By Mathieu Gorge, CEO and founder, VigiTrust.
The COVID-19 pandemic has created a number of personal health data challenges for both healthcare organizations and private businesses alike. From vaccine passport requirements and businesses handling incredibly sensitive information on their employees, to healthcare workers accessing sensitive patient data while working from home, the health crisis has created unprecedented data security and compliance challenges for employers and healthcare providers.
COVID-19’s Impact on Data Security
When COVID-19 first hit, many healthcare organizations shifted to a partially remote workforce overnight. This meant that healthcare administrators were using personal devices and had access to systems and data that they previously could only access on their employers’ network. The focus was on productivity and business continuity, not cybersecurity.
However, over a year later, we are still using this makeshift IT environment and the increased cyber risks have not been addressed. By accessing patients’ private healthcare information from personal devices or home networks, administrators are doubling or tripling the risk of a breach.
Why Do Criminals Want Healthcare Data?
There are several regulations designed to protect personal data, but health data presents unique challenges. For example, if my credit card were stolen, I can be assured that PCI would cover any losses due to my banks’ contractual obligations with credit card companies. However, my health data – including DNA, disease history and medical conditions – are fully unique. No one can reimburse me with a new set of personal health information!
Criminals understand this, which has led to a rise in personal health data being stolen. Many hackers are now breaching health systems’ networks for personal information, and demanding ransom from individuals to keep that data private.
Furthermore, healthcare workers have been under increased pressure due to the pandemic, which has made hospitals and health systems a more appealing and “softer” target for hackers.
By Ken Lynch, founder, Reciprocity.
The HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether your business is compliant with the HIPAA or not can have a huge impact on how you handle your business. If you are non-compliant, you risk being involved in data breaches, which results in a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies as well as appearing on the wall of shame, which is a site that lists health-related organizations that have undergone data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus rule outlines how business associates should carry themselves out and how they interact with the covered entity. Recent updates to this rule expanded the omnibus rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The security rule is meant to control how businesses handle electronic Protected Health Information (ePHI). It requires businesses to have the right safeguards for protecting the confidentiality security and integrity of ePHI. These safeguards are divided into three, including: