
Accidental data breach by clicking ‘Send’


Merely having a HIPAA-compliant email service isn’t enough to keep a clinic or agency within the regulations. The organization still needs to train its employees to use the Health Insurance Portability and Accountability Act (HIPAA) compliant service properly, and to implement the policy and administrative measures needed to guard its electronic Protected Health Information (ePHI) records. If these aspects aren’t addressed, an organization can easily find itself suffering a significant breach, the resulting fines and penalties, and possibly failure.

Data breaches have become one of a medical clinic or insurance agency’s greatest fears. Once you add up the reparations, penalties, recovery costs and the ensuing investment in new security measures, data breaches are unbelievably expensive, and that is before accounting for the interruption to regular business or the long-term damage to brand reputation. 60% of all organizations that experience a data breach fail within the next 120 days … 120 days!

A clinic in Michigan closed its doors on April 1st, 2019, just months after a ransomware attack deleted EVERYTHING. http://www.startribune.com/all-of-records-erased-doctor-s-office-closes-after-ransomware-attack/508180992/
Only 3 weeks ago, Eye Care Associates in Ohio suffered a trojan virus attack that severely affected their ability to do business, and as of today (8/16/19) they are still struggling to recover and keep their doors open. https://businessjournaldaily.com/eye-care-associates-hit-by-ransomware-attack/

In both of these examples the clinics did not lose any patient data, but where the attack succeeded was in interrupting business operations, damaging reputation and destroying company data, costing them patient bookings and eventually, for Dr. Scalf and Dr. Bizon, the closure of their clinics.

Analyzing all breaches over the past 5 years shows that encryption is the most suitable way to keep data confidential, both in transit and at rest.

When organizations evaluate their need for email security, they all come to the conclusion that they need better access control, encryption, measures to ensure data integrity, documentation that the email is secure and much more. Some will find that they need more advanced mechanisms than others, such as opt-out email encryption to reduce the chances of employees accidentally causing data breaches. Ultimately, some businesses may decide that they have the capabilities to make their emails HIPAA-compliant in-house.

Others will choose to go with a HIPAA-compliant provider, like 10D Tech, that understands how to mitigate the problem in this complex regulatory world. This approach is generally easier and shares the risk with the provider, as long as a Business Associate Agreement (BAA) is signed. When audited, a clinic or organization simply refers to its provider for the documentation and reports of compliance. The end result of either method will be more than just HIPAA compliance. If your company has been judiciously following HIPAA’s recommended path of performing security reviews and implementing mitigation strategies, then it will end up with a secure email system as well. With the right systems in place, an organization will reduce its chances of suffering a data breach.

Accidentally causing a data breach is as easy as clicking ‘Send.’ Are you prepared?
