HIPAA, electronic health records & the data breach waiting to happen
Imagine this: an executive director of an assisted living community is on her way to work. She stops at her favorite local coffee shop and runs inside. When she returns to her car minutes later, coffee in hand, the passenger-side window is smashed and her laptop is gone.
If that laptop held resident records, the community she oversees and all two hundred of its residents have just experienced a serious data breach. Within hours the thief can be selling personal and financial information, and any passwords or remote-access credentials saved on the machine give him a path into the community's internal systems. Under the HIPAA Breach Notification Rule, the loss of an unencrypted laptop containing protected health information is presumed to be a breach, and the community must notify the affected residents and HHS even if it never learns whether the data was actually used: it lost control of the records, and that is enough. The one caveat worth knowing is that if the drive was fully encrypted in line with HHS guidance, the information is not considered "unsecured" and the loss is not a reportable breach, which is why full-disk encryption on every portable device matters so much.
Many providers don't realize the general insurance policy they have in place may not cover HIPAA fines or the costs that follow a breach. In fact, many policies SPECIFICALLY EXCLUDE this sort of fine and expense. My first piece of advice? Begin asking about your current insurance coverage. Most cyber security policies start around $1,500-2,000/year and might cover more than you think.
Having access to medical information is necessary for assisted living communities to provide exceptional care, but it also makes them a target. Their systems hold enough personal, financial and medical detail on every resident to support identity theft or insurance fraud, which makes them a gold mine for criminals. Electronic health records must also be handled carefully, and without the right training employees violate HIPAA routinely without realizing it.
Once a breach happens, the costs pile up fast: credit monitoring for affected residents, IT forensics to establish what was taken, and system upgrades, all on top of any HIPAA fines. Those expenses are why we're beginning to see a rise in tailored cyber security insurance policies.
The theft can come from within, too. According to a 2013 survey of 2,000 employees by LogRhythm, 23 percent admitted to having accessed or taken confidential data from their workplace, and one in ten said they do so regularly.
Consider another real-life scenario that doesn't involve property theft or ill will. An employee at a community receives a call from someone identifying himself as a representative of a resident's insurance provider, asking to confirm the resident's date of birth and current medications. The employee provides the information without verifying who is calling or checking whether the resident signed a HIPAA authorization form. If the caller is not who he claims to be, or the disclosure is not one HIPAA permits without the resident's written authorization, the community has made an impermissible disclosure and is subject to fines. The Privacy Rule requires covered entities to verify the identity and authority of anyone requesting protected health information; a call back to the insurer's number already on file would have taken a minute.
And somewhere, right now, this is happening as we speak. An inside sales representative sitting at his desk receives an email. It looks like it is from corporate IT and asks him to reset his password. He clicks the link and enters his password and employee ID on a look-alike page, and the attacker now holds a valid login. The community has just been hacked and resident information exposed. This is ordinary credential phishing; staff who know that IT will never ask for a password by email, and multi-factor authentication on every account that can reach resident data, are the two controls that stop it.
Lost devices, employee mistakes and criminal attacks happen every day. Company computers are just the starting point. Mobile phones, tablets and home computers can reach company networks away from the office, and if stolen or lost they carry data and saved passwords with them unless they are encrypted and can be wiped remotely. In 2010, medical ID theft affected 1.42 million Americans, with costs rising into the billions.
With an ever-changing regulatory climate in a digital society, it's important to train your staff on federal regulations and protect the infrastructure that houses your data. One minor breach or mistake can cost a company millions and tarnish a reputation that has taken years, decades even, to build.

Eugene Solomon is a senior partner at A.G.E. Insurance.