Because of the increasing number of third parties who must touch – or, because of poor security, can touch – patient data, healthcare security has become a vexing challenge.
Advocate’s record $5.55 million Health Insurance Portability and Accountability Act (HIPAA) settlement in 2016 related in part to its failure to “obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession.”
In the first eight months of 2016 alone, 30 percent of reported hospital breaches came in through third parties, according to research done by Protenus. Many of these breaches occur because the offices of small private practices present special security risks.
Consider this scenario:
While working with a new patient, a physician downloads data from the patient’s wireless medical device.
To be HIPAA compliant, your organization should already have established rules for clinics to tie into your networks.
Physicians’ offices should conduct regular IT risk assessments. And securing your hospital’s network will ensure that data flowing in and out – from associates and anywhere else – will be tracked.
The question is whether relying on associate contracts and minding your own store is sufficient.
“I’ve seen cases where a doctor’s high school-aged son was managing the IT infrastructure from his PC,” says Axel Wirth, healthcare solutions architect with cybersecurity giant Symantec. “Especially among one- or two-physician practices, security seems like a luxury. This is why we are seeing smaller organizations move towards hosted or managed services to minimize their on-premises infrastructure – and exposure.”
Financial pressures on small clinics exacerbate the problem. Clinics may do the bare minimum to meet HIPAA privacy requirements, but miss gaping security holes.
“Many [doctors’ practices] purchased a HIPAA security manual online or from a salesman, but a lot of times the book sits on the shelf gathering dust,” says Christopher Allman, director of risk management, compliance and insurance at Garden City Hospital in Garden City, Mich., who frequently assists newly allied practices in conducting assessments.
In such offices, HIPAA-mandated training often is lacking or non-existent. Simple risks – such as thumb drives left lying around – are commonplace.
“When you explain to physicians what you’ve found [after a risk assessment], they kind of get the deer-in-the-headlights look,” Allman says. “But when you break down what it may cost them if they do have a breach, they generally get on board pretty quickly.”
Looking beyond the boundaries of your enterprise is the only way to truly mitigate risk.
Work with private practices to develop an action plan based on risk factors uncovered, and ensure that all groups make progress over time. The manpower for offering this guidance may not be accounted for in your staffing, and you need to be cognizant of Stark Law rules against providing financial assistance to physician practices.