We’re often asked “How likely is it that we will be audited by the government (OCR) for HIPAA compliance?” Our response is “It’s highly unlikely that you will be selected for a random audit by the OCR.” We immediately follow up with, “However, it’s highly likely you will have a breach of PHI or ePHI, which will then trigger an audit by the OCR, and 15,000 audits were started because someone reported a practice to the OCR, either a patient, an employee, or a business associate.” Therefore, take steps to protect your patients, protect your practice, and protect yourself.
AT&T has outlined the primary security threats businesses face both inside and outside of their companies:
- Corporate espionage: Spies looking to steal intellectual property
- Nation States: Groups looking to access information for their own benefit or cause
- Organized cybercrime: Digital criminals who use malware and hacking to extract information for financial gain
- Hacktivists: Groups of hackers that use cyber attacks to promote social change or impact public policy
- Malicious insiders: Employees or others with internal access who use company information for their own gain
See more at: http://about.att.com/story/cybersecurity_insights_report.html
For small businesses, corporate espionage and nation states are not as prevalent. However, do NOT think that because you’re a small dentist, optometrist, or any other type of practice in small-town America you are not a target of the last three. Organized cyber-criminals don’t care who you are: they use automated “bots” to scour the Internet for vulnerable networks and computers, then search those systems for valuable ePHI.
Hacktivists are much less likely to target you, but they use the same tools as cyber-criminals, so the same automation puts you in their crosshairs. Plus, some activists may just want to make a point that they can turn off 80% of the pacemakers within a 24-hour period, and are collecting data now to be able to do this in the near future.
Unfortunately, most of us have someone in our circle of friends and business associates (including employees) who may be in debt and need a little extra money. No harm intended, they just needed to make an extra $1,000 this month – by selling your ePHI. And sometimes it’s not even malicious: the employee simply forgot to lock up their laptop, and it walked off with 2,500 patient records.
So, take notice, think about cybersecurity in your healthcare shop, and begin implementing HIPAA compliance to secure your PHI/ePHI today.
Start with our free HIPAA quick-check to see where you are and what you need to do.