MSP Success Magazine Special Edition: Lisa & Brian Johnson | Page 13

WHY HIPAA STANDARDS MATTER
Every single day, 2,300 small businesses are breached. According to the FBI, 95% of all successful cyberattacks during 2020 came through email phishing scams or links. Tracey believes that if more companies followed the HIPAA standards, this number would be greatly reduced. “Small companies end up going out of business and quietly just disappear,” he says. “The larger companies are still susceptible, but they don’t get hit as often because they are investing in educating their employees. Small businesses aren’t having that conversation, and that’s a real problem. Hackers are having success with small businesses because of the lack of security tools and security training these businesses have.”
The new work-from-home environment has only made the situation worse. “If security measures were loosely followed before the pandemic, consider how problematic it became as masses of people were deployed to work from home using computers that weren’t set up with proper security, firewalls, or other protocols,” Tracey says. “Sadly, we’ve already seen a substantial uptick identified in digital threats targeting platforms that remote workers use. HIPAA standards could have prevented that.”
HOW TO GET A COMPANY TO ADOPT A SECURITY MIND-SET
Tracey recommends the following actions to help transform a company’s security:
1. Execute Training: “The workforce is significantly undereducated about technology,” Tracey says. “And keeping up with the number of new threats popping up every day is tremendously difficult. That’s why we focus on employee education. It must be met with the same kind of commitment and persistence as doing the security work.”
2. Gamify Security: “We gamify the security practice,” Tracey says. “We send videos with security tips and phish and spear-phish all users by sending out a phishing email from us. If a user clicks on that link, it immediately sends them to training. We’ve found this on-the-spot training to be extremely effective at changing the behavior.”
3. Change the Culture: “The culture can completely change and be unrecognizable when you shift the employee computer behaviors and mind-set,” Tracey says. “Frequently, I notice how people refer to their company computer and data as the ‘agency’s computer or data.’ Once we change employees to think in a possessive manner regarding the technology, they are more careful with it.”
4. Outsource to an IT Firm: “Organizations simply do not have enough hours per year to do HIPAA training and implementation correctly,” Tracey says. “We realized we could provide a package that freed up clients’ time. Companies only need to allocate 15–20 hours per year to HIPAA compliance. We do the rest.”
5. Educate Companies on the Benefits of Compliance and the Consequences of Noncompliance: Providers often don’t realize that the fines for violations may be less severe if they have taken proper measures to comply. “If a provider has properly trained an employee and received the policy attestation for the issue in question, the fine and/or associated legal actions can be greatly mitigated,” Tracey explains. “However, if the violation is deemed negligent because training and policy were not in place, the fines can be 10 times higher. But a breach doesn’t have to qualify as a HIPAA violation to be catastrophic. It may result in data loss, costly downtime, and further ramifications if the data gets sold, which can happen even when the ransom is paid.”
6. Implement Rules and Procedures Following the HIPAA Standard: Most companies don’t know what data they hold or where it’s located in their systems. They also have misconceptions about which data is protected. “Regularly, companies, especially smaller businesses, do not have procedures in place for even simple things such as what to do when you download a file and copy it or move it,” Tracey says. “A client may tell us they store all their medical data in an electronic health records (EHR) program, then invite us to perform an audit. It’s not unusual to find 6–8 months’ worth of information that never got deleted or $2 million worth of medical information saved in download folders and other unencrypted locations — all outside the EHR.”
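The audit described in item 6 starts with data discovery: finding medical records that have drifted out of the EHR into download folders and other unencrypted locations. The script below is an added illustration of that kind of scan; it is not code from the article or from Innovative Technologies. The indicator patterns (SSN, MRN, date-of-birth and diagnosis markers), the text-file extensions, the two-pattern co-occurrence threshold, and the sample workstation tree it builds are all constructed assumptions chosen to make the example run offline; a real audit would use a tuned pattern set and cover more file types.

```python
"""Added example (not from the article): a minimal PHI discovery scan that
walks a directory tree and flags text files where several medical-record
indicators co-occur, the way an auditor looks for EHR exports left in
download folders.  Patterns and sample files are constructed for illustration."""
import os
import re
import tempfile
from pathlib import Path

# Constructed indicator patterns (assumption: a real audit would use a broader,
# tuned set and add OCR / document parsing for PDFs and spreadsheets).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:ICD-10|diagnosis)\b[:\s]", re.IGNORECASE),
}

# Only plain-text formats are read here (assumption for the example).
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml"}


def scan_file(path: Path) -> dict:
    """Return {pattern_name: hit_count} for one text file (empty if unreadable)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return {}
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_tree(root: str, min_distinct: int = 2) -> list:
    """Walk root and report files where at least min_distinct different
    indicators co-occur; a lone SSN-shaped number (an invoice id, say)
    is too noisy to report on its own."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = Path(dirpath) / filename
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            hits = scan_file(path)
            if len(hits) >= min_distinct:
                findings.append({"path": str(path.relative_to(root)),
                                 "hits": hits})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed workstation layout so the scan runs stand-alone:
    one EHR export in Downloads, one harmless file with a single SSN-shaped
    number, and one document with no patient data."""
    root = tempfile.mkdtemp(prefix="phi_audit_")
    downloads = Path(root) / "Users" / "jdoe" / "Downloads"
    downloads.mkdir(parents=True)
    (downloads / "export_2021.csv").write_text(
        "name,ssn,dob,mrn\n"
        "Pat Example,123-45-6789,DOB: 01/02/1970,MRN 0012345\n")
    (downloads / "notes.txt").write_text(
        "Lunch order: 3 sandwiches, invoice 555-12-3456\n")
    documents = Path(root) / "Users" / "jdoe" / "Documents"
    documents.mkdir(parents=True)
    (documents / "budget.txt").write_text(
        "Q3 budget draft, no patient data here.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(finding["path"], finding["hits"])
```

Pointed at a real workstation image, the same walk would be run over each user profile's Downloads, Desktop and Documents folders, and any hit is a candidate for either deletion under the retention procedure or moving back into the EHR. The co-occurrence threshold is the design choice worth keeping: a single nine-digit pattern shows up in invoices and phone numbers, whereas an SSN beside a date of birth and a medical record number is almost always a record that should not be sitting in a download folder.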
“While HIPAA was designed to protect the privacy of patient records, it is actually an excellent framework for any organization’s security plan.”
With so many companies unaware of how much time it takes to make sure a company is safe, and with most internal IT departments overworked, there need to be more conversations around the risks and what companies can do to protect themselves. “The conversation about cybersecurity inside of organizations is long overdue,” Tracey says. “While there’s a long list of things to be afraid of, fortunately, there are reasonable solutions for all those bad, scary things. HIPAA is truly the gold standard and should be applied across all industries. An effective entry point is education. And an understanding of what threats you’re dealing with at this moment in time will help you make a plan to deal with those in order of the highest priority. Regardless, immediately start getting employees cybersecurity training, even if it’s minimal. Mandate and verify they do it. It’s time to take cybersecurity seriously because there’s no time to drag your feet.”
For more information on Innovative Technologies, please visit UpstateTechSupport.com.