One of the questions we hear pretty often when starting a relationship with a new healthcare client concerns the new technology we are introducing for marketing purposes: “Is it HIPAA compliant?”
Because of this, it is crucial for our team to stay up to date on the top threats facing healthcare as they relate to our clients and the marketing technologies we use. I attended a fantastic panel discussion today called “Cyber Threats in Healthcare.”
Featured experts:
Karen Clark, Chief Information Officer, OrthoTennessee
Ian Hennessey, Attorney, London & Amburn, P.C.
Bill Dean, Senior Manager, LBMC
Michael Saad, Vice President & Chief Information Officer, University of Tennessee Medical Center
Paul Sponcia, Principal and CEO, The IT Company
Tommy Smith, Vice President, Ackermann Marketing & PR
There was a ton of actionable information shared by the expert panelists, and I’ve paraphrased my favorite response from each of them.
Why are healthcare records so valuable to hackers?
Bill Dean, Senior Manager, LBMC
“A healthcare record is worth $50 vs. $0.50 for a credit card.” Why? Because healthcare records have so much more information about people, and that information doesn’t change. Your mother’s maiden name, your date of birth, the treatments you’ve had don’t change. This means they have far more long-term value, which is why they are sought out for theft and then sale.
Compliance is important, but why should I care?
Karen Clark, Chief Information Officer, OrthoTennessee
A question that she was asked recently was, “I get why all this compliance is important, but why should I care?” It’s a very honest and valid question. Her answer was brilliant. “We have 880,000 patient records; if there were a breach, it would cost us $440,000 in postage alone to notify everyone of the breach.” I thought this was a great answer because it changed the impact of a breach from something computer-related, technical, and intangible into a figure with a concrete monetary cost.
Infractions by Generation
Michael Saad, Vice President & Chief Information Officer, University of Tennessee Medical Center
When talking about where compliance infractions happen, many people think it will be the older, less technical employees, but surprisingly it’s actually the millennial employees who fall prey to these threats. They seem to be less suspicious and, as a result, will click on links in emails they shouldn’t, which could create a breach.
Most Common Starting Point for a Breach
Ian Hennessey, Attorney, London & Amburn, P.C.
If you review cases of breaches, you’ll see that they’re commonly caused by thefts like laptops being stolen from cars. While the policy would say that the laptop shouldn’t be taken home with patient records on it, in all reality it is taken home every night. This theft is the tripwire that then brings in an investigation, where they start to look at compliance for everything in your practice, not just the fact that a laptop was stolen from a car.
Just Because You Can Connect a Device, Should You?
Paul Sponcia, Principal and CEO, The IT Company
One of the issues in healthcare is how everything is now connected to the internet, the Internet of Things (IoT). In medical practices, IoT issues and opportunities for threats are increased by adding consumer devices, like a Nest or Sonos, to the network without understanding the risk that is being introduced for the convenience it provides. These devices aren’t vetted before they are added and could introduce a threat because they may open a door in a secured network.
Conclusion – What’s Next?
Tommy from Ackermann PR had some thought-provoking questions for the panel and did a great job moderating the discussion. Overall, I know that I learned a number of things about cyber threats, and I gained a powerful answer from Karen to use when talking about why a practice should care that the technology we are recommending is in compliance. Talking to attendees afterwards, it seems there were a lot of good immediate takeaways for practices.
Great panel – can’t wait for the next one!