With summertime right around the corner, we hope you have your cyber-longboard and wetsuit ready, because the healthcare industry has been tasked with navigating technology swells that would make Oahu’s North Shore (bucket list if you’ve never been!) seem like child’s play. The past year has brought plenty of ‘gnars to shred’ for medical practices, including a rising tide of cyberattacks. And with healthcare data breaches up 38.8% as of this past March, keeping a focus on cybersecurity is essential to keeping your practice afloat in 2021.
Now this recent spike isn’t unfounded, especially after last year’s healthcare breach numbers came in 55% higher than what we saw in 2019. So what’s causing this cybercrime rip current, and when will the coast be clear? Between the transition to remote operations, the expansion of new technologies like telehealth, and the increased reliance on electronic communications, many factors have shifted the tides for how patients’ protected health information (PHI) is handled and shared. Each of these changes also widens the attack surface: more devices, more accounts, and more connections outside the practice’s walls. And while each of them has helped providers ride the surge of social distancing, they’ve paddled patients’ sensitive information right into the data breach impact zone.
It’s not uncommon to lump the incidents behind all of those statistics in with the major data breaches and million-dollar fines we see making headlines. And although the first breach-related settlement of 2021 did happen to involve a large health insurer and a fine with quite a few zeros at the end, the idea that hackers are only after big organizations tends to muddy the waters for smaller, independent providers. In reality, size and specialty don’t matter: no healthcare organization is guaranteed to ‘hang ten’ against a data breach, and cybersecurity should be prioritized all the same. Smaller practices are often the easier target precisely because they have fewer staff and less tooling devoted to security. But if you still don’t believe us, just take it from the 83% of healthcare providers that report having experienced some form of cyberattack, and the fact that 70% of cyberattacks targeted facilities with fewer than 500 employees.
So now what?
Much like learning how to surf, properly protecting your patients’ sensitive data while managing everything else on your plate is all about balance. There are many different ways for sensitive data to be exposed, and hackers and other outsiders with malicious intent aren’t the only sharks in the water to look out for. Data breaches can and have resulted from accidental disclosures (a misdirected email or fax, a lost unencrypted laptop), disgruntled employees, and business associate (BA) mishandlings. So while we often think that the only way to avoid a breach is found in a word that starts with ‘cyber’ and ends with ‘security’, ALSO having a complete HIPAA program that covers the other areas, like staff offboarding (revoking accounts and access the day someone leaves) and BA agreements that spell out how a vendor must protect PHI, is essential to getting your practice past the breakers.
As you’re probably well aware, providers are facing increasing challenges to keep data secured in the uncharted waters of evolving technology and patient needs. But luckily, the new HIPAA Safe Harbor Law brings incentives for those who are taking the right measures to face it: when the government investigates a breach, it must now consider whether the organization had recognized security practices in place for the previous 12 months when deciding on penalties. So although it’s looking like the wave of data breaches isn’t crashing anytime soon, having the Security Rule basics down (a documented risk analysis, appropriate safeguards to mitigate the threats it identifies, and the paper trail to prove it) can reduce any resulting fines that might otherwise put a small practice under.
So our words of advice? When the government throws you a life raft, it’s probably best to grab hold, because having a complete cybersecurity AND HIPAA compliance program in place is sink or swim for your practice, especially when it comes to avoiding a data breach wipeout.