Fear-mongering and cautious optimism have likely been the drivers behind IT expenditure in recent weeks. I’d wager few of those dollars were allocated to securing this “new work from home” bug that has bitten everyone.
Aside from the health risks, COVID-19 has exposed the wanton disregard for IT security in the global workplace, nowhere more prevalent than among HIPAA-covered entities. The low priority placed on properly implementing and maintaining the IT systems that support a medical practice has compounded security problems over time.
The usual justifications I hear are merely excuses underpinned by budgetary and time constraints. Does this absolve a practice owner from the inherent responsibility to their patients? My answer to this is, if you can’t do it properly, don’t do it at all.
Modern cyber threats change quickly, are complex, and are difficult to prevent. The problem is compounded by the reality that most small healthcare practices simply don’t have the knowledge or expertise to set up their systems adequately, much less defend their network.
Just yesterday I had a conversation with a colleague. His client (a medical practice) needs a way to see patients remotely. Knowing me, you’d be correct in expecting that my suggestion goes beyond an out-of-the-box solution that doesn’t meet compliance needs. In this particular case, I told him what solution would work; it would take a handful of hours to secure and configure, and in the end it would be better than HIPAA compliant (I refuse to do the bare minimum). His reply? “That is too expensive, they won’t pay for that!” Imagine, 3-4 hours of work is too expensive for a medical office to be able to remotely serve their patients securely and continue operations during this pandemic.
What happens when my colleague’s client begins using WhatsApp, FaceTime and other freeware to treat patients? What controls are in place to secure PHI? Anyone who sees or uses the physician’s phone now has access to PHI.
This mentality is endemic in medical practices across the country, regardless of size.
Remember, these entities decide for themselves whether a breach is reportable: under the HIPAA Breach Notification Rule, a covered entity can skip notification if its own risk assessment concludes there is a low probability that the PHI was compromised, regardless of whether anyone viewed it. That self-assessment allows companies to continue to be grossly negligent with your data.