Reported data breaches show that HIPAA violation settlements are on the upswing, both in terms of the number of individuals affected and financial cost. We’re not done with 2017, yet OCR’s updated breach portal shows that nearly 4 million individuals have been affected by over 200 healthcare data breaches as of mid-September.
Looking back just two years, and the analysis of HHS and OCR publicly reported breaches indicates an increase of 320% in 2016 over 2015’s hacking related healthcare data breaches. It helps to understand that reported breach types can range from hacking to unauthorized access or disclosure of ePHI, to theft of devices. Also, while business associate and health plan breaches are affected as well, healthcare providers represent nearly 78% of the incidents reported, an overwhelming majority.
What can we learn, and apply, from this? 3 things:
- A Security Risk Assessment is one process that every organization needs (and a HIPAA requirement) from top to bottom, at least annually. We strongly suggest you conduct one more often if you change or add any systems, experience a merger or acquisition, or have a significant change in business operations. The risk assessment process can help reveal areas where your organization’s security and privacy is at risk. Ostendio’s MyVCM offers a high-level control audit which is a good place to begin. Alternatively, take this quick 10-question quiz for a high-level overview of where your organization stands today. It may surprise you.
- Revisit (or create) your Risk Management Plan. Risk exposed by the Security Risk Assessment is meant to be corrected, not just documented. To comply with HIPAA, you need to continuously review, correct, modify and update your security measures and processes. Granted, some risks are higher priority than others, so mitigate those first, and have a plan in place to keep them from re-occurring. That may entail a compliance training plan, documentation check and re-check, security patch oversight and myriad other items. Knowing that a risk exists is only the first step.
- Know who to call and when after a data breach. The key word in security incident response is “response.” Get ahead of the game with a tested security incident response plan and a reliable team. You’ll avoid looking unprepared and possibly save your business’ reputation.
Finally, when taking any and all of the above steps, don’t underestimate the value of transparency between business partners. Covered entities (providers, plans) and their business associates (digital vendors, third-party services) are interdependent. If one isn’t secure and compliant, the foundation is faulty. Transparency in monitoring and tracking actions strengthens data security, organizational compliance, and the business relationship. Contact us today to learn more about how Ostendio’s MyVCM can help you manage the security and privacy of your organization.