With the expansion of telehealth during the pandemic, protecting your patients’ data has become more critical. Providers and associates took work computers home, may have accessed personal email from devices on your network, or used personal devices for work-related calls, all of which widened your attack surface. These habits also exposed your practice to phishing campaigns built around a fear: the IRS needs some “information” from you, or your online shopping account has been closed because of unusual activity. A practice associate may have innocently opened such an email or clicked its link without checking where it actually led.
While HIPAA enforcement was relaxed during the public health emergency, practices may also have adopted telehealth and messaging systems that were never designed to be HIPAA compliant, leaving patient data on platforms without the safeguards the rule normally requires.
Why were practices targeted? An individual patient record may not fetch a high price on its own, but attackers understood what it would cost you if that information were leaked to the dark web. Attackers have been able to infiltrate practice networks, encrypt or exfiltrate the data, and demand payment for its return or non-disclosure, an attack known as ransomware.
The attackers understood that even if the data would not sell for much, simply holding it, or threatening to release it, would make your practice liable for the cost of a data breach. That cost, estimated to average $430-$500 per patient record, is made up of reputational damage, operational disruption and recovery expenses, legal fees, and fines from government agencies for violations of HIPAA.
What does a practice administrator need to consider when using vendors for IT support, as well as vendors to help with telehealth?
- Is your vendor HIPAA compliant? HIPAA requires a signed business associate agreement (BAA) with any vendor that creates, receives, maintains or transmits protected health information on your behalf, and the vendor’s compliance obligations should be spelled out in that agreement.
- Look for the vendor’s definition of a security breach. What counts as a breach to the vendor may be narrower than what counts as one for your practice, and the gap between the two definitions is where incidents go unreported.
- Look at the vendor’s breach notification timelines and procedures. How the vendor informs your practice of a breach, and how soon after discovering it they are required to do so, can make a significant difference to your practice and your patients. Note that HIPAA’s Breach Notification Rule only sets an outer limit of 60 calendar days for a business associate to notify the covered entity; your BAA can and should require a much shorter window so that your own patient and regulator notification clocks are not consumed by the vendor’s delay.