Health care providers and insurers in the United States are required to obey the laws and regulations related to providing appropriate cybersecurity measures to protect their patients’ personal health information, as well as the information of their employees and any business associates with whom they work. Specifically covering these groups are two laws: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Both laws reflect an ongoing push to protect the privacy of those seeking medical attention, including their insurance and payment information, personal health care records, and related data.
In December of 2019, Crossroads Technologies, Inc., a company that provides technology and cybersecurity services, reported to their client Personal Touch Home Care (et al.) that there had been an attack using ransomware against their healthcare records. The attack affected approximately 156,000 patients and their health information, Social Security numbers, and other protected information.
What Happened
From the reports submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the servers supplied by Crossroads to Personal Touch were struck by a ransomware attack on or about December 1, 2019. The attack made the health care provider’s electronic information stores unavailable for at least two days and exposed the personal health care information (PHI) of those affected.
During the downtime, the health care provider was able to use other methods to continue servicing their accounts, but those methods were slower and manual in nature.
Because part of the information exposed related to Social Security numbers, birth dates, and insurance information, there is a good chance that information may be used down the road by the attackers or someone who purchased the information. Credit monitoring services charge a substantial amount to protect information such as this from misuse, and many patients may opt to have those numbers changed. Again, this is a financial upset that may end up on the ledgers of Personal Touch and Crossroads.
How will this Affect You?
Any exposure or threat to PHI in a medical practice is of concern, especially considering the potential effect it could have on the faith your patients have in your ability to protect it. A loss of that faith can prove to be financially burdensome or even catastrophic to your organization. The financial burden could derive from:
- Loss of revenue during downtime
- Fines against your organization from local, state, or federal agencies that monitor and regulate your industry
- Loss of customers due to transitioning to a new provider
- Less effective and efficient records management
You may also be forced to take on cybersecurity insurance to protect against future losses, and this is a further expense that you may or may not be able to recover.
When a failure in security occurs, you must also recover from it. You may need to pay a ransom to obtain access to your files or more than one if the ransomer is not truthful about their dealings with you. You will have to improve your security, fix the problem or threat vector that allowed them access in the first place, and then you will likely be required to show proof of any measures taken and that you have met at least minimum security requirements.
In the case of Crossroads and Personal Touch, it seems they agreed with HHS to improve their security and recover the data that was affected. Due to their active efforts, the HHS has not, as of this time, levied a fine against either organization, though that may change.
It is also of note that due to the breach, both companies are potentially facing litigation under a Class Action suit titled “Booker v. Personal Touch Holding Corp., et al.” No matter the end result of the case, the public is likely to be less willing to trust either in the future.
What should you do
It is understood that cybersecurity is potentially expensive and time-consuming to implement, but the alternative is exposure to greater financial and business losses. Cybersecurity is an investment in your organization’s future and in protecting your clients from harm. Your organization may be breached without at least a bare minimum of planning and work.
Many companies, such as Northstarr System Solutions, can work with you to find a solution that works for you. Start by understanding the information you use in your practice and the systems where that information is gathered and stored. How it is communicated and used is also important.
Once you have a good idea of what, where, and how, start working with your in-house IT/Security staff or a vendor to plan what needs to be done. Know that this will require buy-in from your entire organization, including your vendors. They all will have a part to play in the success of your cybersecurity program.
Once you have created your plan, it will be time to implement it. Take the time to make sure that it is done and done well. There will be hiccups, just as with any plan implemented, but you can work through them.
While implementing your security plan, TRAIN your staff, management, and any vendors with whom you have data communication. They need to know what you are doing, why you are doing it, and their roles in the process. Once they are trained, keep them up to date with retraining and assurance checks.
Now that you have your plan, have implemented it, and your staff knows their part, it is time to maintain the security you have put in place. Update it, look for better practices and methods, train your staff regularly, and keep the work going. It does tend to get easier over time, and your patients/clients will appreciate the efforts.
Northstarr Recommendations
Northstarr can provide you with the necessary IT and cybersecurity expertise to help you with the process of planning, implementing, and maintaining your cybersecurity program.
Give us a call today at (888) 767-2210. We can discuss what you are looking for and develop options that work for you. You can also request a free assessment on our website.
If you would like to explore some of our service offerings or just check us out, find us at Northstarr System Solutions, Ltd.
You can also chat with us on our social media pages:
