NIST | North Carolina Medical Group Management Association Blog

NCMGM News

NCMGMA News is an official news resource of the North Carolina Medical Group Management Association (NCMGMA).

Articles published in NCMGMA News contains the expressed opinions and experiences of the authors and do not necessarily represent the position of NCMGMA.

NCMGMA News may contain links to websites that are created and maintained by other organizations. NCMGMA does not necessarily endorse the views expressed on these websites, nor does it guarantee the accuracy or completeness of any information presented there.

Cyber Security and HIPAA

Posted on August 29, 2017 by ncmgm

2017 Alliance Sponsor feature article by MedMal Direct

Cyber Threats have become a serious issue in healthcare IT over the past few years. Every day there are attempts to break into secure computer environments in order to either ransom the owner’s information to themselves or just to steal that information and sell it to someone else. Medical records go for about $60 per record (that’s what the hacker is paid by the buyer) whereas simple credit card records go for about $10 per record. The reason that medical records are so valuable is simple – the information doesn’t change. A person cannot turn off their medical record or change their birth date, however we can cancel a credit card and render it useless.

HHS and OCR have provided guidance on the topic of breaches and response to breaches and requires covered entities to have a breach notification and response policy and procedure in place. This policy must include the following:

Definitions
Notifications in the event of a breach
Discovery
Content of Notifications
Methods of Notification
Arrangements with Business Associates in the event of a breach by BA
Law Enforcement Delays
Administrative Requirements

In the event of a suspected breach it is imperative that the organization conduct an assessment to identify the exact nature of the breach. Some organizations are capable of conducting the initial assessment themselves and others may need an outside consultant to assist. OCR rule 45 CFR 164 includes specific guidance on what is required in order to investigate, mitigate, and remediate a breach.

Organizations must develop clear privacy and security guidelines in order to avoid the risk of a true breach. These policies must include how an organization secures its data. Guidelines are provided in the rule for the specific methods that are acceptable for encryption of data and OCR relies on NIST as the expert to provide the standards for which an organization must meet.

A Covered Entity can purchase insurance to protect itself in the event of a breach. This ‘risk transfer’ shifts the financial burden of a breach from the CE to the insurance carrier who also is then responsible, under most policies, for the investigation, notification, remediation, and fines or penalties (see your policy for exact details on coverages).

Guidance on policy and procedure is available to insureds through MedMal Direct’s Risk Management Department and increased limits for cyber liability coverage can be purchased at the request of the insured.

Filed under: News | Tagged: CE, Cyber Security, HIPAA, IT, MedMal Direct, NIST, OCR | Leave a comment »