Recent high-profile data breaches are indicative of the avalanche that has arrived. For every Anthem, Primerus and Excellus, health and dental professionals everywhere are victims. Recent surveys have produced eye-popping data. According to the 2016 NetDiligence Cyber Claims Study, the average payout was $1.2 million, with average legal costs of $434,000 and crisis services costs of $539,000. Healthcare is the sector most frequently breached. When it comes to a cyber breach, it’s not “if.” Rather, it’s “when.”
The Importance of Cyber Security and HIPAA Compliance
Federal and state governments have enacted privacy laws to protect personal and health information. Congress has passed privacy legislation that governs the healthcare sector, but these statutes are complex and difficult to understand. Similarly, federal agencies with regulatory authority over the healthcare sector have promulgated rules and regulations and have increased their enforcement activity, seeking fines and penalties.
The Office for Civil Rights (“OCR”) enforces HIPAA and HITECH. OCR has investigated and resolved 24,501 cases and has assessed $45,889,200 in fines and penalties. On March 21, 2016, OCR announced that it had begun random audits of healthcare professionals. Private practice groups are the most common covered entities required to take corrective action. On Feb. 3, 2016, an administrative law judge ruled in favor of OCR and levied $239,800 in sanctions against a healthcare provider for HIPAA violations, showing that data security is at the forefront of federal enforcement actions. Civil penalties currently range from $100 to $50,000 per violation, tiered by the level of culpability.
Technology is rapidly changing, hackers are becoming more sophisticated and the laws are constantly evolving. While most dentists profess to understand technological basics such as word processing, email and electronic medical records, most acknowledge that they have no understanding of the HIPAA-mandated security controls used to protect health information.

In addition to OCR enforcement actions, 48 states have enacted breach notification laws, and all 48 mandate notification to individuals whose personal information may have been compromised. But key differences do exist. Fifteen states require notification to governmental agencies, and 27 states require notification to national credit-reporting agencies. Couple this with complex third-party litigation, and healthcare professionals are experiencing information overload. This is further complicated by statutes and regulations, inconsistent case law and procedural peculiarities throughout the United States.
Meanwhile, hackers have embraced the technology revolution and continue to develop more sophisticated tactics to prey upon people’s trusting nature. Spoofed emails lead dental-practice staff to infected websites designed to appear legitimate, where spyware is secretly installed or where dentists and their staff are tricked into divulging personal information such as credit card numbers, passwords and Social Security numbers. Hackers are leveraging social media to learn personal details about targeted individuals, and then carefully crafting emails to trick employees into turning over valuable data and giving access to bank accounts. Hackers are particularly targeting dental practices because security protocols there are often lax and because protected health information sells for more on the dark web than other types of data.
What is the Greatest Cyber Threat?
Ignorance. When thinking of cyber exposures, what comes to mind are systems failures, and the human element is often overlooked. But according to the Ponemon Institute, 35 percent of cyber breaches are due to human failings. Eighty-five percent of office workers, for example, have been duped by social engineering.
Employee ignorance is one risk factor, but ignorance at the ownership level is even more disconcerting. Most dentists are under the misimpression that cyber risk is an IT problem. Yet system glitches account for only 29 percent of data breaches, so relegating the responsibility for mitigating cyber risk to an administrative employee or an outside IT vendor fails to address the remaining 71 percent of a dental practice’s exposure. HIPAA compliance is not limited to technical security; it requires stringent administrative controls, commitment from the dental providers and ongoing training of employees.
Cygiene™ Best Practices Are Mission Critical to Mitigating the Cost of Cyber Breaches and Regulatory Enforcement Actions.
Cyber risk mitigation poses unique challenges, from adopting HIPAA-compliant best practices to managing vendors and maintaining appropriate cyber insurance. Dentists do not need to be subject matter experts in cyber security, but having a basic understanding of cyber threats, vulnerabilities and financial risk is critical for risk mitigation. Cygiene™ is no different from dental hygiene. Just as daily flossing mitigates the risk of tooth decay and gum disease, employee training and implementation of cyber best practices minimize the risk of financial ruin from a cyber breach or a regulatory audit by the Office for Civil Rights.
To mitigate cyber security breaches and their potentially devastating financial costs, dental practices should implement, at a minimum, the following Cygiene™ practices:
- Assess risks
Every dentist should understand the pervasive nature of cyber threats, from hacker attacks to employee mistakes. It is equally important to understand the dental practice’s own cyber vulnerabilities, which are often the result of ongoing poor cyber hygiene.
- Get educated
Dental practitioners should be well-versed in cyber security basics and understand the applicable federal and state regulations. Knowing the fundamentals is critical so that in the event of a breach, the right questions are asked and the right experts retained.
- Invest in best-practices training
The greatest cyber threat is employee ignorance. According to the Ponemon Institute, 35 percent of cyber breaches are due to human error, and social engineering reportedly duped 85 percent of office workers in recent findings. Proper and ongoing best-practices training is not only required for HIPAA compliance but also reduces the incidents caused by employee error.
- Have a plan
Swift action is required to comply with breach notification laws and their deadlines. Every dental office should have in place a designated breach response team and a written breach response plan, prepared before an incident occurs.
- Shift your financial exposure
Procure cyber liability insurance. Traditional insurance products are insufficient to protect against cyber incidents.
- Employ the right tools and experts
Protecting a dental practice’s protected health information is complex. Every dental practice should retain lawyers and outside cyber consultants to develop and help implement best practices that ensure HIPAA compliance and to prepare for and respond to a cyber breach.
Beth Fitch is a founding member of the Arizona law firm Righi Fitch Law Group. She is a trial attorney with 30 years of civil defense experience and holds the AV Preeminent Rating. Beth has defended numerous multimillion-dollar cases ranging from catastrophic injuries to construction defects. She has represented all types of professionals, from lawyers to architects. In 2016 she was again recognized as a Super Lawyer and is a member of Arizona’s Finest Lawyers. Beth is certified by the International Association of Privacy Professionals, is the Co-Chair of the Arizona State Bar’s Cyber Liability Committee, Co-Dean of the CLM Cyber Claims College and Vice-Chair of the IADC Technology Publications Committee. She counsels companies and insureds on cyber hygiene, best practices and responding to data breaches.