Healthcare organizations face an ever-growing, and sometimes onerous, list of IT rules, regulations, and laws that must be followed. Failing to do so can result in reputational damage, hefty penalties, or both.
Failure to follow the rules can be costly
One example is the Oklahoma State University Center for Health Services (OSU-CHS), which recently agreed to pay $875,000 to settle potential HIPAA violations stemming from a data breach. Fines of this kind are often assessed at as much as $25,000 per violation, and because each compromised record can count as a separate violation, the cost of a breach adds up quickly.
In this case, a hacker installed malware on one of OSU-CHS’s web servers that held electronic protected health information (ePHI). More than 275,000 individuals were affected, and the breach resulted in the unauthorized disclosure of their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and medical treatment information.
New NIST resources provide a roadmap for MSPs
Protecting healthcare data involves much more than HIPAA alone. It is a complicated labyrinth, and most IT departments, unless they specialize in healthcare, do not have someone on staff who knows all the rules.
Newly updated cybersecurity guidance for the healthcare industry from the National Institute of Standards and Technology (NIST) could help IT departments working in healthcare find their way.
NIST’s new draft publication (the draft revision of NIST Special Publication 800-66) is designed to help the industry maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI). The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations. The new HIPAA resource guide should provide a road map for IT departments and other organizations that handle PHI.
Drawing on the NIST guidance and our own experience, we suggest that IT departments:
- Look for leaks: Some organizations assume they have an airtight seal on PHI, but a deeper review of web servers, file shares, backups, and data exports often reveals unknown exposures.
- Assess your response: Decide in advance what happens if a threat actor does somehow manage to scrape PHI from one of your systems or clients, and how you would detect, contain, and report it.
- Address remote-work risk: Many organizations went remote almost overnight and never put proper controls in place for remote access to PHI.
- Encrypt email: This is cybersecurity 101, but many healthcare entities still do not fully embrace it.
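The "look for leaks" step is easier to act on with a concrete check. The following is an added example written for this page; it is not code from the original post, from Access Tech, or from NIST. It walks a directory tree (for instance a web root like the one compromised in the OSU-CHS breach) and counts strings that look like ePHI. The regular expressions, file-type list, and sample export file are assumptions constructed for illustration: real identifier formats differ by state and system (Medicaid IDs especially), so the patterns must be tuned per environment.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative ePHI patterns (assumptions, not authoritative formats).
# Medicaid ID format varies by state; this guesses "0-3 letters + 7-10 digits".
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "medicaid_id": re.compile(
        r"\bMedicaid\s*(?:ID|#|No\.?)?\s*[:=]?\s*[A-Z]{0,3}\d{7,10}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:=]?\s*\d{6,10}\b", re.I),
}

# Only text-like files are read; binaries and huge files are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".html", ".xml", ".bak"}

# Constructed sample export (fictional people and numbers), used by demo().
SAMPLE_EXPORT = """patient_name,dob,medicaid_id,ssn,mrn
Jane Doe,DOB: 04/12/1971,Medicaid ID: OK12345678,123-45-6789,MRN 00418273
John Roe,DOB: 11/02/1965,Medicaid ID: OK87654321,987-65-4321,MRN 00418274
"""


def scan_text(text):
    """Return {pattern_name: match_count} for every ePHI-looking pattern found."""
    counts = Counter()
    for kind, pattern in PHI_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[kind] = hits
    return dict(counts)


def scan_tree(root, max_bytes=5_000_000):
    """Walk `root` and return [(relative_path, counts)] for files with findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > max_bytes:
            continue
        counts = scan_text(path.read_text(errors="replace"))
        if counts:
            findings.append((path.relative_to(root).as_posix(), counts))
    return findings


def demo():
    """Build a constructed web-root-like tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "public_html").mkdir()
    (root / "public_html" / "export.csv").write_text(SAMPLE_EXPORT)
    (root / "public_html" / "index.html").write_text(
        "<html><body>Clinic hours 8-5</body></html>")
    (root / "app.bin").write_bytes(b"\x00" * 64)  # non-text suffix, skipped
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, counts in demo():
        print(f"{rel_path}: {counts}")
```

Run against a real web root or file share, any hit is a lead to follow up by hand: the point is to find data sitting where it should never have been written, such as a forgotten CSV export under a web root, before a malware operator does.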
Taking extra precautions to prevent a breach costs far less than recovering from one. At Access Tech we know how securely personal data needs to be kept, and we can help you find peace of mind through our security expertise. Contact us at Access Tech: we can assess your business’s security, find where the holes are, and show you how to patch them. We have been helping businesses connect business strategy with IT solutions for years.