Small and mid-sized medical/dental practices are a prime target for hackers and potentially at greater risk of HIPAA violations and fines. Encrypting your data is an absolute must.
When it comes to what organizations hackers target, size does matter--but not necessarily in the way you'd think.
The data breaches we see in the news often involve large, well-known companies like Yahoo!, Equifax Target or Chase thanks to the sheer number of records involved in each incident.
But the reality is that cyber criminals increasingly find small- and medium-sized businesses (SMBs) to be their most attractive prey. According to a 2018 report from Verizon, 58% of last year's data breaches struck smaller businesses. In 2017, 61% of the SMBs who participated in the Ponemon Institute's annual cybersecurity overview experienced a cyber attack.
Thinking that your practice is too small for cyber criminals to go after is a mistake. Since smaller organizations have fewer financial and human resources to put toward security upgrades, policies and implementation, they present irresistible vulnerability profiles. Hungry lions on the savannah don't go after the biggest buffalo with the sharpest horns.
More valuable assets
Healthcare saw twice as many attacks as any other industry sector the first three quarters of 2017. A large part of what makes healthcare organizations so attractive to cyber criminals is the high value of the information they hold.
That's not just in the eye of the beholder; complete medical records can be sold on the Dark Web (part of the internet invisible to search engines and only accessible with an anonymizing browser) for upwards of $20 per record.
The more information contained in the record, the more valuable it is to fraudsters-identifiers like Social Security numbers, dates of birth, payment account numbers, home addresses, employment histories, drug prescriptions, phone numbers and other background information. That's a treasure trove of tools for criminal self-enrichment: fraudulent credit card transactions, health insurance fraud, Medicare fraud, tax fraud, opening new lines of credit, even re-routing prescription drugs to different addresses.
Sinking your bottom line
The more likely your practice is to be attacked, the greater chance your clients' protected health information (PHI) will be breached. If that happens, the consequences for your organization can be devastatingly dire.
A Transunion survey found that 7 out of 10 consumers would consider switching healthcare providers if their current company experienced a data breach. Even if only half of those who considered a move followed through, that could still carve out a significant chunk of your client base. The hit to your practice's reputation would make replacing those lost patients an even greater challenge.
Regulatory fines for failure to meet HIPAA regulatory standards for electronic privacy might well put another large dent in your ability to move forward financially. Health and Human Services Office of Civil Rights has discretion when determining the amount of the penalty for HIPAA violations depending on the nature and extent of the violation and of the resultant harm. Fines can range from $100 to $50,000 per violation or per record. How many exposed patient records can your practice absorb?
HIPAA (short for Health Insurance Portability and Accountability Act of 1996) was enacted to safeguard patients' PHI and to control when and to whom that information could be divulged. It's not just an indulgence of bureaucratic whimsy but rather a fundamental piece of patients' right to privacy.
While technology has made great advances in ease of storage and retrieval of patient information to aid in the efficiency of care, its constantly changing nature complicates healthcare provider efforts to maintain compliance with HIPAA rules. There is, however, a fundamental first step a healthcare provider can take toward protecting their patients and their practices.
Encryption: the difference between inconvenience and disaster
Encrypt your data, plain and simple. Encryption is labeled as an "addressable" requirement. That doesn't mean "optional." Whether at rest-within your secure internal network-or "in transit" to another healthcare entity or patients themselves, if you haven't encrypted the data to keep it inaccessible to anyone who shouldn't have legal access, you've failed to meet regulatory requirements.
If a laptop containing patient records (not a recommended situation to begin with) is stolen or your network hacked into, the difference between being crushed under a load of staggering fines and keeping your patients' information intact comes down to encryption.
Encryption software and algorithms render your patients' PHI data into unreadable text that requires a key to be made readable again. The data is useless to a thief in the event of a breach.
We'll address specifics on HIPAA encryption in an upcoming article, including the importance of email encryption. In the meantime, get a jump on securing your patients' PHI and protecting your practice: contact a reputable managed service provider with electronic HIPAA compliance experience like ELBO Computing Resources.