Why Aren’t You Ready? The First Steps to Protecting Healthcare Data

Recently, I read a statistic stating that 70% of employees across all industries lack sufficient cyber-preparedness. In the healthcare industry alone, the figure is even higher: 78% of employees showed a lack of preparedness regarding common threat vectors and privacy issues. This statistic, and the corresponding article, is both shocking and, at the same time, not surprising. It is shocking because, with all of the cybersecurity issues facing companies today, and in particular the healthcare industry, which is one of the top targets for attacks, the employees in that industry are so ill-prepared. Conversely, it is not surprising at all, because US-based companies still do not take cybersecurity and data privacy as seriously as their counterparts in Europe.

Now, you would think that with the huge fines levied against healthcare companies that do not follow the HIPAA Security Rule, the most recent being a settlement of $3.5 million, healthcare companies would be putting more resources toward cybersecurity. It is frankly sad that companies are not preparing their workforce. For an attacker, it only takes one: one employee who is not paying attention, or who is curious about what would happen if they click on a bad link, and the attacker is in. The defender's problem is asymmetric. Companies have to get it right for every employee, every time, so they often deploy technology to block, track or audit what employees do, while the attacker only needs one click.

Attackers love to deploy their tricks against companies in the healthcare industry. First, healthcare data is among the most valuable data a criminal can steal. Putting that aside, healthcare companies allocate limited budgets to cybersecurity investments. Symantec, a leading enterprise security vendor, found that healthcare companies are notorious for paltry budgetary investments in cybersecurity. The 2016 HIMSS Analytics Healthcare IT Security and Risk Management Study likewise stated that healthcare companies are underspending on cybersecurity programs. OK, so these companies do not want to spend money to protect our healthcare records. Yes, cybersecurity can be expensive. However, it simply does not make any "cents" that healthcare workers are not trained in cybersecurity best practices.

The simplest things, like training, frequently work the best. Also, cost aside, HIPAA requires training and educating employees: the Security Rule's security awareness and training standard (45 CFR 164.308(a)(5)) applies to all workforce members, not just IT staff. Technological defenses are not unimportant; they are essential to a company's defense against attackers. However, if a healthcare company is going to devote few resources to cybersecurity, education and training are by far the biggest bang for the buck. Policies and training alone will not make you HIPAA compliant, far from it! But you have to start somewhere, and these are the easier, dare we say cost-effective, steps for a company to "stomach."

Have proper policies drafted that match your workflow, and then train on those policies. Training should be at least once per year, but once per quarter is better. Remember, the HIPAA Security Rule requires a risk assessment and allows a company to weigh cost against benefit when selecting the technological fit for its size and environment. Policies and training are relatively low cost. An attorney who is knowledgeable in both cybersecurity and technology should draft those policies, because you want to ensure that your contractual obligations and liabilities are addressed by them, and that is legal work. Once the policies are in place and the training on those policies is done, you should test: a simulated phishing email, the very "bad link" scenario described above, is the obvious test of whether the training took hold. Test, and have accountability for anyone who does not follow the policies. All the policies in the world will not make a difference unless your employees are trained on the policies AND there is accountability when those policies are not followed.

Creating a culture of security requires a commitment, but it does not have to mean a substantial financial commitment. Policies and training can substantially decrease your cyber-risks, and they have the added benefit of showing the OCR that your company is not putting its head in the sand when it comes to cybersecurity. Particularly for companies that are protecting such highly coveted and valued information, taking cybersecurity seriously is of paramount importance. A breach is bad enough; a fine from the OCR is worse. So create the policies and train on them. "Buy in" to a corporate culture of security and you will find that cybersecurity is always a good investment.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.