What is the biggest obstacle to HIPAA Compliance?

Do Nothing! It’s the #1 enemy of HIPAA compliance and healthcare practices.

Anyone who has looked into HIPAA in the past few years can see that action is necessary to address new requirements and fend off potentially harsh fines. With minimal cost and effort, a practice can deploy cyber-breach detection software and perform a risk assessment that will drastically improve its compliance and greatly reduce its likelihood of losing valuable ePHI. It is striking, then, how many practices have done nothing.

Would you purchase a new car and drive it without insurance? Of course not. You buy insurance before you start driving it because statistics indicate you have a 1 in 16 chance of being in an accident this year, that’s a 6% chance. You might argue, well, then I just need to buy cyber-breach insurance. The problem with purchasing cyber-breach insurance and then not taking defensive cyber-security actions is that the insurance most likely will not pay for all of your damages, including lawsuits or the fines imposed. By the way, your odds of being breached this year are much higher than your odds of being in a car accident. Nearly 90% of healthcare providers experienced a web-based cyber-attack in the past 12 months, with 30% suffering a significant data breach.

What about HIPAA insurance? Well, as far as we’re aware, no one offers specific HIPAA insurance. The best HIPAA insurance is implementing cyber-security per the requirements outlined in the HIPAA CFRs. Therefore, TAKE ACTION and protect your practice, or DO NOTHING and hope for the best. But be prepared for a cyber-breach, which will trigger a HIPAA audit and likely result in heavy fines and lawsuits for damages to your patients’ identities. So, to close: Doing Nothing = Your #1 Enemy.

What is the Danger of Doing Nothing?

Do Nothing! It’s not safe, usually costly, and can ruin your business.

I can’t think of any situation in life where doing nothing is the safe thing to do. If you are sick, you may delay seeking treatment and hope the ailment passes. If the symptoms grow worse, you need to seek competent help or you could suffer permanent injury or death. Not taking steps to protect your home and property from natural and man-made “events” can result in significant negative financial and personal impact to you and your family. In the business world, doing nothing means you become less competitive and unresponsive to your customers’ needs. Unless you have a perfect monopoly on the indispensable widget, your company will wither and fade away.

In the healthcare industry, a large percentage of practices and companies choose that very option: doing nothing when it comes to cyber security and HIPAA compliance. The evidence is overwhelming that cyber criminals are targeting every aspect of the healthcare industry in an effort to steal your electronic Protected Health Information (ePHI). The odds are not in your favor. Recent reports indicate that last year 88% of healthcare companies experienced spear phishing attacks while 78% experienced malware attacks. Another industry report indicates that 35% of all cyber-attacks go undetected! Yet companies are not performing risk assessments, the intent of which is to improve cyber security. Maybe it is the stigma that HIPAA is just another government-mandated requirement.

HIPAA is now a prescription for cyber security. It’s not well written or easy to follow, but the end result is better protection of ePHI and your livelihood. Is it too big and complex, and you just don’t know where to start? Is it the “deer in the headlights” syndrome? It’s big and evil, and if I don’t move, maybe it won’t see me and will move on. But today’s cyber threats are more like a cancer. They are quiet, with very few symptoms, and without the proper safeguards your practice may be severely injured, possibly to the point that it is terminal and can’t be saved. Patients leave, audits follow, fines are levied, lawsuits are filed, and even criminal charges could be brought, resulting in jail time.

Doing nothing is dangerous.


[1] The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, published in 2015 by the Ponemon Institute LLC
[2] Threat Intelligence & Incident Response Study, Ponemon Institute LLC, February 2014