Before the beginning of 2017, Experian predicted that the healthcare sector would be the most targeted sector for cyber criminals to exploit. In May of this year, that prediction came to life when the malware known as WannaCry caused 37 of the health trusts in the UK’s National Health Service to shut down, eventually spreading across 150 countries. Unfortunately, this is just one of many cyber attacks that healthcare organizations have recently faced. Today, these organizations are seeking aid with HIPAA compliance and increased security, causing them to look to managed services providers (MSPs) for help.
Protecting the Healthcare Sector
Cybercriminals have concluded that healthcare organizations are their ideal target because of the massive amounts of personal health and financial information they store. This, in conjunction with the rise in cyber attacks towards the healthcare sector, is a major cause for concern for MSPs servicing the industry. As regulatory requirements for healthcare organizations become increasingly more stringent, it now falls upon the MSP to fully understand all regulations and requirements and ensure that clients have all of the proper safeguards in place.
HIPAA compliance can be difficult to comprehend, but with this in mind, I recently took a course that that included a HIPAA Awareness segment and a HIPAA security segment, both of which satisfied the requirements to become HIPAA certified. In my next two blog posts, I will go over the key takeaways from this course and discuss what MSPs need to know to better protect their healthcare clients.
It’s important to note that becoming HIPAA certified is a requirement for medical professionals who have access to protected health information (PHI). The term "medical professionals," is surprisingly not just pointing at doctors and nurses—it also encompasses all business associates working in healthcare, which can include doctor's office managers, health insurance staff, medical data storage employees, or anyone who has regular access to PHI.
HIPAA Security Requirements
Under the HIPAA security rule, meeting compliance requires certain technical safeguards to be implemented and maintained for the safety of electronic PCI. The technical safeguards consist of the following standards:
- Access Control
- Audit Controls
- Person or Entity Authorization
- Transmission Security
These standards can be met by implementing a set of features, functionalities, and software in the healthcare organization's security infrastructure. Some examples of technical safeguards include username and passwords required to gain access to internal systems, security log reporting, access controls, firewalls, anti-virus software, data encryption, and backup and disaster recovery (BDR). Properly implementing these requirements requires extensive IT and security expertise; and therefore, doctors often outsource these activities to an MSP.
Most doctors are well aware that they must comply with these rigorous HIPAA standards; however, it can often be the case that they don't fully understand why. The fact of the matter is, cybersecurity threats to healthcare organizations (both small and large) are becoming increasingly prominent as hackers become more sophisticated. Therefore, security rules must be followed to decrease the likelihood of a hacker being successful at infiltrating a doctor's office or any healthcare entity.
HIPAA Security in the Real World
As part of the course, many real-life case studies were presented that clearly demonstrate why such security regulations need to be in place. One that stuck out the most to me was regarding a medical records storage company and a hacker that was successful in infiltrating their security network.
A medical records storage company had all of their clients’ medical records stored on their computer systems. One day, a malicious virus infected one of their computers and quickly spread across their network. The data on the infected computers was confiscated by the virus, and because the company did not have a backup and disaster recovery solution in place, it was not recoverable and healthcare providers lost access to their patients’ records. These records dated back for many years—ever since the storage company started their business.
What Could the Company Have Done Differently to Avoid This Disaster?
First of all, a standard antivirus solution should have been installed and running on each computer and throughout their entire network. Additionally, a backup and disaster recovery solution should have been part of their IT infrastructure, and the company should have been conducting regular backups of all critical data. Lastly, they should have had documented policies and procedures outlining how to handle such a common security situation.
Not only did this company face severe consequences from the regulatory agents of HIPAA, they also managed to damage their reputation and lose the trust of their clients, which resulted in significant financial loss. The financial and regulatory consequences are not even the worst outcome that this successful hack yielded. The worst part is that doctors lost medical records for their patients and therefore were unable to provide high-quality care. The information in these records were being used by doctors to assess their patients’ health and form suitable treatment plans. Had the data storage company complied with the HIPAA Security Rule in the first place, this could all have been avoided.
When doctors and other medical professionals learn about these types of case studies, it becomes more and more clear to them why they need to follow all the sophisticated security requirements that HIPAA demands. With this newfound concern, they are relying heavily on MSPs to help them achieve their HIPAA compliance needs, which means that MSPs need to have the necessary security offerings in place to serve the needs of their medical clients.
Stay tuned for part two of this series, where I will be talking about the Health Information Technology for Economic and Clinical Health (HITECH) and its impact on both the regulations of HIPAA and the consequences of non-compliance.