If you work in the medical field or for a health care provider, chances are you’re very familiar with HIPAA guidelines and how they pertain to patient care. But are you familiar with how HIPAA affects your IT environment? When it comes to HIPAA and patient care, most people are already familiar with the HIPAA Privacy Rule, but how familiar are you with the HIPAA Security Rule? Due to recent events regarding ransomware and the Erie County Medical Center, HIPAA compliance – along with data security – has become more important than ever.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the use and disclosure of Protected Health Information (PHI). This applies to (but is not limited to) health insurers, medical service providers, health care clearinghouses, and employer-sponsored health plans. From April of 2003 until January of 2013 there were over 91,000 HIPAA complaints, which led to 22,000 enforcement actions. As if going through legal litigation isn’t bad enough, violators also pay a pretty penny per HIPAA violation. In 2010, Cignet Health of Maryland was fined 4.3 million dollars simply for not providing patients with copies of their medical records when requested.
How can HIPAA compliance affect your daily operations?
Now that we’ve established how important HIPAA is, let’s break down how this may affect your operations on a day-to-day basis. To do this, I’m going to refer back to ECMC. When ECMC was initially hit with the cyberattack, they were given an option to settle for 1.7 bitcoin (the equivalent of $4,644 U.S. dollars). This may not seem like an astronomical amount of money; however, the $4,644 figure was per infected machine. If you take into account how many machines a small- to medium-size office may have (likely around 10 to 15), you’re looking at a starting point of around fifty thousand dollars and up (now the fee seems a bit more severe). On top of the monetary losses, you also must take data security, HIPAA fines, downtime, productivity loss, and reputation into account.
Hopefully we now see the consequences of not being HIPAA compliant, but how does HIPAA compliance help protect your data?
The first step in becoming HIPAA compliant, from an IT perspective, is to have an audit of your environment completed. This way a managed service provider can provide a detailed scope of your environment, along with an IT roadmap, which will help you plan for future expenses and potential issues. During the audit, multiple scans of the environment will be run. Some of the scans will make sure your hardware and software are up to date, and will also check for any security vulnerabilities or possible holes in your infrastructure configuration management.
After the audit has been completed, an engineer will sit down with you and explain their findings and recommendations. Sometimes the recommendations may be minor in scope and can be implemented in a very short amount of time. On other occasions the engineer may find larger holes or more serious issues which need to be addressed more urgently. As an example, a main part of being HIPAA compliant is having a full off-site backup. If the audit is completed and no backup is found, an engineer will sit down with you and provide a detailed proposal to help you protect your data in the event that you are ever attacked by malicious software and data loss does indeed occur.
As technology continues to advance and hackers become more sophisticated, data security increasingly becomes a top priority for organizations like yours. We’ve seen foreign countries/governments “hack” U.S. computers with the explicit interest of stealing intellectual property and extorting money from U.S. businesses. A HIPAA security audit is a great way to make sure this doesn’t happen to you.