What can we learn from healthcare’s most significant breaches of 2013?
Reading HealthITSecurity.com’s article on the largest and most unusual data breaches of 2013, my head was shaking—not in disbelief, but with an affirmative bobblehead nod. Yes. The all too common trend in data breaches is the theft of unencrypted devices. Yep. There will always be people who steal, snoop and misuse patient information. Yeah. Every one of these companies is glad that 2013 is over because a solitary breach made it a long, painful year.
The list of healthcare organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. In 2013, the HHS Office for Civil Rights (OCR) reached five major resolution agreements with payments totaling more than $3.7 million. And a recent public announcement from OCR indicates the department is expanding its health information privacy enforcement team.
Here’s the honest truth and 5 critical actions to avoid such pain in 2014…
If case examples and the current enforcement environment can teach us anything about breaches, it’s this: Never think, “It won’t happen to me.”
As we head into 2014, the best advice we can offer covered entity healthcare providers (and business associates) is to take action on 5 critical requirements:
1. Regularly conduct and document comprehensive risk assessments for all Protected Health Information (PHI), especially electronic PHI (ePHI).
2. Take appropriate measures to address identified threats and vulnerabilities.
3. Ensure that all HIPAA policies and procedures are current, complete, and actually implemented, with training so staff members understand what’s expected.
4. Train and retrain your workforce on the new Omnibus rules, breach notification requirements and increased penalties for non-compliance.
5. Encrypt all portable media and mobile devices containing PHI, because it’s all too likely that they will be lost or stolen.
Attorney Kelly Hagan of Schwabe, Williamson & Wyatt advises:
“Mobile devices are an enforcement priority for the OCR and justify significant investment in secure technology by the covered entity. If such technology is beyond an organization’s means, then organizations shouldn’t permit mobile device access: it is inherently insecure and may end up costing your organization much more than supplying good technical safeguards.”
The modest cost of encryption to protect your data assets, or a decision to seek help from a trusted partner with proper training and precautions, is often your best investment and insurance. Whatever it takes, do the work HIPAA requires so 2014 begins and ends with only the happiest of memories.