Healthcare organizations have made significant technological leaps and bounds in recent years, becoming connected to health information exchanges and incorporating electronic health records.
These advances help healthcare professionals and patients gain faster and more comprehensive access to critical medical information, but they add a layer of complexity when it comes to HIPAA compliance. As protected health information (PHI) is made readily available to providers and patients, it is also potentially available to hackers. It is essential for all healthcare organizations to understand what constitutes a HIPAA data breach and how they can limit their (and the public’s) exposure.
According to the U.S. Department of Health and Human Services, a breach occurs “when an impermissible use or disclosure under the Privacy Rule compromises the security or privacy of the protected health information.” The factors that determine whether a breach has occurred include the nature and extent of the information that was exposed, including the types of identifiers involved and the likelihood of re-identification; who accessed or received the protected information; whether the information was actually acquired or viewed; and the extent to which the risk to the protected information has been mitigated.
The HHS Office for Civil Rights (OCR), which enforces HIPAA regulations, reported that 2018 set a record for HIPAA enforcement activity with a total of $28.7 million levied against healthcare organizations for breaches of protected information, including the single largest settlement ever: $16 million. (That is $16 million for just one organization.)
The OCR maintains a “wall of shame” that lists all reported breaches for the past 24 months, and it appears that 2019 is already a busy year, with dozens of reports from healthcare organizations of all sizes of hacking, theft and unauthorized access of protected health information.
So, how can you limit your exposure?
Start with a risk assessment
It is vital that healthcare leaders assess every piece of hardware and software that has any contact with protected health information, whether it stores, processes or transfers it from one place to another. Who has access to these assets? How are they protected from hacking, theft, and natural disasters?
Encrypt, encrypt, encrypt
Need I say more? If critical data is encrypted correctly (at rest and in transit, with the keys kept separate from the data they protect), it dramatically reduces the chance that a hacker or thief can use it for nefarious purposes.
Train your team
Security starts with the staff. Beginning with onboarding, and at regular intervals after that (we recommend company-wide security training twice a year), make sure every member of your organization knows how to spot a phishing email, how to maintain proper passwords, and how to secure their computers when they step away from their desks.
If a breach occurs, act quickly
Mistakes happen, and sometimes even well-protected organizations find themselves dealing with a breach. It is imperative to have a plan in place to respond to the incident and mitigate any data loss as quickly as possible in order to limit exposure. The OCR provides a Quick-Response Checklist that walks through the steps for responding to a cyber-related security incident.