As data breaches become increasingly common, one sector is hit more often than any other: healthcare. According to Healthcare Finance News, “58 lawsuits were filed in 2021, with 43 of them filed against healthcare organizations, the largest percentage among all industries.” How can healthcare provider organizations protect themselves from cyberthreats and their legal ramifications?
Healthcare cybersecurity is critical for protecting sensitive patient data and managing the legal risks associated with data breaches. Good cybersecurity starts with the fundamentals: basic protections and best practices to reinforce them.
Strengthening security is the first step in protecting against cyberattacks. Healthcare organizations can take various measures to strengthen their security, such as:
- Encrypting PHI at rest and in transit at every point in the chain of custody, with keys stored separately from the data. Under HHS guidance, PHI encrypted in line with NIST standards is not "unsecured," so loss of the ciphertext alone (without the key) does not trigger breach notification.
- Implementing strict data retention/destruction policies
- Minimizing the PHI stored on servers and endpoints (data minimization), so that a compromised system exposes as little as possible
- Establishing a comprehensive risk management program
- Vetting the security practices of third-party vendors and business associates before they receive PHI, and putting the obligations in a business associate agreement
The best cybersecurity features are only as good as the users relying on them. It’s essential to supplement your technology investments with standards and practices such as:
- Least-privilege access control and audit logging for anyone who handles PHI, with the logs actually reviewed
- Automatic session time-outs on idle workstations and multi-factor authentication (MFA) for logins
- Password strength criteria that check candidates against lists of breached and common passwords; per NIST SP 800-63B, require resets on evidence of compromise rather than on a fixed schedule, since periodic forced changes push users toward weak, predictable variants
- Routine phishing training and cybersecurity seminars
Together, sound technical controls and the practices that reinforce them thwart most of the rudimentary attempts by bad actors to obtain protected health information (PHI).
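The password practice above, as a runnable check. This is an added example, not code from the article or from TruBridge; it follows the NIST SP 800-63B approach (minimum length, a breached/common-password blocklist, no composition rules, no scheduled expiry). The blocklist is a constructed sample and the function names are hypothetical.

```python
"""Password acceptance check in the style of NIST SP 800-63B.

Added example, not from the original article. The blocklist is a constructed
sample; function names are hypothetical.
"""
import hashlib
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8   # 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64  # 800-63B: at least 64 characters must be accepted

# Constructed sample of a breached/common-password blocklist, stored as SHA-1
# hashes in the same form breach-lookup services use, so the list itself is
# not a plaintext cache of passwords.
_SAMPLE_BLOCKLIST = ["password", "Password1", "123456789", "qwertyuiop", "letmein123"]
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BLOCKLIST
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalisation before measuring or hashing (800-63B)."""
    return unicodedata.normalize("NFKC", password)


def in_blocklist(password: str) -> bool:
    """True if the password's SHA-1 appears in the breached/common list."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in BLOCKLIST_SHA1


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password is rejected; empty list = accepted.

    context_words: organisation- or user-specific terms (hospital name, username)
    that 800-63B says should also be rejected when they appear in the password.
    """
    pw = normalize(password)
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if in_blocklist(pw):
        reasons.append("appears in breached/common password list")
    lowered = pw.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    # Deliberately absent: uppercase/digit/symbol composition rules and a
    # maximum password age. 800-63B advises against both; a reset should be
    # forced only when there is evidence the password was compromised.
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "short", "correct horse battery staple", "MercyHospital2024"]:
        verdict = check_password(candidate, context_words=["Mercy"])
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

In production the blocklist lookup would go to a full breached-password corpus (or a k-anonymity range query against one) rather than the five-entry sample here, and the check should run both at enrolment and when a password is changed.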
Consequences of a data breach
In healthcare, a data breach of any kind has severe consequences, including reputational damage, loss of patient trust, direct monetary losses, and legal ramifications. Much of the legal liability providers face stems from the fact that an impermissible loss of PHI is, by definition, a potential HIPAA violation.
In the event PHI is compromised, healthcare organizations must comply with data breach notification rules, which mandate healthcare organizations notify affected individuals, the secretary of Health and Human Services (HHS), and (in some cases) the media of any breach of unsecured PHI. The HIPAA Breach Notification Rule and the Federal Trade Commission’s Health Breach Notification Rule are federal rules governing organizations’ data breach notifications.
HIPAA’s Breach Notification Rule: Under HIPAA, a “breach” is the acquisition, access, use, or disclosure of PHI in a manner the Privacy Rule does not permit and which compromises the security or privacy of the PHI. Any impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate documents, through a risk assessment, a low probability that the PHI was compromised. Affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. If the breach affects 500 or more individuals, the covered entity must also notify the secretary of HHS at the same time, and must notify prominent media outlets when more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which remains responsible for the downstream notifications.
The Federal Trade Commission’s Health Breach Notification Rule: This rule covers vendors of personal health records (PHRs), PHR-related entities, and third-party service providers to them that are not already covered by HIPAA, such as health apps and connected devices that hold identifiable health data. It requires notification of affected individuals, the Federal Trade Commission (FTC), and (for larger breaches) the media; a third-party service provider notifies the vendor or PHR-related entity it serves. Notice must be given without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
Understand your level of liability
Anyone who interacts with patient health information can be held responsible for HIPAA violations, from IT staff to providers to payers. Therefore, it’s essential to develop legally compliant data management policies and to put business associate agreements in place with vendors and partners that spell out their security and notification obligations, so as to reduce both the likelihood and the impact of a breach.
It’s also crucial for healthcare organizations to understand the scope and requirements of both the HIPAA and FTC breach notification rules, including which rule applies to them, what counts as a reportable breach, who must be notified, and by when. Knowing these rules in advance, and rehearsing the notification workflow as part of incident response, lets providers meet the legal deadlines and reduce the risks associated with data breaches.
In many cases, outsourcing to an experienced third-party company can help healthcare organizations develop data management policies and contracts with vendors and business associates to maintain compliance with HIPAA standards and breach notification rules.
Be proactive about data security
The fallout from a single data breach can last years and span countless legal actions, as well as rack up fines, fees, and penalties for providers. Avoiding cybersecurity failures and the legal liabilities accompanying them is paramount — and it starts by putting data security at the forefront of decision-making. When it comes to sensitive data, are you completely confident in your cybersecurity safeguards?
Learn how to mitigate data risks and legal liabilities at trubridge.com.