HIPAA Breach at Care First Blue Cross Blue Shield
When I see these stories of millions of PHI records being hacked I can't help but feel that I am only seeing the tip of the iceberg. This "intrusion" was almost a year old and was only discovered through the expensive efforts of a cyberforensics unit. It goes without saying that the vast majority of covered entities and business associates are not engaging cyberforensic units to examine their systems.
Why would hackers be interested in smaller targets such as clinics, practices, and small business associates such as billing and transcription companies? Well, first of all they are much easier targets. They have been focused on putting in EMRs, setting up SaaS business models, building cloud based software, and giving lip service to being HIPAA compliant. This complacency has been exacerbated by lax enforcement by HHS. The HITECH act passed congress in 2009 and was to go into effect in February or 2010. Instead HHS announced that they were "delaying enforcement" until they could write the rules. This eventually became the Omnibus Rule which did not become effective until September of 2013. 90% of the business associates who would be required to be HIPAA compliant did nothing. HHS announced they would start auditing business associates in 2014, then 2015 and we are still waiting for that to happen.
So we have literally millions of soft targets in healthcare who have data worth millions to hackers. Is it any wonder that hacking became the number one cause of HIPAA breaches in 2014?
If you are a small covered entity or business associate that would liike to know how to protect your data and your business for a couple of hundred dollars a month give me a call at 866-984-3573, ext 709, or email me at Jack@compliancehelper.com