Crooks are after your PHI

As we have been writing lately, crooks have recognized the value of EPHI and are targeting the healthcare industry. A medical record with health plan information is worth more than a record with only credit card information. We also know from long experience that the healthcare industry lags far behind banking and other industries in protecting data. This holds irrespective of the size of the organization: we have seen breaches at dentists, dermatologists, and small business associates as well as massive breaches such as the 80 million records breached at Anthem. It is estimated that this costs the healthcare industry $6 billion a year, but to bring this down to the level of a single business, the average cost of a breach is now more than $2 million for a covered entity and $1 million for a business associate. Can your company withstand this kind of cost?

How do you know whether you are protected or not? The litmus test is a HIPAA risk assessment based on the NIST protocol. This is the gold standard for all risk assessments and the only one mentioned by HHS as the "industry standard". This is not a checklist or a consultant with their own standards for risk assessment, but a rigorous protocol, often employing an SCAP scanner to assess the computer network.

The HIPAA risk assessment report and the Gap Analysis lead to the next important step: developing a plan to remediate the risks discovered. Failure to take step two automatically qualifies you for "willful neglect" and the highest fines from HHS and OCR. Written policies and procedures need to be in place, and staff must be trained on implementing these policies and procedures.

All of this is rolled (pun intended) into the Cycle of Compliance. If you are an MU participant, Core Measure 15, which is required, states that you must do a HIPAA Risk Assessment, make a plan for remediation of the risks, and have an ongoing risk management program in place. Now would be a good time to start.
