
Recent Cybersecurity Worries for Health Care Companies

Published on

October 10, 2018

October has already had a haunting effect on health care providers given the two big news stories related to compromised patient information.

The Journal of the American Medical Association recently released a staggering study regarding the recent data breaches that health care providers have been experiencing. The study reported that from 2010 through 2017, there were 2,149 data breaches reported by business associates, health plans and health care providers. Those breaches exposed 176.4 million records, according to the study.

While in 2010 the most common form of a breach was from a laptop or paper films, by 2017 the most common form of a breach was to network servers and emails. In 2017 alone, 132 million records cumulatively were breached due to hacking or an IT incident. The most common breach was through a health care provider, which accounted for 70 percent of the breaches. This study indicates that cyber hackers are targeting health care providers’ networks and IT systems.

Hospital Employee Missteps

Then there was the recent $1 million settlement of three Boston hospitals related to potential HIPAA violations, proving there is a hefty price to pay when Protected Health Information (PHI) is not properly protected. This settlement arose from a compliance review investigation by the federal Office for Civil Rights after it learned that one Boston hospital was allowing ABC to film a documentary at the hospital.

The investigation revealed the hospital had impermissibly disclosed the PHI of patients to ABC employees during the filming of the documentary. Massachusetts General Hospital paid the stiffest fine of $515,000, Brigham Women’s Hospital paid $384,000 and Boston Medical Care paid $40,000 in fines related to accusations from the Department of Health and Human Services and Office for Civil Rights for failure to appropriately and reasonably protect their patients’ PHI from disclosure.

Although the results of the JAMA study show this type of employee-related compromise is on the downtrend when compared to incidents of network and IT breaches, the corrective action plans two of the three Boston hospitals agreed to complete are instructive since they can be molded to apply to network and IT breaches.

Making A Plan

The plans require the hospitals to develop processes, policies and procedures that:

  • Address and evaluate HIPAA compliance
  • Monitor access of PHI
  • Provide internal reporting procedures to report and promptly investigate any violations of the hospitals’ policies
  • Identify agents or representatives that employees can contact regarding HIPAA compliance
  • Apply sanctions against employees who violate the hospitals’ policies

The hospitals then must distribute the policies and train their employees on them. Any new employee must also receive the same training. The hospitals must also provide an implementation report that includes:

  • A copy of all training materials
  • Summary of employee violations of the new policies
  • Confirmations by an owner or officer that the new policies are being implemented, employees have completed required training, the hospitals have complied with obligations of the plan, and that the report is truthful and accurate.

If a health care provider were to implement similar processes, policies, procedures and reporting related to protecting PHI from network and IT breaches, then this would be a beneficial initial defense that would likely help reduce the breadth of any breaches. It would also limit any hefty penalties that could arise from any breaches.

If you have any questions about the cybersecurity protection requirements, please contact me or any other member of the Barley Snyder Health Law Industry Group.

