Is HIPAA Enough to Secure Medical Data? Doctors Say No

Medical offices are treasure troves of valuable sensitive data - from patient records, insurance information, payment details, to payroll, there is no shortage of the kind of information a cybercriminal would be quite interested in. No matter, that’s part of what HIPAA (the Health Insurance Portability and Accountability Act) compliance is for, ensuring that medical data is adequately protected… right? 

Unfortunately, perhaps not.

Diagnosis: HIPAA is “Insufficient”

The American Medical Association conducted a survey of 1,300 physicians in 2017 that revealed a few troubling insights into the state of medical data security - not the least of which being that 83 percent of those surveyed had experienced a cyberattack against their practice. Here are a few more results of the survey:

• 55 percent were concerned about cyberattacks in the future.
• 74 percent were most worried about the interruption to their practice that a cyberattack could cause.
• 53 percent were worried about patient safety.
• 29 percent of those who operate a medium-sized practice said it takes a full day to come back after an attack.
• 56 percent notify their IT vendor when a cyberattack occurs.
• 87 percent were confident in the HIPAA compliance of their practice.
• About 66 percent still had a few basic questions regarding HIPAA.

Finally, 83 percent of those physicians surveyed shared a belief that HIPAA compliance is “insufficient.” Most wanted these requirements to be spelled out in a more accessible way, as well as tips and how-tos to ensure that their cybersecurity and risk assessments do what they are intended to do.

These physicians are right to be concerned. Medical offices are often targeted by cybercriminals due to how much information can be taken from a single target. Relative to, say, a database of credit card information, a medical office’s data stores can be far more valuable to a cybercriminal.

Some Hospitals Have a Privacy Problem

Returning to the statistics for a moment, it would seem that there is still some confusion when it comes to HIPAA and what it dictates.

For example, in 2018, three hospitals came to settlements with the Office of Civil Rights for a combined total of $999,000, as each of them had violated privacy laws by inviting in a documentary film crew from ABC without the consent of their patients. Boston Medical Center, Brighamand Women’s Hospital, and Massachusetts General Hospital each deny that there was any information improperly disclosed, but the director of the Office of Civil Rights, Roger Severino, wasn’t having it. As he said in a statement:

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments. Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

This doesn’t even account for the millions of records that were breached throughout that year, either, due to causes ranging from user error, to ransomware, to phishing campaigns, to basic security faux pas. 

We Can Help

While being compliant to HIPAA is important, it simply isn’t enough to keep a medical practice as secure as it needs to be. We can ensure your practice is both with our advanced security solutions. Not only that, we can help you to understand exactly what HIPAA requires of you, and how you can most effectively remain compliant.

Reach out to our team at (774) 213-9701 for more information.