Danger, Will Robinson!

CBS Television. [Public domain], via Wikimedia Commons

Have you read the FBI Cyber Division warning to the healthcare industry? There really isn’t anything surprising in there for many of us who work in the medical industry. The report itself more or less acknowledges that it will fall on deaf ears, which is why the catchphrase in the title of this article came to mind when I read it.

If you look up the phrase on Wikipedia, you will see the following explanation:

In everyday use, the phrase warns someone that they are about to make a mistake or that they are overlooking something.

The FBI report references a recent SANS report saying (emphasis added):

…health care security strategies and practices are poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property. … The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.

The report goes on to include other tasty treats of data from additional studies (emphasis added):

45% reported that their organizations have not implemented security measures to protect patient information

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR… EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

I have people tell me every week how they know they need to do more to meet just the minimum requirements for HIPAA Security. I appreciate their confidence when they say “If something happens I will be calling you!” I do not feel comforted by that at all. I would much rather be involved in just doing the work to prevent attacks, or at least to notice them quickly. That isn’t easy, but it sure is easier and less stressful than dealing with an actual theft of data. I am always certain there is going to be a cyber attack. I watch them trying to break in all day, every day. The enemy is constantly at the gates of my networks and every network out there. No one is immune and no fortress is truly impenetrable.

If you do believe you have it all covered, you really need to be doing a Risk Analysis and an audit of what is actually happening on your network. You should never feel comfortable enough to say you have it covered. You should be in the place that says, ‘we are doing everything we can to protect health information, and we know we need to stay vigilant in our efforts’.

If you have not implemented security measures (read: the HIPAA Security Rule), you really should pay attention to this information. They aren’t kidding when they say EHR theft can take twice as long to detect as normal identity theft. You could be leaking all your data right now and have no idea at all that it is happening. By the time you do know, it will be much too late. The damage to your systems, patients, clients, reputation and bank account will not be minor.
