The HIPAA Risk Assessment: The First Step in a Long Journey

December 11, 2015 at 10:20 AM

Every year, experts predict what the coming year will hold for the cybersecurity industry: which trends will dominate, what new threats we might face, and how those threats might affect the average person. For years the focus was on credit card security and the stream of payment card breaches that kept coming. At the end of 2014 we started to hear rumblings that healthcare would be a target in 2015 and beyond. Why would that be? Why would hackers and thieves go after the healthcare market, and what would they gain if they were successful?

To answer those questions, we have to look at this from a different perspective than we used to: money. Today, hacking is a big business that generates millions of dollars for criminal enterprises and organized crime around the world. Credit card numbers sell for pennies on the dollar in underground markets and are bought in volume, because a stolen card can typically be used only once before the bank is alerted to suspicious activity and shuts it down. Unfortunately, that happened to me twice in the past 2 years, at Target and the Home Depot. It is a volume game. But what about medical records and personally identifiable information (PII) such as your driver's license number, Social Security number, and other identifying details? That data is worth far more and can be far more damaging to the individual it is stolen from. The reason is simple. Think about how fast your credit card can be replaced and re-issued: it happens quickly, and while it is inconvenient, the pain lasts a couple of weeks to a month and then you are back to normal. But what happens if someone steals your Social Security number? That is not easily replaced, and it is the gateway to the rest of your life.


In 2015, the top ten breaches on the Department of Health and Human Services "Wall of Shame" accounted for almost 111 million patient records. To put that in perspective, that is roughly 34% of the population of the United States whose personal information was stolen in an IT/hacking incident in healthcare. In the majority of these incidents there was one common thread: no HIPAA Risk Assessment had been conducted, or, if one had, its recommendations were not followed. Healthcare remains a prime target for hackers for a number of reasons, including:

  • Limited IT Security Funding - In a recent study by KPMG, 47% of providers said that they felt adequately prepared for a cyber attack. While this is a topic being discussed at the Board level, only 53% feel they have adequate funding for IT security initiatives.
  • Compliance Confusion - What does it take for an organization to be compliant with the HIPAA/HITECH regulations? How often does a HIPAA Risk Assessment need to be conducted? Organizations struggle to understand what needs to be done and when.
  • "It can't happen to me" syndrome - This is a big one and possibly the most dangerous reason we come across. Organizations of all sizes feel that a breach cannot and will not happen to them, which gives them a false sense of comfort and security. I saw a speech given by the former head of Homeland Security who said that there are two types of companies out there: those that have been breached and know about it, and those that have been breached and don't know about it. Hacking is a numbers game, and if you don't have documented proof of the steps you took to safeguard your PHI and PII, you could be in for a very rude awakening!

What can healthcare organizations do to mitigate the risk of a breach and the hefty fines that can come with it? It starts with the HIPAA Risk Assessment: understanding where the gaps are in your people, process, and technology, and how you can mitigate those risks. It is also worth spending time understanding what is required of you, to avoid the Compliance Confusion listed above. If you don't know what you need to do and when, you cannot possibly be compliant. For example, the risk assessment is not a one-time exercise: it should be repeated at least yearly and updated whenever there are changes in people, process, or technology. The bottom line is to be educated about what you need to do to comply, and to seek expertise when you need assistance. For more information on how Compass IT Compliance can help your organization, contact us!
