HIPAA and Cybersecurity: Five Basic Questions Every Healthcare Organization Should Ask Itself Today
Provided by OSMA Corporate Partner for Legal Assistance,
Brennan Manna Diamond Law Firm
As a health care attorney, one of my roles is to assist healthcare clients who have been the subject of a cybersecurity incident—whether it’s a devastating ransomware attack, a phishing attack or one of many other types. Every physician practice and healthcare organization is a target for cybercriminals. No business is too small. When these events occur, we help our clients to take prompt and meaningful action to help mitigate legal, financial and reputation risk.
Based upon my experience, I know that it is smart for my clients to proactively address data privacy and security issues before an incident occurs. Doing so requires legal, compliance and technical expertise—often a partnership between attorneys, compliance officers and information technology professionals. When dealing with cybercriminals and other bad actors, the best offense is often a strong defense. Fortunately, in this space, legal compliance and business interests are aligned.
Here is a simple list of some of the most important questions that my clients often ask themselves when focusing on their data privacy and security.
- Awareness. Education and awareness are key, and compliance starts at the top. Does the organization’s leadership understand the business and legal risks of having an insufficient data privacy and security program? Do they understand the facts and the statistics—the actual cyber threats in this environment? Do they understand the laws in this area? Do they understand the risks of non-compliance?
- Infrastructure. Resources must be dedicated to data privacy and security matters. Has the organization appointed a HIPAA privacy officer and security officer who have a firm understanding of the laws and best practices? Does the organization understand the data it has, where it is located and how it is used? Has the organization conducted a risk assessment to identify vulnerabilities and to begin to address them sufficiently in accordance with industry and legal standards?
- Policies and Procedures. Policies and procedures should be thoughtfully adopted, implemented and updated. Does your organization have strong HIPAA policies that match the actual practices of the organization? Are they living documents or a dusty binder on a shelf? Have they been periodically updated to reflect changes in the law and best practices?
- Security Safeguards. There are simple safeguards that your organization can quickly implement to significantly protect its data. What is the low-hanging fruit? For example, has the organization enforced multi-factor authentication for all? Has it installed a data encryption solution? Has the organization run through a security incident to test its Incident Response Plan and Disaster Recovery Plan? Has your organization practiced a cyberattack simulation—engaged in tabletop exercises? Do you have a healthcare attorney and a data security professional on speed dial in the event of an emergency, such as a ransomware attack?
- Workforce Training. Has the organization adopted a robust staff training program, including data privacy and security training upon hire and at least once a year thereafter? Is the training consistent and is it documented? Studies show that compliance information is best absorbed when part of a culture where information is conveyed in tidbits over time. Consider placing cybersecurity tips and reminders in the company newsletter and covering the topic at monthly or even annual workforce meetings.
No one wants to spend significant money, time and resources on defending against a cyberattack. However, the reality of today’s world requires that such measures be part of an organization’s overall business plan. Such attacks will happen, and their consequences can be catastrophic. Implementing an adequate defense, through appropriate infrastructure and protocols, is no longer an option. It has to be a priority.