We’ve heard many arguments from healthcare covered entities for not addressing HIPAA compliance. Honestly, it’s appalling to think that a person who provides care for a living does not care about protecting patients’ personal information and sparing them the emotional and financial suffering, and potential ruin, that follows its exposure. The first thing a covered entity has to understand is that the issue is not the HIPAA audit; it’s being breached, losing ePHI, and then being forced into an OCR investigation. We thought we’d share the rebuttals we’ve heard, including the ones about cyber-breaches, and the industry’s response based on experience and facts. On behalf of your patients, employees and livelihood, please reconsider your position on HIPAA and cyber-security.

“We’ve never been breached.”

Actually, statistically you probably have been breached; you just have no way of knowing it, because without logging and monitoring there is nothing to show it.  Can you state with absolute certainty that none of your employees has walked out with ePHI (or PHI) on a thumb drive or in a bag?  What about an employee plugging a personal thumb drive into a work computer to load music, which could easily have installed malware that then leaked data out?  And remember, cyber criminals use bots to find “open” networks and then focus on locating the valuable data (ePHI).  So even if you have been VERY lucky and truly not been breached, you still need to beef up your security to keep it that way.  Industry statistics cited for the U.S. put the share of companies that have already been breached at 97%.

“Well, if we’ve already been breached, what’s the use to secure things now?”

Can I just respond with “Are you crazy?”  If someone robs you on the street and takes all of your money and credit cards, do you go back out and let it happen again?  Even if someone has already stolen 100% of your ePHI, that stolen copy may never be misused, but every additional breach adds to the chance that your patients suffer pain and financial harm, and you generate new ePHI every day.  Therefore, you should work to prevent it from happening in the future.

“We’re small, no one cares about us.”

FALSE.  If you’re in healthcare as a covered entity or business associate, you are a TARGET, regardless of your size, brand or popularity.  Cyber criminals use bots to crawl the Internet searching for vulnerable healthcare networks and computers.  Once they find one, they focus on finding the ePHI, and once they find that, they start retrieving it.  And remember, many breaches occur because of a corrupt or careless business associate or an unhappy, corrupt or careless employee.  You read about the known brands being breached, but most breaches happen at small and medium-sized “unknown” businesses.  If you’re connected to the Internet, you are NOT invisible to cyber criminals.

“This is highly unlikely, I’ll take my chances and save the cost.”

This is like arguing that you don’t need auto insurance because you’re a good driver and won’t have a wreck.  In traffic you are not in control of all the other moving parts (the other cars); on the Internet the odds are far worse.  Taking defensive cyber-security actions to prevent a breach is cheap insurance against a disastrous wreck (a breach) that ruins your business.

We often hear this about addressing HIPAA compliance too, but it’s not about taking your chances of being audited by the OCR; it’s about taking your chances of being breached and then being forced to produce your entire HIPAA compliance body of evidence to the OCR within 10 days.

“We have cyber-breach insurance.”

Two major issues to consider:

1. Cyber-breach insurance usually does not pay for all of the costs related to a breach.

2. Cyber-breach insurance may not pay out at all if you did NOT have standard or reasonable cyber-security in place.  Read the fine print.  If you think you are going to transfer the liability to the insurance company, you will most likely need all of your ducks in a row: proof of HIPAA compliance and proof of reasonable cyber-security practices.

Hopefully, this helps doctors, owners, boards, executives, office managers and compliance personnel rethink their arguments for not beefing up their cyber-security and not addressing their HIPAA compliance.

Whether or not you have already taken steps toward HIPAA compliance, we suggest you take the HIPAA Quick Check to see if you’ve taken care of business.