In 2016, the Office of Civil Rights issued a record $20,000,000 in fines from enforcement actions related to various HIPAA (Health Insurance Portability and Accountability Act) violations. The first quarter of 2017 saw more than $11,000,00 in fines from OCR. This is the most obvious proof that OCR is further stepping up HIPAA enforcement and will be expanding its list of potential targets.
The primary reason for the increased vigilance? The Internet. While HIPAA was enacted in the age of interconnectedness, it was the inadvertent exposures of patients’ sensitive data (a stolen or forgotten laptop here, a mistakenly emailed list there) that drove the various provisions. But with the explosion of global hacking, it’s the potential exposure/theft of this valuable data by nefarious actors anywhere in the world that has both regulators and medical practitioners on edge. So, what’s the solution?
The big-picture answer is fairly straightforward. Like all answers, though, the details are more complicated. As this is a 600-word posting, we’re going to stick with the big-picture answer. (And even that is boiled down to three high-level steps below.)
Step 1: Hire the Right Resource
Just like in medicine, choosing the right provider is key to your health (in this instance, your IT/data health). And like the medical world, technology has general practitioners and specialists. When it comes to your practice’s overall IT/data setup, support, and security, general practitioners are usually the better choice, given their broader experience with different technologies. That does not mean you don’t/won’t need a specialist, but usually your IT GP will point you in their direction.
Determining the “right” resource takes homework (possibly legwork). The most common route is to ask a fellow medical practice. There’s also online research on potential candidates and discussions with other types of businesses, because at the end of the day, most technology is ubiquitous. Definitely interview potential vendors. This step is often overlooked, but it’s a great way to vet them.
Smaller practices will most likely outsource the IT role; larger facilities may have enough work to justify a full-time hire (or hires). You ideally want a resource that can efficiently build and manage your environment, support your cadre of users, and keep a level head if something goes wrong. And don’t believe that voice in your head saying, “It won’t happen to us,” because something will eventually happen to you.
Step 2: Plan, Prepare, Practice
Here’s where the real work begins.
For practical – and sometimes legal – purposes you need a step-by-step game plan detailing how you’ll respond to a cyber event. These are essentially if/then scenarios for probable incidents. So no, you don’t need to build solutions for alien invasions (unless you really want to). If your selected IT resource has been in the tech game for any reasonable amount of time, they’ll already have potential scenarios sketched out. Finish these sketches by adding recovery/continuity steps specific to your practice.
Having a plan does little if you’re not set up to actually implement it. Here’s where the practical application of your plan is made real. Hardware, software, cloud services, and various other solutions should be deployed, all designed to meet the requirements of the above-mentioned plan. The entirety of your IT setup should be documented; we’d recommend a visual diagram to help non-techies understand how it’s all connected. Once everything is in place and tested, you then…
- Practice, Practice, Practice
Just because your plan and systems look good on paper doesn’t mean you get to take them on faith. You must put everything and everyone to the test, at least twice per year. You test for data breaches; you test for systems failure; you test for rogue employees; you test for ransomware or virus outbreaks; you test for the simple and the complex. Telling a regulator about your plan won’t get you very far if you can’t prove to them that it works in execution.
Step 3: Insure
You could have the best plan in the history of plans, spend more money than any of your contemporaries would imagine, and you will still suffer some sort of cyber incident. There is no foolproof, 100%-protected solution. That’s why you practice various scenarios. It’s also why cyber liability insurance (CLI) has become such a hot topic.
The costs of cyber incidents are skyrocketing. Even a minor event could cascade into a multi-figure fine, lawsuit, or settlement. CLI is designed to minimize, and possibly eliminate, the financial impact of most cyber incidents (not all; read your exclusions). Depending on the policy, CLI will pay for lawyers, regulatory fines, recovery of systems and data, notifications and credit monitoring services, and a host of other related expenses. Given the proliferation and indiscriminate nature of most cyber incidents, CLI is almost a mandatory coverage for medical providers.
For most medical providers, technology is frustrating. It’s also essential to delivering the best care and staying competitive in the evolving marketplace. Frustrations can’t blind you to the fact that technology requires your constant attention, and not just for the sake of your patients. Your very livelihood is connected to those blinking lights, so focus on building the best, most efficient solution you can, and then be ready when it all goes boom.
Sean O'Rourke is cofounder and former president of Syzygy 3, Inc., a technology consulting and services firm. Sean now consults on Cyber Liability Insurance for Combs & Company, an innovative insurance brokerage located in NYC. Sean's two-plus decades in technology give him a unique perspective on the cyber risks facing small- and mid-sized businesses and how best to address them through CLI.