For MSPs with healthcare clients in their portfolio, there is an ever-growing and sometimes onerous list of rules, regulations, and laws that must be followed. Failure to do so can result in reputational ruin, hefty penalties, or both.
Failure to follow the rules can be costly
One example is the Oklahoma State University Center for Health Services. Recently, the organization was ordered to pay $875,000 in penalties for a data breach. Fines of this type are often as much as $25,000 per incident, but each “incident” can be counted as one piece of compromised data, so the cost of a breach adds up quickly.
In this case, a hacker installed malware on one of the Center for Health Services’ web servers that contained electronically protected health information. More than 275,000 individuals were affected by the breach, which resulted in the unauthorized disclosure of their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and medical treatment information.
The investigation by the HHS Office for Civil Rights (OCR) found potential violations of the HIPAA Rules, including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting procedures; and failure to provide timely breach notification to affected individuals and HHS.
But, as Physicians Weekly pointed out in a recent article, a HIPAA violation doesn’t necessarily stem from a sophisticated cyberattack such as the one experienced by Oklahoma State University’s Center for Health Services.
“Physicians must also remember that cybersecurity can be compromised without a data breach. For instance, a seemingly harmless email sent in plain text from a medical practice may be a HIPAA violation, unbeknownst to the practice.”
New NIST resources provide a roadmap for MSPs
Smarter MSP asked an expert about some of the latest healthcare best practices and additional government guidance that is forthcoming.
“Healthcare data is about so much more than just HIPAA. It’s a complicated labyrinth, and most MSPs, unless they specialize in healthcare, don’t have someone on staff that knows all the rules, and this can lead to trouble,” says Jeff Blevins, a healthcare and cybersecurity specialist in Rochester, New York.
Newly updated cybersecurity guidance for the health care industry from the National Institute of Standards and Technology (NIST) could be helpful for MSPs. “Anytime clarity can be added to the web of rules, that is a good thing,” Blevins adds.
NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is designed to help the industry maintain the confidentiality, integrity, and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.
“It used to be that PHI might consist of some charts and maybe bloodwork, but with IoT, wearables, electronic vaccination records, and more, the whole scope of PHI has grown,” Blevins notes.
The new HIPAA resource guide should provide a road map for MSPs, CISOs, and other organizations that deal with PHI. “One of our main goals is to help make the updated publication more of a resource guide,” reports Jeff Marron, a NIST cybersecurity specialist.
NIST also has some tips and advice to go with the updated guidebook, tips that Blevins says are good ones. Among the tips he recommends that MSPs implement:
Look for leaks: Some companies think they have an airtight seal on PHI, but a deeper dive can reveal unknown vulnerabilities.
“If you deal with any sort of PHI, your team needs to brainstorm ways in which PHI can be inadvertently leaked and, if so, how and what the ramifications of it are,” Blevins advises.
Assess: What if a threat actor does somehow manage to scrape PHI from one of your clients?
“Your team should simulate the ramifications. Some PHI leaks are worse than others, so you need to assess which are worst-case scenarios and which breaches you can live with,” Blevins recommends.
Remote risk: So many companies went remote almost overnight and never put proper protocols in place.
“We are now more than two years into the pandemic, and I still see some companies with Fort Knox-like security in their offices, but remotely they are very sloppy. I’ve seen health records scattered around in the background on Zoom meetings and best practices not being followed,” Blevins recalls.
Email encryption: This is cybersecurity 101, but, Blevins says, many healthcare entities still don’t fully embrace it.
“PHI should never be sent via unencrypted email; you are just asking for trouble,” Blevins says. He recommends that any business that collects PHI hold monthly meetings between all relevant stakeholders for the sole purpose of checking that all best practices are being followed.
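One way an MSP can turn the “never send PHI in unencrypted email” rule into an enforced control is an outbound-mail gate that lets encrypted messages through untouched and blocks plaintext messages that carry PHI indicators. The block below is an added example written for this article; it is not code from the article, from NIST’s guide, or from Mr. Blevins. It assumes (my assumptions, not the page’s) that the relay hands the hook a raw RFC 822 message, that encryption is recognised by the S/MIME enveloped-data and OpenPGP/MIME content types, and that the PHI patterns are constructed indicators modelled on the data types named in the OSU breach (Medicaid numbers, dates of birth, dates of service), not a complete list of HIPAA identifiers. The sample messages are constructed.

```python
"""Outbound-mail gate: refuse to relay a message that carries PHI in plaintext.

Added example, not code from the article or from NIST. Assumptions: the MSP's
relay passes the raw message to gate_outbound(); encryption is detected by
MIME type only (the gate never needs to read an encrypted body); PHI_PATTERNS
are constructed indicators that a real deployment would tune per client.
"""
import re
from email import message_from_string, policy

# Constructed indicators modelled on the data types listed in the OSU breach.
PHI_PATTERNS = {
    "medicaid_id": re.compile(r"\bmedicaid\s*(?:id|number|#)?\s*[:#]?\s*\d{6,12}\b", re.I),
    "date_of_birth": re.compile(r"\b(?:dob|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "date_of_service": re.compile(r"\bdate of service\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "diagnosis": re.compile(r"\b(?:diagnosis|dx)\s*[:#]?\s*\S+", re.I),
}


def is_encrypted(msg) -> bool:
    """True if the body is S/MIME enveloped data or OpenPGP/MIME encrypted."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":          # RFC 3156 (OpenPGP/MIME)
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Signed-only S/MIME also uses pkcs7-mime; only enveloped-data hides content.
        return msg.get_param("smime-type", "").lower() == "enveloped-data"
    return False


def find_phi(msg) -> dict:
    """Scan the subject and every text/* part; return {indicator: [matched strings]}."""
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    hits = {}
    for label, pattern in PHI_PATTERNS.items():
        found = [m.group(0) for text in texts for m in pattern.finditer(text)]
        if found:
            hits[label] = found
    return hits


def phi_labels(raw: str) -> list:
    """Sorted list of indicator names found in a raw message (helper for callers/tests)."""
    return sorted(find_phi(message_from_string(raw, policy=policy.default)))


def gate_outbound(raw: str) -> tuple:
    """Return (allow, reason). Encrypted bodies pass; plaintext passes only if clean."""
    msg = message_from_string(raw, policy=policy.default)
    if is_encrypted(msg):
        return True, "encrypted body"
    hits = find_phi(msg)
    if hits:
        return False, "plaintext PHI indicators: " + ", ".join(sorted(hits))
    return True, "no PHI indicators found"


# --- constructed sample messages (not real patients, not real systems) ---
PLAINTEXT_PHI = """From: frontdesk@clinic.example
To: billing@partner.example
Subject: Claim follow-up
Content-Type: text/plain; charset="utf-8"

Patient J. Doe, DOB: 04/12/1978, Medicaid ID 123456789.
Date of service: 03/02/2022. Diagnosis: J06.9
"""

PLAINTEXT_CLEAN = """From: frontdesk@clinic.example
To: it@msp.example
Subject: Printer on floor 2
Content-Type: text/plain; charset="utf-8"

The printer near the nurses' station is jammed again.
"""

SMIME_ENVELOPED = """From: frontdesk@clinic.example
To: billing@partner.example
Subject: Claim follow-up
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAAAAA==
"""

if __name__ == "__main__":
    for name, raw in [("phi", PLAINTEXT_PHI), ("clean", PLAINTEXT_CLEAN), ("smime", SMIME_ENVELOPED)]:
        allow, reason = gate_outbound(raw)
        print(f"{name:6} -> {'ALLOW' if allow else 'BLOCK'} ({reason})")
```

The gate deliberately does not try to decrypt or inspect encrypted bodies; the control it enforces is the one the article states, that PHI leaves only inside an encrypted envelope. Blocked messages should be logged with the indicator names (not the matched PHI itself) so the monthly stakeholder review has evidence without creating a second copy of the data.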
“Prevention is stressed in medicine, and its powers are just as strong in cybermedicine,” Blevins asserts.
Preventing a mess is far less costly than cleaning up one after it happens. Just ask Oklahoma State University.
Photo: REDPIXEL.PL / Shutterstock