Part 4: HIPAA Provides the Framework and We must act to prevent a Cyber-Attack

Data security

It was recently reported that cyber-attacks against doctors and hospitals are on the rise. These cyber-attacks are costly at over $6 billion per year for the U.S. healthcare industry. According to a report by the Ponemon Institute:

  • In just five years, cyber-attacks have more than doubled.
  • An average data breach costs a hospital $2.1 million.
  • Nearly 90 percent of healthcare providers were hit by breaches in the past two years, half of them criminal in nature.

What does this data tell us?

Anyone involved in the healthcare industry needs to take this real threat of cyber-attacks seriously. However, for some individuals and organizations, the threat of cyber-security is placed on the back burner until a security incident or breach occurs.

In this fourth segment of our HIPAA series, we will offer recommendations for making cyber security a high priority. We would also emphasize that this is a continuous process, not a one-and-done task left to simmer on the back burner.

Once a year whether we need it or not

Both the HIPAA Privacy Rule and HIPAA Security Rule provide us with a framework to protect health information. It is not uncommon for organizations to interpret this framework to mean that HIPAA is a process we must go through once a year, whether we need it or not. To reasonably address cyber-security and adequately safeguard protected health information (PHI), once a year is simply not enough.

Cyber criminals are constantly thinking of new ways to compromise information, most likely because the information contained in medical records is extremely valuable on the black market. Whatever their reason may be, we need to be thinking of ways to make cyber-security an ongoing high priority.

Recommendations for making cyber-security a high priority continuous process

The following list is by no means all-inclusive; rather, it offers three important recommendations for all organizations to consider:

1. Perform an initial Security Risk Analysis (SRA) and HIPAA Walkthrough, develop an action plan to address deficiencies, work on those deficiencies through the year, and make improvements; then repeat.

In our opinion, identifying deficiencies is a good start when it is followed up by the creation and implementation of a reasonable action plan. An action plan that is worked on throughout the year, instead of only at the time of an SRA and/or HIPAA Walkthrough, is one of the best ways to proactively prevent cyber criminals from attacking your organization.

2. Maintain an inventory of what devices and individuals are allowed to access information. Review logs and reports to ensure appropriate access.

An organization should be able to review logs and/or reports that show what information has been accessed, by whom, and when. Your inventory should include a list of all approved devices that are allowed to access PHI. Most EHRs have the ability to print out a report that shows who has accessed a patient medical record, when the record was accessed, and what information was reviewed and/or modified. These logs should be reviewed on a regular basis to ensure that only authorized individuals and devices have accessed sensitive information.
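As an added example (not from the original article or any EHR vendor), this script shows how the log review in recommendation 2 can be automated: each access in an EHR access report is checked against the inventory of approved users and devices, and a per-user summary of which records were touched is produced for the reviewer. The log format, user names, device names and patient IDs are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed inventory (hypothetical values): who may access PHI, and from which devices.
APPROVED_USERS = {"dr.lee": "physician", "nurse.kim": "nurse", "billing.ro": "billing"}
APPROVED_DEVICES = {"WS-EXAM-01", "WS-EXAM-02", "WS-BILLING-01"}

# Constructed EHR access report (not a real vendor format): timestamp,user,device,patient_id,action
SAMPLE_LOG = """\
timestamp,user,device,patient_id,action
2024-03-04T08:05:00,dr.lee,WS-EXAM-01,P1001,view
2024-03-04T08:07:00,nurse.kim,WS-EXAM-02,P1001,modify
2024-03-04T08:30:00,billing.ro,WS-BILLING-01,P1002,view
2024-03-04T09:12:00,jsmith,WS-EXAM-01,P1003,view
2024-03-04T23:41:00,dr.lee,LAPTOP-UNKNOWN,P1004,view
2024-03-04T10:02:00,nurse.kim,WS-EXAM-02,P1005,modify
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    device: str
    patient_id: str
    reason: str


def review_access_log(log_text, approved_users=APPROVED_USERS, approved_devices=APPROVED_DEVICES):
    """Return one Finding for every access the inventory does not authorize."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] not in approved_users:
            findings.append(Finding(row["timestamp"], row["user"], row["device"],
                                    row["patient_id"], "user not in approved inventory"))
        if row["device"] not in approved_devices:
            findings.append(Finding(row["timestamp"], row["user"], row["device"],
                                    row["patient_id"], "device not in approved inventory"))
    return findings


def accesses_by_user(log_text):
    """Summarize which patient records each user touched (what, by whom), for the periodic review."""
    summary = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        summary.setdefault(row["user"], set()).add(row["patient_id"])
    return {user: sorted(ids) for user, ids in summary.items()}


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}@{f.device} -> {f.patient_id}: {f.reason}")
    print(accesses_by_user(SAMPLE_LOG))
```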

3. Create a culture of compliance in the workplace.

Compliance isn't just something that should be completed once a year or whenever there is an incident; compliance is an ongoing process. Creating a culture of compliance is as easy as periodically changing a password, reporting suspicious emails, and/or not accessing the internet for unauthorized purposes. We all have a responsibility for creating a culture of compliance. Adherence by all employees to the policies and procedures that are in place to ensure the privacy, security and integrity of sensitive information is essential for cyber-security to be a high priority continuous process.

If it is true that nearly 90 percent of healthcare providers were hit by breaches in the past two years, it is not a question of if your organization will encounter a cyber-attack, but when. HIPAA does a good job providing us with the framework to adequately safeguard health information, and we have the responsibility to do so. If we are proactively creating a culture of compliance, reviewing access logs, and working on action plans that address deficiencies, we can do our part to minimize, and potentially prevent, a cyber-attack.

In case you missed it, here are parts 1-3 of our HIPAA Multi-Part Article Series:

Part 1: Clearing up the Confusion "HIPPA" vs HIPAA

Part 2: Permission Disclosures under the HIPAA Privacy Rule

Part 3: Mobile Device(s) Policy and Procedures

If you have any questions or concerns about our recommendations for preventing a cyber-attack or have any other questions, please feel free to comment below, send us an email at, or reach us toll-free at 855-427-0427.