Recently, there has been a lot of focus on the safety of medical data due to the Anthem cyber attack. On February 5, it was discovered that Anthem, the second largest insurer in the United States, had been hacked. This was an aggressive attack that came from outside the organization. The massive data breach may have compromised the personal data of as many as 80 million people, placing them at risk of identity fraud.
If a large corporation like Anthem can’t protect its data, many smaller practices worry that there is no way they’ll be able to protect theirs. However, you can and, more importantly, you must protect your data. Whether you’re a small practice or a major corporation, everyone who works with protected health information has the same legal obligation to protect data under the Health Insurance Portability and Accountability Act (HIPAA) regulations. Here are some steps you can take to help ensure that your data is protected.
Encryption, Encryption, Encryption
The best way to ensure that your data is protected is through encryption. If the Anthem data had been encrypted, the breach never would have happened the way it did. The National Institute of Standards and Technology (NIST) (http://www.nist.gov) has established an encryption standard called the Federal Information Processing Standards (FIPS). This standard defines four levels of security established to maintain the confidentiality and integrity of the data. It applies to data at rest and data in transit. Even if encrypted data is stolen, it is unusable without the key.
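To make the confidentiality-and-integrity point concrete, here is an added example (not code from the original article, Digirad or Anaseed) that protects one stored record with AES-256-GCM, an authenticated-encryption mode: an attacker who copies the storage gets no readable fields, any modification of the stored bytes is rejected, and the wrong key is rejected rather than yielding garbage. The record itself is a constructed sample, not real patient data. The example uses Go’s standard library, which on its own is not a FIPS-validated module; meeting the FIPS requirement in production depends on the validated module and key-management service you deploy, and the key here would live in that service rather than beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In a real deployment the key
// is generated and held by a key-management service or HSM, never stored
// next to the encrypted records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one record with AES-256-GCM. The output layout is
// nonce || ciphertext || authentication tag, so confidentiality and
// integrity are covered by a single authenticated-encryption call.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; a nonce must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord. It returns an error for the wrong key
// and for any modification of the stored bytes (the GCM tag check fails).
func OpenRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient_id":"000001","dob":"1970-01-01","dx":"I10"}`)

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealRecord(key, record)
	if err != nil {
		panic(err)
	}
	// What someone who copies the storage sees: no plaintext field survives.
	fmt.Println("stored bytes contain plaintext field:", bytes.Contains(sealed, []byte("patient_id")))

	// Flip one bit of the stored record: the integrity check rejects it.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = OpenRecord(key, tampered)
	fmt.Println("tampered record rejected:", err != nil)

	// Wrong key: rejected as well, rather than returning garbage.
	otherKey, _ := NewDataKey()
	_, err = OpenRecord(otherKey, sealed)
	fmt.Println("wrong key rejected:", err != nil)

	plain, err := OpenRecord(key, sealed)
	fmt.Println("correct key recovers record:", err == nil && bytes.Equal(plain, record))
}
```

The same pattern covers data in transit in spirit, but there you would normally rely on TLS rather than sealing records yourself; the point of the example is that a stolen copy of encrypted records is worthless without the key, and that authenticated encryption also catches silent modification of the stored data.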
Review Your Business Associate Agreements (BAAs)
The second best practice to ensure that your data is protected is to establish proper contracts with your business partners. These Business Associate Agreements (BAAs) are contracts between a HIPAA-covered entity and a HIPAA business associate that ensure that protected health information (PHI) is handled according to HIPAA guidelines. When you are creating a BAA, you need to ask who is acting as the covered entity and what their relationship to the data is. In addition, make sure all your BAAs are kept up to date, and use assurance questionnaires to confirm that your associates are doing everything they can to protect your business data.
Assess Your Liability
Anthem made the news because its breach involved 80 million records; however, data breaches occur every day. Smaller data breaches may not make the news, but they can still cause devastating consequences, and even small practices are subject to the same data protection rules. There are steep penalties for not complying with HIPAA regulations. The HIPAA Omnibus Rule enacted in 2013 places the same legal and financial burden on all companies that work with PHI, no matter the size.
What You Can Do
Don’t look at the big organizations and assume that they’re protecting data correctly. And, don’t assume that you don’t have to comply with the same standards as the big organizations. If your organization works with PHI, you and your staff need to understand how the rules affect your organization. If your internal resources cannot handle the task, consider using outside help. Digirad partners with Anaseed for its HIPAA compliance program, training, risk analysis and more, via the Live Compliance system (livecompliance.com). Anaseed assists organizations with encrypting data and attaining HIPAA compliance. For more information, visit http://www.anaseed.com