Healthcare is continually one of the most targeted sectors for cybercriminals.
The average cost of a breach in the healthcare industry, according to IBM, is nearly $11 million, or a 53% increase since 2020.
"With medical records as leverage, threat actors amplify pressure on breached organizations to pay a ransom," IBM states. "In fact, across all industries studied, customer personally identifiable information was the most commonly breached record type and the costliest."
That’s why following HIPAA requirements is so important.
Organizations that violate HIPAA face civil and even potentially criminal penalties.
For that reason, it’s essential to do an assessment at least once a year, or whenever a significant change in policies and procedures is implemented.
Any healthcare provider, insurer, or business associate is included in this requirement because all of these covered entities handle protected health information (PHI).
PHI covers:
If any of this information is stolen, it can be sold on the dark web or held hostage through ransomware until payment is received.
The biggest weakness in any business of any size, according to Coalfire, is people.
People make mistakes, whether they fall for social engineering hacks or make some other error.
Healthcare organizations must train staff annually on effective cybersecurity controls, such as keeping workstations and networks up to date with antivirus protection, software updates, and secure passwords.
Staff must also understand how to be on alert for phishing schemes.
These vulnerabilities must be addressed throughout the year.
The HHS provides a great overview of what’s needed for a risk management plan.
This plan will help you identify where to implement security rules, as well as how to evaluate and maintain them.
As projects are completed and vulnerabilities are mitigated, document them and update the plan.
The risk management plan that you create should have a number of controls in it. These include:
Any “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity” is what HIPAA considers a business associate.
A business associate may be “a CPA firm whose accounting services to a health care provider involves access to protected health information,” or “an attorney whose legal services to a health plan involve access to protected health information.”
These associates must have a business associate agreement (BAA) in place, which “must define definitions, obligations/activities of the business associate, and the permitted uses and disclosures by the associate.”
BAAs are required in all but a few excepted cases.
Complying with HIPAA is critical, but it can be daunting. Consider working with a healthcare IT support partner to ensure your business is meeting these annual requirements.