Are you tired of seeing the word “cyber” inserted in front of everything?  I know I am.  Cybersecurity in healthcare requires security implementation to the modern methods in which we communicate (email and texts), store information (databases and computers), and diagnose and treat disease (medical devices, wearable technology).  The computing power each person now has available, combined with global interconnectivity, makes healthcare cybersecurity a complex topic.

In the past, communication and records seemed much more secure.  A doctor could mail a test result to a patient with little worry that someone would open an envelope sent via U.S. Mail.  A hospital employee might take home a couple of patient charts to catch up on work at home.  A provider simply had to put a lock on the door to an office or file room to keep unauthorized people out.

Now, it seems email gets read by myriad individuals or bots along the route to its recipient. Likewise, an employee can bring home hundreds of thousands of patient records on a personal laptop or thumb drive.  If a patient records database is not secure, the electronic Personal Health Information (“ePHI”) can be accessed by a teenage hacker in Russia, or by a nation-state’s military, like North Korea.  The consequences associated with each vulnerability are daunting.

Strictly speaking, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) created standards for the electronic exchange of health information, and it provided data privacy and security provisions for safeguarding medical information. In 2009, it was supplemented by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which primarily updated the Privacy and Security Rules and created monetary penalties for noncompliance.  The last major update to the HIPAA regulations came in 2013 under the HIPAA “Omnibus Rule.”

The main characters under HIPAA and its regulations are “Covered Entities” and “Business Associates.”  Covered Entities are defined as a health plan or provider providing medical care or transmitting identifiable information about a patient.  Business Associates are third parties who receive, store, transmit, or use ePHI on behalf of a Covered Entity.  HIPAA requires Business Associates to sign Business Associate Agreements (“BAA”) with the Covered Entity agreeing to keep the ePHI it receives, stores, or transmits under a certain level of security, and the BAA must define how ePHI shall remain available to the Covered Entity, and it must establish the breach notification protocol between the Business Associate and the Covered Entity should any breach occur.

Cloud Computing Vendors

Almost as ubiquitous as “cyber” in our modern vernacular is talking about the “cloud.”  Most people are now familiar with the cloud through using iCloud, Dropbox, OneDrive, and more.  As we have learned through news reports, the cloud consists of thousands if not millions of networked computers that store and share data in massive datacenters.

The benefit to moving operations to the cloud is decreased storage cost, and for most small businesses it helps relieve tasks such as updating firewalls or data backups.  However, moving ePHI to the cloud means that, except in the most sophisticated hacker attacks, a user password is all that protects the ePHI from potential cyberthieves.

The Department of Health & Human Services has acknowledged the increased use of cloud computing services and encourages providers to gain a further understanding of cloud offerings. If your medical practice or small business stores protected health information, it is critical to consult with an experienced professional about your obligations and to put a plan in place to minimize risk.

William McDonald is Counsel at Campolo, Middleton & McCormick, LLP, a premier law firm with offices in Ronkonkoma and Bridgehampton, where he chairs the Healthcare and Criminal Defense practice groups. Contact Bill at wmcdonald@cmmllp.com.