By William A. Ruskin
The smart players in the health care industry are being pro-active in seeking to prevent data breaches from occurring before hackers strike. Once a security breach has occurred, even the best litigation team cannot put the genie back into the bottle.
In the world of health care, data is going digital, devices are going mobile and technology is revolutionizing how health care is delivered. As health care organizations continue to digitalize their operations, they know to guard against typical risks such as lost laptops and thumbdrives. However, possibly unbeknownst to them, hackers may be looking for ways to infiltrate their networks to surreptitiously peruse confidential financial records and sensitive patient information.
Cybersecurity breach may be the new toxic tort because a single breach can potentially affect the lives of thousands of people. Experts estimate that when electronic protected health information (“e-PHI”) is compromised in a cybersecurity breach, it can cost an average of $233 per patient record to clean up the problem.
There is a thicket of state and federal statutes that regulate the protection of e-PHI. Both the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Health Act (“HITECH”) impose obligations on health care entities in the cyber security arena.
Significantly, there has been increased scrutiny of data breaches by the Office of Civil Rights (“OCR”) at the Department of Health and Human Services, which generally responds to data breaches by aggressive HIPAA enforcement. Recent amendments to the HIPAA breach notification rules require the health care industry to increase breach reporting, which will likely result in increased enforcement for non-compliance.
In a recent article in Law360 titled, “A Framework for Beating Health Care Hackers,” my colleague Alaap Shah observed that cyber risk analysis is key in preventing emerging cyber threats. “Hackers benefit when their activity goes undetected. Auditing helps to identify and assess system vulnerabilities. Using audit logs and tracking capabilities effectively can help organizations safeguard their systems from intrusion by hackers.”
Shah notes that an audit control framework exists under the HIPAA rules, which “require entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI.” Standards developed by the National Institute of Standards and Technology (“NIST”) can help organizations detect unauthorized activity within systems. Gaining this insight is necessary in identifying effective risk management solutions and strategies.
As health companies continue to avail themselves of 21st century digital technologies, security has naturally become a growth area within these organizations' operations and corporate executives are becoming increasingly involved in the management of privacy concerns. As such, the responsibility for protection against hacking has stretched beyond its traditional purview within the IT department and into the highest levels of the executive suite.
To avoid the cost of data breach recovery with all of the attendant adverse publicity and possible regulatory sanctions, health care companies are utilizing HIPAA risk analyses and the NIST cyber security framework to implement effective controls to identify and monitor e-PHI risk.
For more cutting edge commentary on developing issues, visit Toxic Tort Litigation Blog by William A. Ruskin of Epstein Becker & Green.
For more information about LexisNexis products and solutions, connect with us through our corporate site.
Health care, Cybersecurity Breach, William A. Ruskin, health care hackers, HIPAA, privacy, Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Health Act, HITECH, Office of Civil Rights, Department of Health and Human Services