Q&A: When hackers have your healthcare IT department outgunned

By Tim Sandle     Nov 30, 2019 in Technology
Keeping on top of regulations, including HIPAA compliance, is a burdensome task for any healthcare IT department, especially one that is cash-strapped or low in headcount. So what can they do? Max Pruger of Kaseya has some answers.
Between quickly evolving U.S. Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) regulations, it’s now more necessary (and difficult) than ever for healthcare IT departments to ensure they’re following their industry’s rules and standards.
Failing to comply with regulations like these could not only result in legal issues and hefty fines but data privacy issues as well. This includes everything from compromising sensitive company credentials to exposing one of the most lucrative jackpots to Dark Web attackers - patient and client data, which is now worth 10 times more than credit card info.
Max Pruger, General Manager of Compliance at Kaseya, explains how healthcare organizations can make sure they are up to date on industry compliance standards in the most cost-effective way possible.
Digital Journal: How are privacy rules impacting the healthcare IT sector?
Max Pruger: HIPAA has received blame for burdening health care providers and organizations that need to coordinate care across different groups of caregivers and agencies. It has also been an obstacle to sharing information with friends and family members of patients with mental health and substance abuse problems. Compounding this is a separate law, titled 42 CFR Part 2, that gives higher levels of protections to patients seeking substance abuse treatment.
As part of its initiative to reduce regulatory burdens, the current administration has proposed eliminating the requirement for doctors and hospitals to get written acknowledgements from patients receiving a Notice of Privacy Practices. They see this requirement as unnecessary, with little to no impact on improving patient care.
DJ: What are the consequences of failing to comply with the new rules?
Pruger: There haven’t been any new rules since the Omnibus Rule in 2013. Last year the OCR put out a request for information and comments about modifying the Privacy Rule. Comments were requested and due in February 2019, but so far, no changes have been made.
DJ: What are the risks of patient data being exposed?
Pruger: For a covered entity, exposing patient data through a breach can result in hefty fines, lawsuits, loss of reputation and potential bankruptcy. For a patient whose records have been exposed, their primary risk is identity theft. Cyber criminals with healthcare data can file false tax returns, make false insurance claims, apply for credit cards and take out loans. Unlike a compromised credit card, it’s very difficult for a patient to cancel their medical records. That’s why stolen medical records typically sell for 8 to 10 times more than a stolen credit card on the dark web.
DJ: What types of threats does healthcare IT need to watch out for?
Pruger: Data theft, ransomware, business email compromise, and unauthorized access, whether internal or external, are all common threats to healthcare organizations.
DJ: Where are these threats coming from?
Pruger: These threats are coming from both internal and external sources. Internal risks can simply be people making mistakes or not being properly trained to recognize phishing emails. They can also be disgruntled or malicious employees who willingly compromise and steal patient data in exchange for monetary or personal gain. External sources are usually cyber criminals looking to make money by selling valuable patient records or encrypting data for ransom.
DJ: How can healthcare IT departments keep on top of these various challenges?
Pruger: The best way for healthcare IT departments to keep on top of these challenges is to implement an ongoing compliance service and do more than the HIPAA-required minimums. There is a misconception that organizations need to do an annual risk analysis because that is a requirement in HIPAA and the MIPS incentive program. However, risks don’t use a calendar. Mitigated risks may go away, but new risks will take their place, and may be hidden from plain sight.
Do-it-yourself assessments using questionnaires are not effective. You may think you are healthy while you have serious risks under the skin of your network. It takes a technical assessment tool, specifically designed for healthcare organizations to find ePHI and identify risks, that can be scheduled to run on a regular basis to validate that cybersecurity efforts are working and identify new problems before they cause breaches.
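The answer above describes a scheduled technical scan that finds ePHI on the network rather than relying on a questionnaire. The script below is an added illustration of the idea, written for this page; it is not Kaseya's tool or any product mentioned in the interview. It walks a directory tree, flags files containing a few assumed ePHI indicators (SSN-shaped numbers, medical record numbers, dates of birth), and reports per-file counts so that the same job can be re-run nightly and its output compared over time. The regular expressions and the sample files are constructed assumptions for the example, not a validated pattern set.

```python
"""Illustrative scheduled ePHI discovery scan (example code, not a vendor product)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Assumed indicators of electronic protected health information (ePHI).
# A production assessment tool would use a tuned, validated pattern set.
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
# Only text-like files are inspected in this example.
SCAN_EXTENSIONS = {".txt", ".csv", ".log"}


@dataclass
class Finding:
    """One file that contained at least one ePHI indicator."""
    path: str
    counts: dict = field(default_factory=dict)

    @property
    def total(self) -> int:
        return sum(self.counts.values())


def scan_text(text: str) -> dict:
    """Count each ePHI indicator present in a piece of text."""
    counts = {}
    for name, pattern in EPHI_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[name] = hits
    return counts


def scan_tree(root: str) -> list:
    """Walk a directory and report files whose contents contain ePHI indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if counts:
                findings.append(Finding(path=os.path.relpath(path, root), counts=counts))
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory: one file with fake ePHI, two without."""
    root = tempfile.mkdtemp(prefix="ephi-scan-")
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "patient.txt"), "w", encoding="utf-8") as fh:
        fh.write("Patient: Jane Doe (constructed sample)\n"
                 "MRN: 00123456\nDOB: 04/12/1975\nSSN: 123-45-6789\n")
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Nightly export job. Runs at 02:00; ticket 2019-1130.\n")
    with open(os.path.join(root, "backup.bin"), "wb") as fh:
        fh.write(b"\x00MRN: 99887766\x00")  # skipped: extension is not scanned
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(f"{finding.path}: {finding.counts} ({finding.total} indicators)")
```

Scheduling this from cron or a task scheduler and diffing successive reports gives the "new problems before they cause breaches" signal the answer calls for: a file that appears in one night's findings but not the previous night's is the item to investigate.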