The rule also required self-reporting of all breaches to the US Department of Health and Human Services as of 2009. (More information can be found at https://www.hhs.gov/hipaa)
If you are a medical facility (hospital, clinic, health care plan, pharmacy or small provider), here are some statistics about enforcement by the Department of Justice (DOJ) Office for Civil Rights (OCR) for December of 2016.
The OCR imposed fines of over $58.5 million in December of 2016.
What this means to you
If you are a CEO, board member or executive leader in a medical facility, you are probably sitting on a ticking time bomb. In 9 out of 10 facilities we visited, some form of internal or external security breach existed.
Just letting employees know that a security review is happening will send staff scrambling. 75% of security breaches are caused by internal employees and go unreported. Eventually these weaknesses are found by external hackers.
The most common and best-case scenarios include:
Worst-case scenarios:
How do they get in?
The following is a quick checklist of failure points specific to the medical industry and HIPAA compliance.
20 years ago we only worried about user passwords and about access to servers in the same building on a closed network. Today we have employees, contractors and vendors located anywhere in the world, and new software security patches are distributed on a weekly basis, either proactively or in response to new security breaches.
10 years ago a stolen laptop being hacked was the biggest worry. Today smartphones are in the top three most frequent sources of security breaches, along with stolen laptops.
There are also the new cloud server offerings. Cloud platforms can be even more secure than servers maintained in your own server room. The best cloud offerings carry HIPAA and PCI certifications.
These systems require no upfront capital cost and are maintained by a battalion of IT experts. Cloud providers can afford to hire top-level experts in each individual technology, and they do. They can also afford to continually upgrade the training of these experts. Most importantly, they can afford to provide the experts, firewalls, routing, antivirus, anti-malware and intrusion detection software.
At a security level, not taking advantage of the new cloud technology is like keeping your money in your mattress versus in a bank vault. It feels good to sleep on your cash, but a fire or a burglary can make a lifetime of savings disappear.
Let’s face it: technology is changing fast. Both businesses and hackers have new tools and software available every month. If you aren’t spending the money to keep up, you will eventually be hacked. In fact, almost everyone gets hacked eventually.
In our experience, two out of three CEOs reading this article have been attacked, been breached or have hackers living in their systems right now.
Fortunately, fixing the problem is actually quite simple.
Start with our new 15-Minute Technology Self-Assessment >
About the Author