Cyber Security and HIPAA

2017 Alliance Sponsor feature article by MedMal Direct

Cyber threats have become a serious issue in healthcare IT over the past few years. Every day there are attempts to break into secured computer environments, either to encrypt the owner's information and ransom it back to them or simply to steal that information and sell it to someone else. Medical records go for about $60 per record (that is what the buyer pays the hacker), whereas simple credit card records go for about $10 per record. The reason medical records are so valuable is simple: the information does not change. A person cannot turn off their medical history or change their birth date, but a compromised credit card can be cancelled and rendered useless.

HHS and OCR have provided guidance on breaches and breach response, and the HIPAA Breach Notification Rule requires covered entities to have a breach notification and response policy and procedure in place. This policy must address the following:

  1. Definitions
  2. Notifications in the event of a breach
  3. Discovery
  4. Content of Notifications
  5. Methods of Notification
  6. Arrangements with Business Associates in the event of a breach by BA
  7. Law Enforcement Delays
  8. Administrative Requirements

In the event of a suspected breach it is imperative that the organization conduct an assessment to identify the exact nature of the incident. The assessment must consider the nature and extent of the PHI involved, who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated; unless that assessment shows a low probability that the PHI was compromised, the incident is presumed to be a breach. Some organizations are capable of conducting the initial assessment themselves, and others may need an outside consultant to assist. 45 CFR Part 164, the HHS regulation enforced by OCR, includes specific guidance on what is required in order to investigate, mitigate, and remediate a breach.

Organizations must develop clear privacy and security policies in order to reduce the risk of a true breach. These policies must spell out how the organization secures its data. HHS guidance on what makes PHI "unsecured" specifies the acceptable methods for encrypting data at rest and in transit, and OCR relies on NIST as the expert to provide the standards an organization must meet. This matters in practice: PHI that was encrypted in accordance with that guidance is not considered unsecured, so the loss of a properly encrypted device or file does not by itself trigger the notification requirements, provided the encryption key was not also compromised.

A Covered Entity can purchase insurance to protect itself in the event of a breach. This "risk transfer" shifts the financial burden of a breach from the CE to the insurance carrier, which under most policies also takes on the cost of the investigation, notification, remediation, and any fines or penalties (see your policy for exact details on coverages). Insurance does not remove the CE's own obligations under the rule; the notification deadlines, the risk assessment, and the documentation requirements still apply.

Guidance on policy and procedure is available to insureds through MedMal Direct's Risk Management Department, and increased limits for cyber liability coverage can be purchased at the request of the insured.