Choosing the Right Cybersecurity Partner for HIPAA Compliance

Reduce the Cost of HIPAA Compliance with a Cybersecurity Partner

HIPAA compliance can cost so much that the result is a greater vulnerability to cyberattacks. But the right cybersecurity partner reduces both cost and risk.  

HIPAA Compliance Is Difficult without the Right Cybersecurity Partner.

Many medical professionals have an ambiguous attitude toward HIPAA. As President Russell P. Branzell and CEO Shafiq Rab of the College of Healthcare Information Management Executives (CHIME) wrote in a letter to Congress:

“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

Medical practices, clinics, and hospitals are exposed to cybersecurity risks of two kinds. They are vulnerable to phishing, malicious use of AI, cyberattacks on mobile devices, and attacks on data in cloud storage. But healthcare providers that experience cyberattacks are also at risk of expensive adverse regulatory action for failure to meet HIPAA standards.

How costly can it be for healthcare organizations to be found in non-compliance with HIPAA rules? Just in 2019:

• The University of Rochester Medical Center was fined $3,000,000 for failure to encrypt mobile devices.
• Cottage Health was fined $3,000,000 after it was discovered that 62,525 patient names, addresses, dates of birth, diagnoses/conditions, lab results and other treatment information had been available without password protection to anyone who had access to their server.
• Touchstone Medical Imaging was fined $3,000,000 for a data breach resulting from an insecurely configured server.
• And Jackson Health System was fined $2,175,000 for losing hard-copy records of 1,471 patients, including a player for the NFL.

HIPAA fines can range from $100 to $50,000 per violation or record, up to a maximum of $1.5 million per incident per year. This lowest level of fines is applied even when the covered organization did not know and could not reasonably have been expected to know of the data breach. Fines increase when covered entities fail to exercise reasonable diligence or act with willful neglect.

OCR requires payment of fines within 30 to 90 days. Most monetary penalties come with similarly immediate demands for risk analysis, new training programs, and a system for informing OCR of new reportable events.

Fines and administrative costs of correcting non-compliance are significant for large healthcare providers. They could be devastating to a small practice. But compliance also comes with a significant downside.

The cost of HIPAA compliance without a cybersecurity partner increases the risk of rule violations.

It is not news to IT managers that HIPAA compliance is complex. It requires significant resources. The underappreciated problem is that complying with HIPAA’s minimum standards may not deter serious threats. HIPAA compliance requires so many resources that healthcare organizations may not be protected from the latest generation of cyber threats. HIPAA-compliant healthcare organizations may find they have less protection from cyberattacks, not more.

The attitude of OCR toward compliance audits and breach investigations is likely to continue to be punitive, rather than restorative. Ideally, healthcare entities would learn from the experiences of other organizations that have had to recover from cyberattacks. But the truth of modern cybersecurity is that every health organization, no matter how small, needs to implement:

• Business/emergency continuity plans.
• Endpoint protection.
• End-to-end encryption.
• Firewalls.
• Full disc encryption.
• Internal monitoring and auditing.
• Secure communications.

The largest healthcare providers can afford dedicated IT departments, but smaller providers more focused on patient care need a cybersecurity partner. But how do healthcare organizations recognize the right cybersecurity partner?

Choose the Right Cybersecurity Partner for Cost-Effective Compliance with HIPAA and New York Law.

The days of protecting data with antivirus programs and antimalware are over for healthcare providers. Data security requires specialized expertise.

The right cybersecurity partner will provide data security, email security, end-user security, and secure infrastructure. This cybersecurity partner will protect on-site and cloud-based email systems, stop cyberattacks launched by malicious websites, stop drains of bandwidth, stop exposure of data at insecure sites, extend security to devices the healthcare provider does not control, centralize visibility and control, detect malware quickly, secure infrastructure to include remote sites, protect mobile users, block malicious traffic, prevent intrusions, and keep up with the implications of HIPAA rule changes as well as the latest cyberthreats.

And if you operate in New York, you need a partner who can help you with the unique challenges of cybersecurity in New York:

• Your cybersecurity partner should have updated on you on the broad new requirements of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The new law, which comes into effect on March 21, 2020, requires new measures to safeguard data and networks.
• Your cybersecurity partner should provide meaningful employee training. Your employees need to comply with both HIPAA and New York state laws.
• Your cybersecurity partner should help you integrate cloud computing at every level of your IT needs. Cybersecurity companies that cannot help you utilize cloud computing do not have the up-to-date security expertise your organization needs.

Network Outsource can empower your company to operate securely while taking advantage of new technology. To get the best in service, reach out to Network Outsource to find out how we can help.