HIPAA compliance is required in order to avoid large fines from the federal government, but there is another issue you can address when you implement HIPAA compliance – strengthening your practice’s network security.
Your patients’ data is worth a lot of money on the black market, and hacks of medical practices and hospitals are on the rise with the latest trend in cyber-attacks being ransomware. This is malware that restricts access to your computer system and demands that the you pay a ransom to access your data. If you are not prepared for these attacks, your practice could be destroyed.
Most medical practices don’t have a plan for regular backups, or a disaster recovery plan, and choose to pay the ransom to hackers in order to regain access to the data that is vital for their day-to-day operations. In March 2016 alone, more than a dozen medical facilities were attacked. Hollywood Presbyterian Medical Center is one location that decided to pay the ransom of 40 Bitcoin, almost $17,000, in order to restore their systems. The FBI recommends businesses not pay the ransom, because there is no guarantee that the hackers will unlock your systems, and simply decrypting files does not mean the malware infection has been removed from the system.
According to a recent Washington Post article, Sinan Eren, who has worked in cybersecurity for government and healthcare organizations said, “Medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked.”
The threat is not going away anytime soon. March 2016, the US and Canada issued a rare joint cyber alert warning about the recent surge in ransomware attacks. A report from Intel Corp.’s McAfee Labs, predicts ransomware will remain a major and rapidly growing threat in 2016, and will expand to new industry sectors including financial institutions and local government. These groups will want to quickly pay ransoms to restore their critical operations – stimulating more attacks.
How Do I Protect My Data?
HIPAA compliance may be your best bet. The guidelines set forth by HIPAA serve as an excellent road map to protect your information.
Here’s how it works. There are three parts to the HIPAA compliance process:
- Training, and
The first step in the HIPAA documentation process is to conduct a Risk Assessment. The Risk Assessment gathers information about the use of electronic devices in your practice, how you handle and safeguard data, and what procedures your employees must follow. Once the Risk Assessment is completed, you’ll have the foundation for your Privacy and Security Policies and Procedures. You’ll have identified what improvements need to be made in your systems and what procedures to follow to keep them safe. Additional required HIPAA documents can also be completed from data collected in the Risk Assessment.
As the Washington Post article highlighted, a lack of or inadequate employee training makes an organization vulnerable to attacks. HIPAA requires employees be trained annually, not only on the HIPAA law, but specifically on your organization’s security policies and procedures. Developing the two training programs on your own would be daunting; however, when you partner with a compliance company like Total HIPAA the training on the law is already developed for you. We also summarize your practice’s key points – saving you both time and money.
What good is a plan and training without rolling it out to your entire practice? Your HIPAA Compliance Plan isn’t a document that just sits on the shelf and only gets dusted off once a year. Once you have a plan everyone on your Compliance Team can agree on, it’s time to put that plan into action!
Cyber attacks can cost you thousands of dollars when you notify staff or patients of a breach. In addition to these costs, HIPAA fines and penalties as high as $50,000 per violation can be added to your final bill. When you examine the option of implementing HIPAA or waiting until something happens, the choice is clear – meeting HIPAA compliance is only a fraction of the costs you will face if you are hacked. Protect your practice today.