Although malware and cybersecurity raise concerns across all industries, medical practices — a treasure trove of patient health records, Social Security numbers and insurance information — are often the perfect target for hackers and phishing schemes. Experian estimates that a Social Security number can be sold for $1, but medical records can be sold for between $1 and $1,000.
The American Medical Association reports that in 2017, 83% of all physicians’ practices had experienced some type of cyberattack. Hackers use a variety of attack methods. For example, ransomware can shut down practices for hours or days, making a patient’s medical history inaccessible, and the theft of electronic protected health information (ePHI) places patient care at risk. The vast majority of physicians believe the ability to share ePHI is extremely important to patient care; however, many physicians are not taking basic steps to improve their security and protect ePHI.
HIPAA requires all covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity or business associate.” The AMA suggests five basic steps to begin your assessment:
1. Identify the scope. Identify potential vulnerabilities within your internal IT systems, including not only your data at rest (such as databases) but also data in transit moving through your network. Question how data flows through the system, each point of information entry and exit and who needs access to the information.
2. Assess the risk. Understand the hardware you have connected to the internet and how it is protected. Inventory all software, programs and security systems, and know how long it will take to recover data in the case of a data breach.
3. Evaluate the risk. Not every risk is the same, and if you have limited funds to invest in cyber security, focus on addressing those posing the most potential harm.
4. Create a plan to address the risk. The easiest cyberattack on any organization is through unsuspecting employees. Educating and training staff about cybersecurity is the least expensive and most effective defense for any medical practice. Establish cybersecurity policies and enforce them.
5. Periodically review and update. Annual evaluation of your cybersecurity risk is critical. With tremendous advancements in technology, new risks appear daily — but so do new security measures to combat those risks. Stay up to date.
Senior Associate Attorney
Rosenblatt Law Firm
Failure to make a reasonable effort to safeguard ePHI is not only a great way to lose patients, but an unfortunate means to find yourself facing vast fines for violating HIPAA. Federal fines for noncompliance with HIPAA are based on the level of perceived negligence at the time of the HIPAA violation, and can range from $100 to $50,000 per incident — another reason to ensure your medical practice has effective cybersecurity systems in place.
While no system is ever perfect, when required policies, procedures and frameworks are followed, ePHI is more secure and the chance that an employee will unwittingly release protected information is significantly reduced. Implementing protocols and procedures may seem daunting and time consuming, but it is fundamental to minimizing risk.
Molly Neck joined the Rosenblatt Law Firm in 2014. She is a Senior Associate for the Transactional Section of the firm. For more information, visit rosenblattlawfirm.com or call Rosenblatt Law Firm at 210-562-2900.