
The Cyber Security Focus: How it Impacts Healthcare and What Agencies Need to Do to Protect Themselves

Author: Sam Smith

This week’s news that a major California-based health insurer, Anthem Inc., is the latest victim of a corporate cyber attack gives anyone in healthcare pause. Hackers broke into the Anthem database, which contains the personal information of several million customers and employees. The company is working with the FBI to determine how the attack happened and by whom, as well as exactly how many records were stolen. Early estimates are that 80 million accounts were compromised, yet the company is stating that credit card information and medical records were not part of the stolen data.

According to the Cyber Security Intelligence Index, there were over 1.5 million monitored cyber attacks in the U.S. in 2013. The key word is ‘monitored.’ How many more attacks are unknown?  Here are some more sobering numbers: 40 million debit and credit card numbers were stolen by hackers from Target’s database, resulting in company profits dropping 46 percent the quarter after the breach. The company is now reportedly spending $100 million on upgrading their payment terminals with new technology that can curb future attacks by using embedded chip credit cards.

In the healthcare industry, cyber security goes far beyond commerce and compromised credit cards. Health care providers and any institution that manages health records must keep medical data confidential, as mandated by the Health Insurance Portability and Accountability Act (HIPAA). The severity of data breaches can vary greatly. A security breach can run the gamut from a simple, inadvertent error entered into a patient chart to millions of records being compromised by sophisticated hackers. Although profoundly different, both are considered breaches.

The most recent change to HIPAA, the final Omnibus rule, further enhances a patient’s privacy protection. While the rule offers more options for patients in sharing their own personal data, noncompliance penalties were increased for businesses, business associates and subcontractors of healthcare providers. According to the U.S. Department of Health and Human Services (HHS), the rule broadened the reach of HIPAA compliance and increased fines associated with HIPAA violations, with fines ranging from a minimum of $100 to a maximum of $1.5 million per violation.

With healthcare profit margins under pressure from economic and regulatory factors, a costly HIPAA violation is likely not one a healthcare provider wants to risk. What are some cyber security risk mitigation steps healthcare providers can take?

  • Go paperless. Minimize the chances of data accidentally getting into the wrong hands. If you do use paper, have a shredder and shred all documents after scanning.
  • Make sure the software you’re using is secure and HIPAA-compliant. The right software can help manage and nearly eliminate your agency’s cyber-security risk.
  • If you have a Local Area/Agency Network, have a professional IT consultant do a security audit to update your compliance with the HIPAA statute and determine your risk posture towards cyber security.
  • Never put patient health data on a thumb drive or movable backup drive.  Store data with secure HIPAA-compliant software.
  • Lock office doors, cars and any other area where you may be using a laptop or mobile device that includes data.

Being vigilant means always being aware and keeping watch so that security measures are in place and continuously enhanced, preventing the breaches of the future from happening, or at least keeping them from creating significant impact.
