HIPAA cybersecurity concerns have been on the rise for healthcare organizations over the past couple of years. In response, the U.S. Department of Health and Human Services (HHS) has now issued voluntary cybersecurity best practices and guidelines to manage cyberthreats and help better protect patients.
All healthcare organizations require technology in order to function on a daily basis. But when you use technology that encounters, collects, transmits, or in any way handles electronic protected health information (ePHI), you are exposed to all kinds of HIPAA cybersecurity risks. If those risks are not properly managed, providers can suffer costly data breaches, disrupting healthcare operations and potentially harming their patients.
HHS reported that $6.2 billion was lost in 2016 by the U.S. healthcare system due to data breaches. In addition, four out of five physicians in the United States experienced some form of cyberattack. HHS also determined that the average cost of a data breach for a healthcare organization reached an astounding $2.2 million.
Janet Vogel, Acting Chief Information Security Officer for HHS, stated, “Cybersecurity is everyone’s responsibility of every organization working in healthcare and public health. In all our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle these shared problems collaboratively.”
Addressing HIPAA Cybersecurity
As Vogel said, “Cybersecurity is everyone’s responsibility.” Healthcare organizations need to take action and ensure that they have security and privacy measures in place to keep their data safe. HIPAA regulation sets strict standards that must be met in order to keep protected health information (PHI) secure. PHI is any demographic information that can be used to identify a patient, such as names, dates of birth, Social Security numbers, financial information, and medical records, to name a few.
Healthcare cybersecurity incidents that have affected PHI can result in a HIPAA breach. Any HIPAA breach that has affected more than 500 individuals is considered a ‘Meaningful Breach’ and must be reported to HHS for further investigation according to the HIPAA Breach Notification Rule. Most of the time, these investigations will result in a HIPAA audit and related HIPAA fines if the auditor concludes that the breach was the result of “willful neglect.”
“Willful neglect” is determined by OCR audits depending on how effective your HIPAA compliance program is, as required by federal regulation. All healthcare providers managing PHI must implement an effective compliance program that addresses the full extent of HIPAA regulation. HIPAA fines can range from $100 to $50,000 depending on how compliant you are, or in this case, aren’t. Basically, if your organization knows about a risk to your data but does nothing to address that risk, then you may be found in “willful neglect” and be subject to HIPAA fines.
The guidance and best practices created to help healthcare organizations cost-effectively reduce cybersecurity risks are called the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. Two technical volumes have been published that outline cybersecurity best practices depending on the size of the organization: one for small healthcare providers such as clinics, and the other for medium to large healthcare organizations.
HHS issued this HIPAA cybersecurity guidance and best practices in hopes of helping healthcare organizations reduce their cybersecurity risks in a cost-effective manner, to support the voluntary adoption and implementation of Cybersecurity Act recommendations, and to provide actionable and relevant advice for healthcare organizations of all sizes.
The guidance identifies the following ten practices to alleviate the most impactful cybersecurity threats:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
In the coming months, HHS will be working closely with industry stakeholders to raise awareness of cybersecurity threats and implement best practices across the healthcare sector.
Addressing Your HIPAA Compliance and Cybersecurity with Compliancy Group
Compliancy Group gives healthcare providers and vendors working with healthcare professionals the tools they need to confidently address their HIPAA compliance, all from our HIPAA compliance web-app, The Guard™.
We give healthcare professionals everything they need to address the full extent of their HIPAA regulatory requirements. For users who need help with additional HIPAA cybersecurity requirements, Compliancy Group works with a robust selection of IT and MSP security partners from across the country who can be contracted to handle your HIPAA cybersecurity protection.
Find out more about how Compliancy Group helps healthcare professionals like you simplify their compliance and cybersecurity today!