Cybersecurity should be at the top of the list or priorities for anyone working in the healthcare industry. Unfortunately, cyberattacks in healthcare are a growing concern. A cyberattack occurs when a hacker gains access to your computer network or system in an attempt to destroy or corrupt data. The amount of sensitive information or personal health information (PHI), used in a healthcare setting is vast.
Protect Your Patients
As such, the Department of Health and Human Services (HHS) through the Health Insurance Portability and Accountability Act (HIPAA), mandates that the following security standards must be implemented to safeguard PHI:
- Physical Safeguards: these are the safeguards that a business puts in place to protect the physical security of their offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is maintained or stored.
- Technical Safeguards: these are the safeguards that must be put in place to protect ePHI from the threat of cyberattacks. Examples of technical safeguards include firewalls, data encryption, and data backup.
- Administrative Safeguards: these are safeguards that must be implemented to ensure that staff members are properly trained to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.
HIPAA law also requires covered entities to have business associate agreements in place before the transmission of any PHI. Business associate agreements are intended to confirm that all parties handling PHI are doing so properly. In addition, business associate agreements legally protect covered entities from breaches by their business associates. According to the HHS a business associate is, “[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
Business Associate Agreements Protect Covered Entities
The American Medical Collection Agency (AMCA), experienced a cyberattack that compromised its payment system on August 1, 2018. Their system continued to be vulnerable until March 30, 2019. The AMCA is a third-party collection agency for organizations in the healthcare field, including, hospitals, laboratories, physician groups, and medical providers. This massive breach is thought to have affected more than 20 million patients, including 11.9 million from Quest Diagnostics and 7.7 million from LabCorp. Quest Diagnostics and LabCorp are considered covered entities under HIPAA law, therefore, to be compliant with HIPAA law, they must have business associate agreements with AMCA.
Since the proper business associate agreements were in place, AMCA is responsible for notifying affected individuals, “AMCA informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed.” AMCA must also provide free credit monitoring and identity protection for two years to the victims.