Cyber Risk Is Not Going Away

In a future that has become more ambiguous than ever, some things are certain. Businesses, including health care entities, will increasingly rely on data and technology in order to conduct their business.  Data containing personal information will continue to be valuable.  The risk of liability for those holding that data will remain, whether the enforcer is at the federal or state level in a regulatory action, or a private citizen filing suit.  Safeguarding data against cyber-attacks and other impermissible disclosures must continue to be a priority for those who use and share data.

In the healthcare world, HIPAA compliance is key.  An example is the November 22nd settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the University of Massachusetts Amherst (UMass). The settlement includes a corrective action plan and a monetary fine of $650,000 (which would have been more had UMass not been operating at a financial loss in 2015). The trigger for the enforcement action was a UMass workstation that became infected with a malware program, resulting in the wrongful disclosure of electronic protected health information (ePHI) of 1,670 individuals. The malware was a generic remote access Trojan that infiltrated the UMass system, providing unauthorized access to ePHI because UMass did not have a firewall in place.  OCR’s investigation found that UMass failed to conduct an accurate and thorough security risk analysis, failed to have adequate policies and procedures in place, and failed to implement technical security measures.

For healthcare entities and those who handle their data, HIPAA compliance not only is required by law, it is still the most certain way to protect against, prepare for, respond to, and mitigate the effects of a cybersecurity incident.

On Tuesday, December 13, 2016, from 7:30 a.m. to 12:30 p.m., Denise L. Sanders, Esq., will participate in the seminar “Cybercrime:  Facts, Threats, and Countermeasures,” held at Rowan University and hosted by Avasek.  The seminar includes presentations by Mike Geraghty, Director, NJ Cybersecurity & Communications Integration Cell; Philip Frigm, Supervisory Special Agent, FBI Newark Division; and Lt. Cy Bleistine, NJ State Police, Cyber Crimes Unit; along with David Humphreys, Avasek.  As part of an expert panel, Ms. Sanders will address HIPAA and HITECH compliance by healthcare providers facing cybersecurity threats.  To register, please click here.