by Jay Hodes, President, Colington Consulting - HIPAA Compliance Experts
I am not sure whether those tasked with securing protected health information lose sleep every night worrying that they did not do enough to safeguard the data their organizations maintain. If they are losing sleep, though, that may be a good thing, because it shows how seriously they take this responsibility. For the rest, the obnoxious wake-up alarm that we all hate at times should be the recent ransomware case at the Hollywood (CA) Presbyterian Medical Center.
A letter released by Allen Stefanek, President and CEO of the Center, acknowledged that a ransom of $17,000 was paid to the alleged perpetrators to get their electronic health records back. Stefanek stated that the “quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”
If a hospital system can be put into a virtual shutdown, how vulnerable are millions of small to mid-size providers?
When conducting HIPAA risk assessments, I ask required questions about contingency, emergency and disaster recovery plans. Some organizations do not realize these are critical elements of HIPAA compliance. Policies and procedures must be in place to address these potential vulnerabilities; if they are not, the assessment can result in a high risk rating. Unless these providers outsource their IT services and secure backup is part of that arrangement, many fall short in making sure that all the PHI they maintain is available at all times, regardless of emergency or disaster – or of data being taken hostage, as was the case with Hollywood Presbyterian.
One of the lessons I learned from my time in Federal law enforcement is to run “what if” scenarios to death. Try to determine every way an operation or mission could go wrong, and then have a contingency plan that addresses each particular scenario. Being prepared is crucial because if something does go bad, a plan is already in place to deal with it.
When it comes to protecting healthcare data, the same philosophy should hold true. HIPAA has required implementation specifications for the standard on developing and maintaining contingency plans. Policies and procedures must be in place to address areas such as data backup, disaster recovery, application and data criticality analysis, and emergency mode operations.
Although not technically a HIPAA requirement, I always bring up continuity of business operations when talking with clients. It goes beyond needing access to protected health information under emergency conditions. For cases where a facility cannot be occupied after a natural or man-made disaster, I recommend setting timelines and assigning roles and responsibilities for specific tasks, such as locating temporary office space, procuring IT, telecom and medical equipment, and establishing a process to notify patients about the closure or relocation.
Many larger organizations have procedures in place and routinely test and drill their contingency plans. Small to mid-size organizations must have the same protocols in place, albeit to a lesser extent because of the nature of their business operations.
The fear that your organization will be compromised is a reality that needs to be faced. Most experts agree it is not a question of if, but when. Having addressed these issues before a breach occurs, and having a game plan in place, can go a long way toward keeping the impact as small as possible.
For a free initial consultation to find out whether your practice is meeting all the HIPAA compliance requirements, give me a call at 800-733-6379.