Cybersecurity for Medical Practices: Addressing the HIPAA in the Room

Kerr Russell

Cybersecurity attacks, such as malware, phishing emails, and password attacks, are a growing threat to patients and medical practices. Cyber attacks can significantly disrupt patient care, including by exposing confidential data, interfering with access to records, and/or damaging operations systems. The HIPAA Security Rule has long required medical practices to develop and implement reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and security of electronic protected health information (ePHI). However, medical practices should also evaluate their risks and exposures beyond ePHI and take proactive measures to mitigate risk and protect the practice and its patients. For this purpose, the following is a summary of some of the key steps medical practices can take to prevent and mitigate the risk of cyber attacks.

Risk Analysis

The HIPAA Security Rule requires medical practices to conduct a risk analysis to identify vulnerabilities and weaknesses within the medical practice that can impact the confidentiality, integrity and availability of ePHI maintained by the medical practice. Although the HIPAA Security Rule does not impose a specific methodology, the risk analysis must be commensurate with the medical practice’s size, complexity, and capabilities. In addition, while the HIPAA Security Rule requires a risk analysis only with respect to ePHI, medical practices should also assess risks and vulnerabilities that can impact all areas of the practice, not just ePHI.

Written Policies and Procedures

After conducting a risk analysis, medical practices must establish and implement written policies and procedures which incorporate the following data privacy and security safeguards:

  • Administrative Safeguards: These are the administrative actions, policies and procedures used to manage the selection, development, implementation and maintenance of security measures that protect the practice’s ePHI and other data, and to manage the conduct of the medical practice’s workforce.
  • Physical Safeguards: These are the physical measures, policies and procedures that protect a medical practice’s electronic information systems (such as electronic medical record or e-prescribing systems) and related buildings and equipment from natural and environmental hazards, as well as from unauthorized intrusion, such as cyber attacks.
  • Technical Safeguards: These are the technology, and the policies and procedures governing its use, that protect the practice’s ePHI and other data and control access to it. For example, a medical practice may adopt a policy requiring the use of proper encryption software, such as software implementing the OpenPGP standard (PGP, Pretty Good Privacy).

To assist medical practices, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have created a HIPAA Security Risk Assessment (SRA) Tool which medical practices can use for purposes of conducting a risk analysis and implementing appropriate policies and procedures consistent with the HIPAA Security Rule.

Incident Response and Disaster Recovery Plans

Medical practices should ensure that their policies and procedures include a plan for responding to disasters such as cyber attacks, extreme weather or system outages that can result in data breaches, interruptions, or loss of access to data. This includes a data backup plan to ensure that data can be retrieved and/or restored without compromising the integrity of the data, a plan to enable continuation of critical business processes, as well as policies for periodic testing and revision of such plans.

Training

As part of or in addition to HIPAA compliance training, medical practices must ensure that all staff, including all medical and non-medical personnel, receive training on the practice’s HIPAA policies and protocols as well as general cybersecurity best practices.

Business Associates

Medical practices should ensure that their business associates, including any vendor or entity that accesses or uses protected health information or other sensitive data on behalf of the medical practice, have and implement their own policies and procedures which are consistent with the HIPAA Privacy and Security Rules and cybersecurity best practices.

Cyber Insurance

Cyber insurance protects medical practices and other businesses from losses caused by data breaches, theft, hacking and other cyber attacks. Medical practices should review their existing insurance coverages to ensure that they are covered in the event of a cyber attack or similar incident.

Consult with Legal Counsel

Medical practices which fail to appropriately safeguard their data in compliance with the HIPAA Security Rule and other data privacy laws may be subject to penalties (including fines) and other enforcement actions and liabilities. Medical practices should consult an attorney with experience in health care law and cybersecurity to review the medical practice’s policies and protocols to ensure compliance with applicable laws and best practices.


This article first appeared in the First Quarter 2023 edition of the Detroit Medical News.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kerr Russell | Attorney Advertising
