When Congress passed the Health Insurance Portability and Accountability Act, or HIPAA, more than 20 years ago, the internet was still relatively new to most people. In fact, in 1996, there were only 10 million active users worldwide. People who used email topped out at 35 million. The HIPAA guidelines were relatively easy to follow.
Those numbers pale in comparison to today’s users. Many people have multiple email accounts, and with smartphones and tablets, the internet is right at the touch of a finger. When HIPAA guidelines were issued in 1996, there weren’t concerns about cyber attacks, ransomware, and online theft of secure patient information.
As we’ve seen over and over this past year, hackers have focused their attention on attacking businesses, hospitals, and medical facilities. Patient files have been subjected to ransomware or theft. Each breach has to be reported, and the U.S. Department of Health and Human Services Office of Civil Rights (OCR) determines the extent of the violation, and the subsequent fine.
Due to the increase of cyber attacks, the OCR has started cracking down harder on medical facilities. The push for stricter HIPAA guidelines enforcement means hospitals, doctor’s offices, and any other medical facility that keeps patient information need to increase their cyber security and conduct more training for their staffs, or risk paying hefty fines.
Earlier this year, a surgery center in Florida was hit with ransomware, which potentially breached the records of 34,000 patients. Because they waited to report the issue to OCR, they could be looking at a fine of close to $500,000.
In Georgia, hackers have breached more than a million patients’ records since 2016. Medical facilities throughout the state were impacted. Each could face fines for failure to follow the HIPAA guidelines.
There are many, many more stories just like these of medical facilities across the country having their files breached by hackers. Most of these stories end with the facility paying severe fines for HIPAA violations.
Today, it’s no longer good enough to follow the bare minimum HIPAA requirements to secure your practice. In order to avoid fines for violating HIPAA guidelines, your practice needs to be proactive. That means the focus of your practice’s cyber security should include:
This is a good start to make sure your information is secure, but there are many other things to do.
While hackers are sometimes able to access your information by themselves, more times than not, it comes down to someone on your staff clicking on the wrong link or downloading the wrong file. With one stroke of the mouse button, your system becomes a playground for would-be attackers.
Your practice can have all the protective software in the world, but it can be undone by the human element. Unfortunately, hackers have gotten more sophisticated when sending infected emails – making it seem as though the email is coming from someone the user knows. There are ways to detect these spoof emails, which is why constant staff education is vital.
Using social media or leaving passwords on Post-It notes are obvious no-no’s. These things are important to know, and should be covered, but that’s not the main reason for frequent training sessions. In fact, there are two reasons why these sessions should be scheduled on your calendar.
The first is staff turnover. How often do people come and go at your practice? This includes staff, nurses, and doctors. While these people are very good at their jobs, they probably aren’t experts when it comes to cyber security. Consistent training sessions teach staff members (the new ones and the ones who’ve been there for a while) what to do, what not to do, how to respond if they think something is wrong, and what are some of the latest security threats for which they should be on the lookout.
Fully understanding all of the HIPAA guidelines can be difficult. Making sure hackers don’t cause your practice to be in violation of those guidelines – which results in large fines – is even more difficult.
It might seem like a hopeless endeavor, considering the tips mentioned above only scratch the surface of what your practice needs to do. The important takeaway here is that your practice doesn’t have to do this alone. In fact, if you want to be completely sure your practice is safe, it’s best to work with managed services providers who are also experts when it comes to HIPAA guidelines.
Swift Systems has helped medical facilities throughout Maryland, just like yours, protect themselves from hackers, viruses, ransomware, and everything else that threatens your practice. Swift Systems understands your needs and works with you on any compliance concerns.
Not only does Swift Systems offer educational sessions for your staff, they can also help your practice with cloud storage needs that are HIPAA approved.
IT systems are foundational to modern businesses. Too often, that foundation is unsteady. Unpredictable outages, insecure networks, and unreliable performance from mission-critical systems can jeopardize your entire business.
There’s a better way. Learn how.
Get in touch with us for a free consultation with one of our technical experts. We'll review your current systems, assess your needs, and identify the coverage options to best meet them.