By Jack Anderson
October 30, 2014
The healthcare industry has not taken the precautions that banks and other financial institutions have taken because it didn’t think that hackers would be interested in its data. That is no longer true, as hackers can get 10-20 times as much for a medical record as they can for a credit card record. Medical identity theft pays very well and the hackers see lucrative opportunities. Privacy and security experts warn that any organization that has electronic medical records should plan on getting hacked. They also recommend that these organizations take all precautions, such as HIPAA compliance, to protect themselves from class action lawsuits if or when the hack occurs. In general, a class action lawsuit will ask for $1,000 per patient in damages. Here in California, institutions such as Stanford Hospital have settled these cases for millions of dollars. Multiply the number of patient records you maintain by $1,000 and ask yourself if you could pay that, or even just the legal fees to defend your company. There is at least one instance of a California billing company that declared bankruptcy rather than dealing with the results of a HIPAA data breach.
Another reason hackers are targeting healthcare organizations is that the breaches often go unnoticed for long periods of time. This gives them extra time to sell their goods without worrying about law enforcement. Many of the larger breaches listed on the HIPAA Wall of Shame went undetected for months or even years and it is a safe bet that many smaller breaches have never been discovered.
Smaller organizations such as physician practices have been encouraged to switch to EMR or EHR systems, which create pools of medical records that are very poorly protected. Audits have shown a greater risk in smaller organizations that have chosen to rely on their “invisibility” rather than spend the money to become HIPAA compliant.
If you haven’t done a HIPAA risk assessment in the last 12 months, you probably don’t even know where your risks might lie. While it is not a replacement for a HIPAA risk assessment, our free HIPAA Compliance Checklist will give you a general idea of the level of risk in your organization. You can get a free copy at www.compliancehelper.com, or if you have questions, contact me at Jack@ComplianceHelper.com.