Health information held in your facility is a potential source of problems, depending on a variety of factors. HIPAA requires healthcare providers to establish effective safeguards to protect patients’ health information. You might think that everything is done for the sake of compliance, but you may be more exposed to serious issues than you realize. A breach can lead to HIPAA violations.
In a recent press release, the U.S. Department of Health and Human Services reported that two entities collectively paid a handsome $1.9 million to the Office for Civil Rights (OCR) to resolve potential violations of the HIPAA privacy and security rules after an incident in which a laptop containing personal health information was stolen.
These breaches may happen without warning or without your knowledge. Awareness can help you address these threats.
Examples of incidents that can compromise the security of health information in your facility:
Stolen unencrypted computing devices
Nearly everyone today has bits and pieces of personal health information at their fingertips through mobile phones, tablets and other small computing devices. These devices make health information easily accessible for the provider and the patient. There are even features like patient portals that connect providers to their patients and support medical care. These features are convenient, until someone steals your device.
Susan McAndrew, the OCR’s deputy director of health information privacy, says, “Covered entities and business associates must understand that mobile device security is their obligation.”
Mobile devices containing health information must be given the same protection as the mainframe computers used to store data. In addition, covered entities must find ways to reduce the risk of exposing health information in the event that devices are stolen. One way to enhance security is to encrypt all information stored on computing devices. Encryption can help secure health information in case of human error or a malicious attack.
Digital health information can be accessed without authorization, stolen or erased in a cyber attack. Providers who do not invest enough in security can become vulnerable to cyber attacks. Moreover, providers who have experienced a health information breach through a cyber attack can be liable for a violation of HIPAA rules.
Cyber criminals may choose to target a provider using a direct brute-force attack, or take advantage of security gaps created by existing bugs, human error or negligence.
To avoid violations in the event of a cyber attack, providers must use adequate security to protect health information, perform regular checks and updates on their systems, and run repeated risk analyses to identify threats and vulnerabilities. Restricted access, contingency plans and internal audits are a few adequate security measures that can help you avoid or reduce violations of HIPAA rules in the event of a cyber attack, as well as reduce the chance of a security breach in the first place.
Many providers have security systems that are below standard
Healthcare providers have good reason to keep health information secure, aside from complying with HIPAA regulations. Health information is valuable to criminals, who can use it for financial fraud and identity theft.
The financial and retail sectors usually have better security than the healthcare sector. However, the recent attack on Target Corporation shows that any organization is vulnerable to data breaches. Action needs to be taken, because the Internet brings a new reality: perpetrators escape punishment, patients are exposed to risk when private information becomes public, and healthcare providers are required to pay for the resulting damages.
Get HIPAA and other medical compliance training online from US Bio-Clean