Part 6 of 7
The cost of a security breach: Lapses in security measures can quickly cause irreparable damage through financial penalties, reputational harm, and loss of business. If a patient’s ePHI is breached, healthcare organizations are potentially looking at the following consequences:
• Excessive legal fees
• Public relations expenses
• The loss of business
• Expenses for assessments and ongoing investigations to protect the organization
• Setting up and maintaining a mandatory Compliance Program
• Credit monitoring services for consumers
In addition to those costly business exposures, healthcare organizations may also have to devote time and resources to developing their Written Information Security Policies (WISP), which define the set of procedures and policies that ensure the confidentiality, integrity, and availability of the organization’s information against malicious activity. When developing cybersecurity and HIPAA compliance programs, organizations must pay particular attention to the following:
• Other federal and state regulations, in addition to HIPAA requirements, regarding ePHI and PII.
• Data breach laws for mental health and substance abuse, because specific guidelines have been established governing how and when ePHI and PII may be shared in these situations, whether with or without the patient’s consent.
YOUR GOAL IS BREACH PREVENTION
No organization wants to find itself in the position of having to defend a breach. Preventing a breach is ideal and being proactive is necessary. Take these ideas under serious consideration:
• Hire a Managed Service Partner to monitor and manage your IT environment.
• Have regular consultations with a HIPAA-knowledgeable attorney.
• Hire a HIPAA Consultant.
• Pay a professional to conduct a Comprehensive Risk Assessment.
• Mitigate the findings of a Security Vulnerability Assessment.
• Implement and enforce HIPAA Security Policies/Procedures.
• Get Cyber Insurance and implement a full HIPAA Compliance Program.
• Invest in industry-standard encryption solutions.
• Have an Organizational Policy for addressing and monitoring mobile devices.
• Use Active Directory and Group Policies to enforce User Rights and Security Controls.
• Ensure that medical devices have up-to-date security patches and are malware-free.
• Implement and maintain strong firewalls with subscription services and an Intrusion Detection System (IDS).
• Cultivate a strong, ongoing Security and HIPAA Awareness Program.