Don’t Come in Second .. Or First

Second Place: Premera Blue Cross is the largest health plan in the Pacific Northwest. They have the dubious reputation of coming in second. In this case, they received the second-largest HIPAA fine to date: $6.9 million. The confidential information of over 10 million people was exposed.

What is HIPAA: HIPAA is the Health Insurance Portability and Accountability Act. This law gives patients control over their health information, requires healthcare providers to limit the use of personal health information, and holds providers responsible for any inappropriate disclosure of patient information, which includes any type of breach. All healthcare providers are required by law to be HIPAA compliant.

Pain Still to Come: Going back to Premera Blue Cross, the consequences did not stop at the fine. They settled a 30-state lawsuit for $10 million. But wait, there's more! There was a federal class-action lawsuit that they settled for $74 million. In addition, the Office of Civil Rights (OCR), which levied the fine, required Premera to perform corrective actions on their cybersecurity strategy. They were also monitored for two years.

No Prejudice: These consequences are not isolated to large companies. Small and medium-sized businesses have breaches and get fined by the OCR, too. The difference is the size of the fallout. The problem is that most small businesses can't survive the fines and lawsuits. Breaches can happen to any organization. In fact, before the breach, Premera had been warned about their vulnerabilities. Premera thought, "It can't happen to us," but it did.

Protecting Yourself: If you are in the healthcare sector, you can protect yourself. Providers are required by HIPAA to do a risk assessment. This assessment is the baseline for developing a cybersecurity strategy. It includes a data, software, and hardware inventory, because you have to know what you have in order to protect it. Policies need to be developed and implemented. Contingency plans need to be created and tested. Physical security is also a part of it. Of course, there are the technical aspects of protection, like firewalls, anti-malware, encryption of data, and endpoint detection. You should get a cybersecurity professional to assist with your cyber strategy. Your IT department is focused on functionality, not security. Have a cybersecurity expert help.

What About the Users: Of course, you can implement physical constraints, administrative policies, and technical measures like those listed above and still have a breach if users are not educated and trained. Training is one of the best defenses organizations can have against hackers. The best training comes in small "bytes," about three to five minutes every week or two, to keep phishing and safe browsing at the top of employees' minds. It is money well spent.

Transfer the Risk: Healthcare providers also have the option to transfer the risk of a breach through cyber insurance. If you were in a floodplain, you would get flood insurance. Since you are in the cyber world, you should have cyber insurance. The healthcare sector has more vulnerabilities to be concerned about than many other sectors. Every healthcare provider should look into cyber insurance, because you can't beat the odds forever.

Avoid the Oversight: According to hhs.gov, 69% of investigations result in corrective action (and fines). If your organization has a breach, the OCR will investigate, but if you are using "industry best practices" and have a solid cybersecurity strategy, you can avoid the fines and monitoring that Premera experienced.