In this age of technology, computer systems have to be monitored very closely, because cyber-attacks are always waiting to happen. Cybersecurity, computer security, and IT security are different names for the same concept: protecting computers (software and hardware) and the data inside a system from being damaged or stolen. Damage to or corruption of data may occur as a result of a virus or malware program running on a system.
To resolve such an infection permanently, it is wise to take the affected system offline temporarily and fix the issue before bringing it back online.
What do you have in mind for defending a computer system against cyber-attacks?
Think of computer systems as homes; once we do, protecting them becomes intuitive. No one should enter unless they are permitted. Some of us may hold extra keys to the house, which corresponds to the people who are allowed to access the information in a particular system.
Ordinarily, if sensitive data goes public, it is not only a HIPAA violation but also taints your reputation in healthcare; in most cases, the consequence is a hefty fine that has to be paid. Moreover, it becomes a major liability for the covered entity or business associate concerned.
Below, we will see what a covered entity, such as a medical practice, or a business associate, such as a medical billing service, can do to avoid a HIPAA penalty in the event of a cyber-attack.
The Covered Entity Has to Figure a Way Out in Case of a Cyber-Attack
When under attack, and a virus or malware has been detected on systems holding Protected Health Information (PHI), the first thing to do is stay calm; panicking only makes matters worse.
Once you know something is wrong with the system, consider your options: inform your IT team, technical staff, or network administrator. Once notified, it is up to them to find a solution in time.
The recommended course of action is to let them work on the computers until the issue is resolved. Hackers are after information such as social security numbers because they believe it can earn them a fortune.
For instance, a social security number may give intruders access to a person's bank account. While the digital age makes things simpler for us on the one hand, on the other it gives hackers a chance to rob us. How ironic.
Making it hard for these attackers to work their way through your network defenses is where the ability of your IT staff is tested. They must keep intruders out of the network.
To protect those affected from emotional and financial losses, the IT department must do everything it can to contain and reverse the problem.
If the attack is severe, you may hire a company that specializes in mitigating such attacks, but get them on board quickly, without wasting any time.
As a general rule, conduct a thorough HIPAA compliant security risk analysis every few months to keep your systems breach-proof. That, in turn, adds to the steps each organization should take to protect ePHI, and it will also filter out links or third-party connections that should not have access to PHI.
Inform OCR First; Share Threat Indicators with Them
The Office for Civil Rights (OCR) has the right to be informed first when there is a breach. They should not hear about it from outside sources such as their government counterparts, so give them the heads-up before reporting it to anyone else.
OCR falls under the Department of Health and Human Services (HHS) and conducts audits, after which healthcare organizations may face substantial fines.
Private and public information-sharing and analysis organizations (ISAOs), the Department of Homeland Security, and the HHS Assistant Secretary for Preparedness and Response should all be among those informed of any signs of a looming cyber threat.
Inform Federal Authorities
Although leakage of sensitive data falls under the jurisdiction of OCR, local and federal authorities, such as the Federal Bureau of Investigation (FBI) and the Secret Service, must be informed too.
Note that PHI should not be disclosed to law enforcement agencies unless strictly necessary; when it is, they may view and store it under the provisions of the HIPAA Privacy Rule.
To be as prepared as the ill-intentioned, conduct a HIPAA compliant security risk analysis, which identifies the root of a problem before the problem occurs. Healthcare providers are bound by law to carry it out through health IT companies that specialize in HIPAA law.
The law also protects PHI if the breach is a threat to national security or if disclosure may impede a criminal investigation. In such cases, one must wait 30 days or until a formal request in writing is received.
Don’t Delay in Reporting a Breach
As soon as an attack happens, you must report it to OCR. A breach affecting 500 or more people must be reported within 60 days. Everyone affected by the breach must be notified immediately, unless law enforcement authorities say otherwise.
The points at which PHI is accessed, stored, and transferred are all vulnerable to a breach, but if the entity has encrypted the data beforehand, there is less risk involved. This is achievable if the entity performs a HIPAA compliant security risk analysis every few months and has strict measures in place to defend its territory.
Therefore, if the provider confirms that encryption measures were in place before the breach, and that there is very little chance the information reached the wrong hands, the incident may be kept a private affair. However, a written confirmation of the risk analysis must be submitted to OCR to keep things transparent and by the book.
For breaches affecting fewer than 500 people, the Secretary of HHS must be notified through their website by filling out the relevant form. This notification must reach the Secretary no later than 60 days after the incident first occurred.
Breach & Business Associate
Medical billing services or medical billing companies are shining examples of business associates.
What should they do in the event of a breach?
The first thing they must do is inform the covered entity for whom they are working. A delay of more than 60 days may call into question their credibility as a service provider to healthcare professionals. A business associate should respond in writing, properly mailed to the entity, to remain HIPAA compliant.
The notification document must state the number of people who may be in harm's way because of the incident. All medical billing outsourcing companies must follow this procedure to avoid unnecessary attention.
Do get in touch with P3 Healthcare Solutions for QPP MIPS submissions or HIPAA-related consultation. What will you do if your systems come under cyber-attack?