Things Change (or Maybe They Don’t)
I am old enough to remember when the internet wasn’t. I can spin all kinds of tales about life before the internet and cell phones and things. But we will save that for the bar at the Academy meeting! Today, I am on a roll about security. Yep. Let me start with some statistics. In 2022, hacking accounted for nearly 80% of all healthcare data breaches. And yes, you are a healthcare provider. That can be topic number two at the bar. According to a report released by the HHS Office for Civil Rights on 1/23/2023, this represents a 45% increase from just 5 years ago.
It is easy to discount the risk of a data breach at your company; after all, in the scheme of things you’re a relatively small fish, right? But in the eyes of malicious actors, you are a prime target precisely because you hold valuable data and are expected to pay. Healthcare entities are roughly two-thirds more likely to pay a ransom to recover their data than non-healthcare entities, according to a recent report by Sophos.
If cybersecurity alone is not enough to get you to take notice, there is this other thing out there known as HIPAA. You are a “Covered Entity” whether you like it or not, and there are obligations that go along with that status. Whether a hacker breaks in and steals your data, a worker leaves a screen where prying eyes can read it, or multiple people share a login to an account that holds PHI, the penalties are the same. Most HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment.
A password is the standard way of authenticating access to digital services and systems. It is supposed to be secret so that only the account owner, or those granted rights, can view or modify important data. Unfortunately, many people are careless about safeguarding passwords, leaving their accounts open to hacking and other attacks. The following chart may surprise some of you:
When reasonable precautions are circumvented or not implemented and a disclosure of PHI occurs, it will most likely be deemed a “Tier 2” violation, which in 2022 carried a MINIMUM fine of $1,280 PER VIOLATION (two disclosures are two violations) and a maximum penalty of $1,919,173 per year.
In 2022, over 80% of the fines and penalties levied were for violations involving a single individual. For example, one physician was fined $50,000 for “Impermissible disclosure on social media.”
As an owner, if you think your risk is low, you should look at the chart above. The Office for Civil Rights is expected to continue to aggressively enforce HIPAA compliance in 2023 after a record-breaking year of HIPAA fines and settlements. Put protections in place so that screens showing patient information cannot be read by people who should not see them (position monitors away from waiting areas and walkways, and use privacy filters where that is not possible). Make sure people do not share passwords, that each person has their own login, that they log off or lock systems when not actively using them, and that they don’t write down passwords on a piece of paper; a password manager is the practical alternative to sticky notes. I know it’s a pain, and time-consuming, but not nearly as big a pain as it would be if you have a data breach or cyber attack. It is time to change our behavior and awareness.