Healthcare is in Dire Need of HIPAA Compliant MSPs
-
In a recent KPMG survey of 223 healthcare executives, a full 80 percent stated that their information technology had been compromised by cyber attacks.
Let’s think about this for two seconds… 80 percent!!! Possibly, a portion of the remaining 20 percent did not yet know that they were part of the 80 percent. After all, how many clients have you taken on only to find that their network was being compromised or had been compromised?
In healthcare especially, the question is not if providers will experience a breach or cyber attack, but rather when. How will they respond, and what will the fallout be?
-
It's important to note that HIPAA is not about being secure, just about making a good effort. Tons of things that are totally acceptable under HIPAA (sending a fax, for example) are considered ridiculously insecure by IT standards. HIPAA consulting is about avoiding fines. Security consulting, separate from HIPAA, is about keeping your data from being exposed.
-
@scottalanmiller Oh, so very true! You've just inspired a new blog post for us - stay tuned!
-
@scottalanmiller said:
It's important to note that HIPAA is not about being secure, just about making a good effort. Tons of things that are totally acceptable under HIPAA (sending a fax, for example) are considered ridiculously insecure by IT standards. HIPAA consulting is about avoiding fines. Security consulting, separate from HIPAA, is about keeping your data from being exposed.
What are some other insecure, but HIPAA-compliant practices you see all of the time?
-
@MKM8DY said:
What are some other insecure, but HIPAA-compliant practices you see all of the time?
This one is non-digital and something that people often miss... but paper destruction does not require that the paper actually be destroyed or secured. So at many hospitals I've walked around their parking lots outside of their document destruction area and seen client-identifiable paperwork blowing around: it had been shredded, but not enough to hide the details, and was falling out of the machines or getting caught by the wind. I've checked, and it was, at least at the time, considered HIPAA compliant, as the destruction method and style were approved. That the data was leaking wasn't a concern of HIPAA, only that the proper "effort" had been put into it.
-
I think this is along the same lines as what @scottalanmiller is saying, but the effort is also company-size related.
So, for example, a 5-person company is going to have to have much less security than (or is going to need to be judged to have less than) a huge hospital organization.