- Prohibit the transfer of PHI using unencrypted public networks and devices.
- Audit and test your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach.
- Confirm that your practice has insurance to assist with certain costs in case of a breach.
For more cybersecurity tips, visit www.thedoctors.com/cybersecurity.
David McHale is The Doctors Company’s Chief Legal Officer. He holds a law degree from the University of the Pacific’s McGeorge School of Law and an MBA from the University of Illinois. He is a Certified HIPAA Compliance Officer (AIHC) and a regular presenter before insurance trade organizations and the National Association of Insurance Commissioners (NAIC).