2021-02-12
In the 2002 box office hit, “Spider-Man,” shortly after Peter Parker discovered his new spider abilities, Uncle Ben had a ponderous discussion with Peter. He said, “Just because you can beat him up, doesn’t give you the right to. Remember: with great power, comes great responsibility.”
So, you are thinking, “That is great advice for an up-and-coming Spider-Man, but I’m not overly burdened by that statement. I don’t have great power.” To that, I say power really depends on your perspective.
One of my boys was playing soccer in a league that goes by age. Since he trained and usually played with much older children, his skills developed quickly so that he was much better than kids his own age. Once the game started, it didn’t take long to notice that he was a target. Why? Because the other team knew what power he had when he took control of the ball. They began to trip and slide tackle him whether he had the ball or not. Other teams saw the power.
Last week Tom talked about how most businesses have what hackers want. They will take the soggy PB&J sandwich (credit card information) if they can get it, but they hit the jackpot if they come across health records. So, for all the healthcare providers out there (doctors, dentists, acupuncturists, oncologists, counselors, physical therapists, any kind of healthcare), you have great power as far as the cyber hacker is concerned.
Because of the high-value information you possess, you have a target on your back. Big companies have the financial backing and budget to make themselves a hard target. The small- and medium-sized providers are easy targets, even for unskilled hackers. Your vulnerability is how they make a living.
Healthcare providers have the burden of regulatory requirements governing their use of their patients’ health records. They are legally responsible for protecting them. HIPAA contains what is called the Health Breach Notification Rule. This rule NOW REQUIRES businesses to notify their patients and others if there is a breach of unsecured, individually identifiable electronic health information. Both the Federal Trade Commission (FTC) and the Office of Civil Rights (OCR) are involved in enforcement of this rule.
If your organization is involved in a breach, it is best to review the incident to determine whether you have tripped the Breach Notification Rule. If you have, report it. According to a ZDNet article, “the chief security officer of Uber is currently facing obstruction of justice and ‘misprision of a felony’ charges for what the FBI calls, ‘masterminding and executing a plan to cover up a major data breach, obstruct federal regulators, and conceal activity from senior executives.’”
A breach is one thing. It happens a lot more than you would think, but covering it up can carry major consequences.
If you subscribe to an Electronic Medical Record (EMR) system, you as the healthcare provider are not off the hook. Even though you don’t physically store the information, you are responsible for all your patients’ health care records. According to a Ponemon 2020 survey, “54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve.” That is more than one out of every two vendors that are being breached.
Back on the soccer field, what did my son do when the target was on his back? He passed the ball to his open teammate for them to score. Consult with your local cybersecurity professional to make sure that you are protected. Ask how you can become a hard target and fend off the hacker. Pass the ball to your cybersecurity professional teammate for the win.
Co-written by Dan Gavin and Tom Jewkes, the cyber guys from CyberEye. An archive of past articles can be found at www.cybereyeaw.com/blog. Contact us at gavin@cybereyeaw.com and tom@cybereyeaw.com.