How costly can a simple IT Security mistake be for a clinic?
Here is a true example that happened recently:
UW Medicine had 974,000 patients’ Protected Health Information exposed online due to the accidental removal of protections on a website server. As a result, internet searches allowed “sensitive patient information to be accessed by unauthorized individuals... Ironically the exposed database was used by UW Medicine to keep track of the patient health information disclosures.”
According to the Chief Medical Officer, just the required mailing of “breach notification letters has cost UW Medicine around $1 million, not including the cost of investigation and identifying patients impacted by the breach.” This does not include penalties, credit monitoring and other expenses. The article goes on to report, “the breach has prompted a review of policies and procedures, which have now been updated to prevent similar incidents from occurring in the future.”
I’m Not a Big Hospital... This Doesn’t Apply to Me, Right?
A Security policy should address the types of safeguards you have in place for ALL information systems that face or access the internet. It should include checks and balances through monitoring of devices and antivirus reports. More importantly, it should include a sign-off process for any time your system is worked on by an IT Specialist. Many times, a work ticket has resulted in once-enabled protections being disabled so the IT person could correct an issue. Unfortunately, if policy and procedure are not in place, there is no one to confirm that all protections are re-enabled prior to closing the work ticket. Human error is one of the most preventable causes of breaches.
Not sure if you have a proper policy? Maybe you have a general security policy that addresses HIPAA requirements. What does your policy say about having your server or network worked on by an IT Specialist or Internet Service Provider (ISP)? If you are not sure what your IT Security policy says, it is quite likely you have not implemented it. This can cost you greatly!
What Should I Do?
With this in mind, we encourage you to seriously consider your position. OCR announced “that 2018 had been a record year for HIPAA enforcement. OCR’s HIPAA fines and settlements totaled $28,683,400 in 2018, beating the previous record of $23,505,300 set in 2016 by 22%. 2018 also saw the largest ever HIPAA settlement agreed.”
At KMC University we realize that HIPAA is not just a manual full of policies sitting on a shelf. The policies must be implemented, followed, and updated. Employees must receive specific training related to policies. And someone must be responsible for double checking that ALL policies are being followed. Take time today to locate your HIPAA policies and audit your current process. If you feel you need assistance, consider joining our HIPAA Training Course, where we do it with you. Call us today at (855) 832-6562 for a consultation. Don’t be one of those statistics!
Call (855) 832-6562 now or click to schedule a 15-minute Solution Consultation at your convenience.