I’ve been reading some recent statistics published by the National Association of Corporate Directors. They compare the self-reported cybersecurity knowledge levels of corporate directors across a number of industries. What surprises me is that the knowledge levels of directors in the healthcare industry are only average compared to those of the other six sectors reported. While there are signs that some senior managers are waking up to the dangers, it seems strange to me that, 19 years after HIPAA was enacted and 6 years after HITECH, healthcare directors are not the best-briefed and best-educated in cybersecurity of all business sectors.
[Chart: self-reported cybersecurity knowledge of corporate directors by industry. Source: National Association of Corporate Directors]
If you haven’t already done so, you should look at the Office for Civil Rights’ Breach Portal, known to many as “The Wall of Shame.” It shows a staggering number of breaches at healthcare providers, health plans and their business associates (BAs). BAs have come under a lot of scrutiny recently, mainly for sending HIPAA-covered information in unencrypted form. If you have any BAs who need to know more about securing email, or who have a complex solution that staff dislike using, get them to watch this webinar discussing how to balance HIPAA regulations with business needs.

In addition to encrypting email, health providers need to be aware of just how easy it is for staff to send PHI to the wrong people. Recent examples include UPMC Health Plan, where a staff member sent an email attachment with the PHI of 722 clients to the wrong people; the Georgia Department of Human Services, where PHI for 3000 people was sent to the wrong recipients; and NYC’s Health and Hospitals Corporation, where a similar error affected almost 4000 patients. It is inevitable that staff, busy staff, will make errors when sending emails containing PHI, costing your organization punitive damages, losing you clients and severely damaging your organization’s name and brand.

Yet modern solutions can prevent this from happening. Automated data loss prevention stops PHI going to the wrong people: it automatically holds and quarantines suspicious outgoing email before it leaves your network, giving you a second opportunity to check that the right PHI is going to the right recipient. Modern email encryption also lets staff send and receive encrypted PHI without time-consuming activities such as remembering passwords. To hear my recommendations for healthcare providers and BAs, and those of my colleague Dena Bauckman, click on this link to listen to our webinar.
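The outbound quarantine step described above, as an added example that is not part of the original post or of any vendor’s product: a policy check that scans an outgoing message (subject, body and extracted attachment text) for PHI indicators and holds it for review when it is addressed to a domain outside the approved business-associate list, leaves the network unencrypted, or is fanned out to an unusually large recipient set (the mass mis-send pattern in the incidents cited). The organisation domain, the BA allowlist, the PHI regexes, the recipient threshold and all sample messages are constructed placeholders; a production DLP engine would use tuned, richer detectors.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed policy values for this example (not real domains or thresholds).
ORG_DOMAIN = "example-hospital.org"                   # our own mail domain
APPROVED_BA_DOMAINS = {"claims.approved-ba.example"}  # business associates under a BAA
MAX_RECIPIENTS_WITH_PHI = 10                          # PHI to more recipients gets a second look

# Simple PHI indicators; constructed patterns standing in for a tuned DLP ruleset.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.IGNORECASE),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-10|prescription)\b", re.IGNORECASE),
}


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text
    encrypted: bool = False  # True when policy-based encryption has already been applied


@dataclass
class Verdict:
    action: str          # "deliver" or "quarantine"
    reasons: List[str]   # why the message was held, for the reviewer


def find_phi_indicators(text: str) -> List[str]:
    """Return the names of the PHI patterns that match anywhere in text."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(mail: OutboundMail) -> Verdict:
    """Decide whether an outbound message may leave the network or must be held."""
    texts = [mail.subject, mail.body, *mail.attachments.values()]
    indicators = sorted({ind for text in texts for ind in find_phi_indicators(text)})
    if not indicators:
        return Verdict("deliver", [])  # no PHI seen: nothing to enforce

    reasons = []
    external = sorted({domain_of(r) for r in mail.recipients} - {ORG_DOMAIN})
    unapproved = [d for d in external if d not in APPROVED_BA_DOMAINS]
    if unapproved:
        reasons.append(f"PHI {indicators} addressed to unapproved domain(s) {unapproved}")
    if external and not mail.encrypted:
        reasons.append(f"PHI {indicators} leaving the network unencrypted to {external}")
    if len(mail.recipients) > MAX_RECIPIENTS_WITH_PHI:
        reasons.append(f"PHI sent to {len(mail.recipients)} recipients "
                       f"(limit {MAX_RECIPIENTS_WITH_PHI})")
    return Verdict("quarantine" if reasons else "deliver", reasons)


# Constructed sample traffic covering the cases the policy is meant to catch.
SAMPLES = {
    "internal_referral": OutboundMail(
        sender="dr.lee@example-hospital.org",
        recipients=["nurse.kim@example-hospital.org"],
        subject="Referral", body="Patient MRN-1234567, diagnosis pending; see attached."),
    "typo_domain": OutboundMail(  # one mistyped letter sends a claims file to a stranger
        sender="billing@example-hospital.org",
        recipients=["intake@claims.aproved-ba.example"],
        subject="Claims batch", body="Batch attached.",
        attachments={"batch.csv": "name,ssn\nJ Doe,123-45-6789\n"}, encrypted=True),
    "approved_ba_encrypted": OutboundMail(
        sender="billing@example-hospital.org",
        recipients=["intake@claims.approved-ba.example"],
        subject="Claims batch", body="Batch attached.",
        attachments={"batch.csv": "name,ssn\nJ Doe,123-45-6789\n"}, encrypted=True),
    "mass_missend": OutboundMail(  # a roster attached to a bulk mailing by mistake
        sender="outreach@example-hospital.org",
        recipients=[f"member{i}@mail.example" for i in range(12)],
        subject="Flu clinic dates", body="Join us next Tuesday.",
        attachments={"roster.csv": "MRN-2222222,DOB: 01/02/1980\n"}),
}


def run_samples() -> Dict[str, str]:
    """Map each sample name to the action the policy takes on it."""
    return {name: evaluate(mail).action for name, mail in SAMPLES.items()}


if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        verdict = evaluate(mail)
        print(f"{name}: {verdict.action}")
        for reason in verdict.reasons:
            print("   -", reason)
```

Run as-is to see the four verdicts; the quarantined messages carry the reasons a reviewer needs to release or correct them. Note that the check is deliberately applied to attachment text, since in the incidents above it was the attachment, not the message body, that carried the PHI.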