Fines for lax privacy/security
Breaches of patient records have consequences that include investigation by federal or state authorities for potential HIPAA privacy and security violations, and fines. Recently, the HHS announced a $1.5 million settlement with Athens Orthopedic Clinic, PA, in Georgia, for not complying with the HIPAA rules.
When a breach affects 500 or more patients, the organization is required to notify the HHS Office for Civil Rights (OCR) within 60 days of discovering it, as well as all the affected patients and the media. Some organizations offer free credit monitoring and identity theft protection services to their patients.
Information about the breaches, including company names and the number of affected individuals, is posted publicly on what cyber experts often call “OCR’s wall of shame.”
Strengthen your defenses
The FBI and the HHS warned health care professionals and organizations in 2020 about the threat of increasing cyber attacks and urged them to take precautions to protect their networks.
Here are five actions you can take:
- Back up your files to the cloud or off-site services and test that the restoration works.
- Implement user training with simulated phishing attacks so the staff will recognize suspicious emails and avoid actions that could launch malware attacks.
- Ensure strong password controls and that systems are regularly patched.
- Require multifactor authentication for remote access to IT networks.
- Set anti-virus/anti-malware programs to conduct regular scans of IT network assets using up-to-date signatures.
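The first item on the list, testing that a backup actually restores, is the one most often skipped. The script below is an added example, not code from the article or from any vendor it mentions: it archives a directory, writes a SHA-256 manifest, restores the archive into scratch space and checks every file against the manifest. The `records/patient_*.txt` files and all paths are constructed for illustration; it assumes GNU `tar`, `gzip` and `sha256sum` are available.

```sh
#!/bin/sh
# Added example (not from the article): exercise a backup by restoring it
# into scratch space and checking every restored file against a SHA-256
# manifest. File names and paths are constructed for illustration.

# Create a few constructed sample files under $1 to back up.
make_sample_data() {
  mkdir -p "$1/records" || return 1
  printf 'constructed sample record 1\n' > "$1/records/patient_0001.txt"
  printf 'constructed sample record 2\n' > "$1/records/patient_0002.txt"
}

# Write a sorted SHA-256 manifest of every file under $1 to $2.
# Paths are recorded relative to $1 (./records/...), so the same manifest
# can be checked from inside a restore directory.
write_manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# Archive the directory tree under $1 into the gzip-compressed tar at $2.
archive_dir() {
  tar -C "$1" -cf - . | gzip > "$2"
}

# Restore archive $1 into scratch directory $3 and verify it against
# manifest $2. Returns 0 only if extraction succeeds and every file listed
# in the manifest is present with a matching checksum; a file that was
# added after the backup ran, or that restores corrupted, makes it fail.
verify_restore() {
  archive="$1"; manifest="$2"; scratch="$3"
  # sha256sum -c runs from inside the scratch dir, so use an absolute manifest path
  manifest_abs="$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")"
  rm -rf "$scratch" && mkdir -p "$scratch" || return 1
  gzip -dc "$archive" | tar -C "$scratch" -xf - || return 1
  ( cd "$scratch" && sha256sum -c --quiet "$manifest_abs" ) || return 1
}
```

The point of the manifest is that "the archive extracted without errors" is not the same as "everything we need is in it"; regenerating the manifest from the live data and checking the latest backup against it catches files the backup job never picked up, which is exactly what a restore test should expose before ransomware does.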
A version of this article first appeared on Medscape.com.