The majority of physicians in the United States have experienced some form of cybercrime in the past few years. A study by the American Medical Association (AMA) revealed that over 80% of doctors have experienced an attack in recent years.

The troubling part to me is that most of these attacks could have been easily prevented if IT Support had simply implemented comprehensive and sustainable support aimed at HIPAA compliance (for more details on this, see my recent book on making HIPAA compliance and healthcare cybersecurity attainable).

Of the doctors who reported cyber incidents, many fall into all-too-common categories:

Malware Infections—48%
Improper electronic Personal Health Information access—37%
Network Breaches—12%
Ransomware Attacks—9%

Why should you be concerned?

If you’re like most healthcare professionals we talk to, you’re concerned about future cyberattacks, because they can and will directly interrupt your business operations. You’re especially worried about patient safety and the security of patient records. You’re concerned about any civil or criminal liability arising from data breaches, you don’t want your reputation damaged by a breach, and you don’t want to worry about the hundreds of thousands to millions of dollars that remediating a cyberattack might cost.

And if you’re the patient, you’re especially concerned that your identity is safe. Criminals are selling medical information and patients’ medical identities on the dark web, which in many cases has resulted in increased health premiums, denial of service or bankruptcy for patients who have fallen victim to serious medical fraud.

If attacked, your business may be shut down for days!

Another big concern is giving patients the immediate care they need. In the event of a cybersecurity incident, most healthcare businesses are shut down for anywhere from half a day to over a week! That doesn’t just mean your patients aren’t getting emergency care from you and your team; it means they have to seek other providers for that care!

Patients may move to other providers!

How many patients are going to have sustained trust in your practice if you lost even a handful of medical records? Your office is a safe place where people can let their guard down so they can get care that actually helps and heals. If they lose confidence in your ability to provide a safe environment (which includes protecting your PHI), how many will jump ship for another provider down the street or in the next town?

How can you ensure your records are safe?

Most healthcare offices that I audit have no idea where to start when it comes to securely managing their IT infrastructure and sensitive data.

Most, if not all, medical practices fail to implement practical and effective security policies that meet compliance standards; few educate their entire staff on security practices, and even fewer understand how business associates and colleagues handle their patient data.

Effective Security Policies— IT security administrators often create policies without user buy-in. These policies then force users into insecure workarounds just to get their work done. IT security experts recommend user participation when creating and maintaining security policies—this ensures practical security measures that are actually effective at keeping staff and patient data secure.

Educate Users on Security Practices— The majority of healthcare practices and offices assume that users know how to be safe online. The problem with an assumption like this is that there is always someone who is misinformed. Users turn out to be the biggest reason healthcare gets hacked! The easiest way to keep users safe is proper hands-on training.

How Business Associates Handle Your Patient Data— The majority of healthcare offices I’ve met with and performed HIPAA risk assessments for have admitted that they simply assume their business associates, third-party vendors and healthcare colleagues are doing their due diligence to keep patient data secure. The reality is that more than half of vendors fail to comply with even basic HIPAA standards. Making sure you have signed Business Associate Agreements AND performing annual audits of your vendors’ healthcare security management (at minimum) will help ensure your patient data is safe.

Even more worrisome, most IT Support teams fail to understand healthcare security requirements. Few have experts with HIPAA experience. Few implement policies and processes that keep your users compliant without creating major roadblocks or hurdles impeding patient care.

And most IT Support teams fail to make it easy for medical staff to share sensitive information (PHI) with colleagues, impacting the speed at which a patient can get the attention he or she needs.

Here is a list of places that medical information often goes. Are you sure that all of your PHI is secure?

Outpatient or Other Practices?
Clinical Data Registries?
Hospitals/Inpatient?
Health Departments?
Medical Billing?
Phone Systems?
Electronic Charts?

Wherever you store protected information—internally or externally, audio, print or image data—you are responsible for all of it! Your patients trust you to keep them safe. Are you doing your best to do so?

While many third-party vendors, including outsourced IT Support providers, assure healthcare offices that their data is secure, safe and in compliance with HIPAA standards, the majority don’t understand how to secure data and comply with HIPAA regulations.

On top of this, many IT companies fail to understand what is and isn’t considered PHI or sensitive information, and many managed services companies have little or no experience specifically with healthcare information.

For many healthcare professionals, there does not seem to be one silver bullet that cuts through HIPAA compliance and cybersecurity. With an ever-changing landscape, growing regulatory pressure on compliance, and expensive piecemeal solutions too pigeonholed to comprehensively keep patient data safe, I’ve seen a demand for better IT support that goes beyond the basics of keeping healthcare up and running.

My solution is this: Fixed Health IT: comprehensive security that focuses on keeping healthcare users productive (treating patients) while complying with strict healthcare security standards in the process. Where most IT Support teams miss the mark on security is in combining knowledge, experience and process into one comprehensive solution.

We’ve developed Fixed Health IT based on how healthcare users work (their jobs demand so much of their time and focus, they cannot sit idle while a tech fixes their device or computer). They need routine and systems to keep their minds focused on patient care (we’ve implemented processes that make cybersecurity attainable and HIPAA compliance easy).

You need to start focusing on your core mission rather than agonizing over your cybersecurity.

Are you worried that your security is not getting the attention it needs? Are you kept up at night because you don’t know if your patient data is secure or if your office will be the next cyber victim? Contact me TODAY to get a free copy of my book: Plagued: The CEO’s Ultimate Guide To HIPAA Compliance and Cybersecurity.