Back to News

Recent Cybersecurity Worries for Health Care Companies

Published on

October 10, 2018

October has already had a haunting effect on health care providers given the two big news stories related to compromised patient information.

The Journal of the American Medical Association recently released a staggering study regarding the recent data breaches that health care providers have been experiencing. The study reported that from 2010 through 2017, there were 2,149 data breaches reported by business associates, health plans and health care providers. Those breaches exposed 176.4 million records, according to the study.

While in 2010 the most common form of a breach was from a laptop or paper films, by 2017 the most common form of a breach was to network servers and emails. In 2017 alone, 132 million records cumulatively were breached due to hacking or an IT incident. The most common breach was through a health care provider, which accounted for 70 percent of the breaches. This study indicates that cyber hackers are targeting health care providers’ networks and IT systems.

Hospital Employee Missteps

Then there was the recent $1 million settlement of three Boston hospitals related to potential HIPAA violations, proving there is a hefty price to pay when Protected Health Information (PHI) is not properly protected. This settlement arose from a compliance review investigation by the federal Office for Civil Rights after it learned that one Boston hospital was allowing ABC to film a documentary at the hospital.

The investigation revealed the hospital had impermissibly disclosed the PHI of patients to ABC employees during the filming of the documentary. Massachusetts General Hospital paid the stiffest fine of $515,000, Brigham Women’s Hospital paid $384,000 and Boston Medical Care paid $40,000 in fines related to accusations from the Department of Health and Human Services and Office for Civil Rights for failure to appropriately and reasonably protect their patients’ PHI from disclosure.

Although the results of the JAMA study show this type of employee-related compromise is on the downtrend when compared to incidences of network and IT breaches, the corrective action plans two of the three Boston hospitals agreed to complete are instructive since they can be molded to apply to network and IT breaches.

Making A Plan

The plans require the hospitals to develop processes, policies and procedures that:

  • Address and evaluate HIPAA compliance
  • Monitor access of PHI
  • Provide internal reporting procedures to report and promptly investigate any violations of the hospitals’ policies
  • Identify agents or representative that employees can contact regarding HIPAA compliance
  • Apply sanctions against employees that violate the hospitals’ policies

The hospitals then must distribute the policies and train their employees on them. Any new employee must also receive the same training. The hospitals must also provide an implementation report that includes:

  • A copy of all training materials
  • Summary of employee violations of the new policies
  • Confirmations by an owner or officer that the new policies are being implemented, employees have completed required training, the hospitals have complied with obligations of the plan, and that the report is truthful and accurate.

If a health care provider were to implement similar processes, policies, procedures and reporting related to protecting PHI from network and IT breaches, then this would be a beneficial initial defense that would likely help reduce the breadth of any breaches. It would also limit any hefty penalties that could arise from any breaches.

If you have any questions about the cybersecurity protection requirements, please contact me or any other member of the Barley Snyder Health Law Industry Group


Related News

View More News
News Alert
March 22, 2024

More Government Scrutiny of Private Equity’s Role in Healthcare, Including Nursing Facilities

On March 5, 2024, the U.S. Department of Health and Human Services (HHS), F...

Learn More
Press Release
March 15, 2024

Barley Snyder Partner Jeff Lobach Selected to CPBJ Power 100 List for Fourth Consecutive Year

For Immediate Release York, PA – For the fourth consecutive year, par...

Learn More
Newsletter
February 23, 2024

Barley Snyder 2023 Year In Review

Check out what the professionals of Barley Snyder have been up to in 2023 a...

Learn More

Other Upcoming Events

View All Upcoming Events
May
02
8:00 am
-
10:30 am
event
Location

Wake Up With Barley – A Morning on Real Estate 2024

Learn More
May
10
12:00 pm
-
5:00 pm
event
Location

Title IX Training: New Regulations & Updates – An Extension of the Employment Law Seminar

Learn More
Apr
10
12:00 pm
-
6:00 pm
event
Location

LendiCon 2024

Learn More

Get in Touch

Our attorneys, paralegals and staff look forward to hearing from you. Please reach out to let us know how we can help.

Get In Touch
RECOGNIZED IN
Super Lawyers
Best Law Firms US News
Best Lawyers