One of HIPAA's most important administrative safeguards is the security management process: the implementation of "policies and procedures to prevent, detect, contain, and correct security violations." This safeguard centres on risk analysis and risk management, and it requires covered entities to implement the security measures needed to reduce risks and vulnerabilities to a reasonable and appropriate level.
What does it do?
The aim of risk management in healthcare security is to reduce potential harm to patients, healthcare professionals and healthcare providers, whether that harm is physical (a ransomware attack that disrupts care) or informational (a breach of protected health data).
When an organization falls short in risk management, the following consequences are likely:
Financial Penalties and Lost Trust
The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued a total of $15.3 million in fines in 2019 alone, ranging from $10,000 to $3 million per provider. Although the total dropped significantly from 2018, it remains high and is a constant reminder of the penalties awaiting any organization that fails to meet the risk management safeguards.
Financial penalties are a hard blow, but they are not the only worry. According to a study by the Ponemon Institute, a breached organization's share value drops by 5% on average; 31% of survey participants said they ended their relationship with a breached organization, and 65% said they lost trust in it. Numbers like these make retaining long-term patients far harder.
Reduced Patient Safety and Care
As soon as a healthcare provider's network is breached, its patients become potential victims and targets. An attack can directly degrade the treatment they receive while in the breached provider's care, for example when clinical systems are unavailable. Beyond that, exposure of their data to attackers leaves them easy targets for phishing, identity theft and other follow-on fraud.
What should risk managers do to minimize the chances of a successful breach?
- Take advantage of the Security Risk Assessment (SRA) Tool developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights (OCR). The tool is designed to help healthcare providers conduct the security risk assessment required by the HIPAA Security Rule and by the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.
- Conduct a thorough and comprehensive risk assessment of your organization. Assess your level of preparedness, and quantify and prioritize the risks you find. Ensure that you are compliant with current regulations, but recognize that compliance alone is not the same as security and may not be adequate.
- Hold honest and transparent discussions with your organization's business executives about the current state of your security measures and what must be done to improve or maintain them. Include the need to update your existing incident response plan, or to create one if none exists.