Feature Article: July 2020 – Current Cyber-Security & HIPAA Issues

Jeff Morris

At its core, age management medicine is a preventative approach to health, in which optimum human function and quality of life are preserved through proactive measures—an effort to modulate the process of aging prior to the onset of degenerative aging.

In the same way, if you are an age management medicine practitioner, it makes sense to take a proactive approach to preserve the health of your practice. Just as steps can be taken to prevent degenerative conditions that can threaten human health, there are steps that can be taken to stave off identifiable threats to the life of a medical practice. And, like health regimens you prescribe for your patients, these are solutions that amount to common sense.

Cyber security

There are genuine threats to medical practices right now—threats about which doctors need to be aware. “The healthcare industry is basically being attacked,” said Jeff Broudy, CEO of PCIHIPAA, a provider of solutions to help keep protected health information private and secure. “What we see is that the patient data that health providers have is very valuable. And often compliance is focused around the office manager, and the responsibilities for cyber and compliance fall on her shoulders—or if it’s a sole provider and they’re trying to run the practice, it falls on the physician’s shoulders. And they’re sitting on names, addresses, social security numbers, dates of birth; everything that someone wants to use for identity theft.”

Broudy said there are hackers who want to monetize that data. “We’re seeing a huge increase in the number of URLs that are related to COVID-19, spam messages, phishes, and they’re all used to steal that information and sell it on the dark web.” Some may be worth $50 to $100 per record, he said. “Some may even be worth $1,000 per record. If your practice has even 100 patients, that’s a lot of money.” He said there are many examples of small providers who are being attacked.

Broudy said HIPAA was designed in the 90s to help to protect the privacy and security of patient information. But the proliferation of mobile technology, even though it’s making access to information more efficient, is not protecting that patient data. Now, on top of that, we have the COVID-19 pandemic.

“There is increased risk because of COVID,” said Broudy. “Bad people do bad things; they tend to take advantage of our mindset. As a society we’re in an uncertainty and fear mode. Everyone is going and trying to get information about how to keep themselves safe. And they’re using phishing emails and malicious URLs and driving people to phony websites, leveraging COVID-19 because of our susceptibility.”

Also, said Broudy, many people are working from home. “The security piece,” he said, “is, how the network is structured, how are you connected to the internet, do you have a firewall and router at your house? We’re all more susceptible because we’re using our business databases and software at home, and typically a home environment is not as secure as a business environment.”

Another issue is the sudden increase in the use of telemedicine. “Under HIPAA, they said you can use whatever method you need to and whatever device you need to, and relaxed the HIPAA requirements,” Broudy said. “So security is more relaxed under COVID-19, when it needs to be more secure. Practitioners may be less susceptible to a fine, but more susceptible to their own privacy issues because of telemedicine.”

Broudy said a lot of smaller businesses, if they’re hit with an attack, can go out of business. “One way a victim of hacking will know if they’ve been hacked is a hacker will let them know, with a ransomware attack,” he said. In that case, your system and all your data are actually held hostage unless you pay. “Usually you’ll know, even if there’s no ransom,” he said. “Sometimes there will be an incident that could potentially be a data breach, such as losing a cell phone. When something like that happens, it must be reported.”

Sometimes, a data theft can come from inside, said Broudy. “We had one instance where an employee stole information from a client, and opened an account at Best Buy under that person’s name.” He noted that data can be used for all kinds of things, including filing tax returns and getting refunds using that person’s ID. “If the source of that loss is from the practice, you’re at risk,” Broudy said. “A practice that gets hit has to notify all their patients, and they have to notify HHS. It’s a costly, time- and labor-consuming process.”

Broudy recommends a cyber protection policy that firms such as his offer. “We have a whole incident response team; we become the incident response team for the client. They would report an incident to us if that were to happen.” He thinks that today, you are much more likely to need a cyber policy than a malpractice policy. “Malpractice is at least controllable; it’s something you do yourself,” he said. “Cyber is a third party coming at you. Nobody can eliminate the risk.”

HIPAA compliance

The cost of HIPAA compliance depends on many variables, said Broudy. He identified some of the key factors to consider:

  • Your organization type: Are you a privately owned healthcare provider, a hospital, or a business associate? Each organization type holds a different amount of protected health information (PHI) and carries a different level of risk.
  • Your organization size: The more employees, programs, computers, PHI, and departments your practice has, the more vulnerabilities you might encounter.
  • Your organization’s culture: If data security is management’s top priority, you have most likely already invested in a cybersecurity program. If not, HIPAA compliance costs will increase due to the additional training and policy requirements for your staff.
  • Your organization’s environment: If cybersecurity was considered when purchasing, implementing, and maintaining devices, the costs to comply with HIPAA should be lower for your practice. This includes computers, software, firewalls, servers, and more.
  • Your organization’s dedicated HIPAA workforce: A dedicated HIPAA team or third-party provider will help to determine which requirements apply to your practice. The American Dental Association has published guidelines to help healthcare providers set criteria for selecting a third-party provider.

Broudy said that, if HHS’s estimate of compliance costs seems daunting, the costs related to non-compliance are even greater. For failing to protect protected health information (PHI), a practice can face the following fines and penalties:

  • Department of Health and Human Services (HHS) fines: up to $1.5 million per violation per year
  • Federal Trade Commission (FTC) fines: $16,000 per violation
  • Class action lawsuits: $1,000 per record
  • State attorneys general/potential fine assessment: $150,000 – $6.8 million
  • Patient loss/not returning to doctor due to breach: 40%
  • Free credit monitoring for affected individuals: $10-$30 per record
  • ID theft monitoring: $10-$30 per record
  • Lawyer fees: $2,000+
  • Breach notification costs: $1,000+
  • Business associate changes: $5,000+
  • Technology repairs: $2,000+

Broudy said that the high costs of noncompliance are meant to penalize those who don’t adequately protect patient information. He noted that Roger Severino, Director of the HHS Office for Civil Rights (OCR), announced during a 2018 HIPAA Security Conference that the next round of examinations will be focused on enforcement, and that upcoming audits will use harsher investigative tools to hold bad actors accountable.

“With an increase in audits, HIPAA compliance is more important than ever,” Broudy said. He recommends protecting your practice’s finances and reputation by becoming HIPAA compliant. This is another area in which his company, and others, offer turnkey solutions that eliminate many of the added costs and headaches. That can be a particularly attractive prospect for practitioners who thought they were getting out from under mountains of paperwork by moving to a non-insurance environment.