Health care IT security: What IT service providers need to know

Posted by Courtney Steinkrauss on May 5, 2015 9:00:00 AM

Find me on:

3840298584_4211a8f1a0_zData breaches are on the rise in the U.S., increasing 27.5 percent in 2014, and health care companies in particular need to start being more vigilant. Earlier this year, Anthem, a major health insurance company, experienced a cyber attack that made 80 million Americans’ sensitive information available to hackers. It serves as an important lesson on just how critical data protection can be.

As an IT service provider, it’s your responsibility to help protect your health care customers from the threat of cybercriminals attempting to gain access to patients’ confidential information. But health care businesses also need their service providers to be aware of key regulations about how health care information is handled. To position yourself as an expert in health care IT, there are a few things you need to know.

Understand the law

If you’re servicing the health care industry, you must be HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to have certain administrative, physical, and technical safeguards in place.

Business associates, including IT service providers, also have to meet these standards. These entities act as subcontractors for the health care businesses, in this case safeguarding their information, which also makes them responsible for HIPAA compliance.

For health care businesses to be compliant, they need to have their data encrypted, have a contingency and data backup plan, limit access to data, and have audit controls in place, among other regulations. In order to make sure your customers have everything covered, meet with them frequently to better understand their use cases and standard practices.

To help satisfy the many requirements of HIPAA compliance, secure data in the cloud. Turning to the cloud will make it easier for you to be compliant while also offering a higher level of data protection to your customers. In fact, a Verizon report goes as far to say that 97 percent of data breaches could have been avoided with today’s cloud-based security technology, and encryption is a key component of that technology.

Implementing encryption will protect patient and billing records both in the cloud and in transit to the cloud. To further mitigate the risk, you should employ a cloud provider who uses military-grade 256-bit AES (advanced encryption standards) and SSL (secure socket layer) encryption protocols.

Stay informed

The regulations for HIPAA compliance are evolving, so MSPs need to stay informed about any changes made to the law that regulates IT security for health care providers. For example, the addition of the HIPAA Omnibus Rule in 2013 expanded the definition of Business Associates to include administrators, attorneys, consultants, and IT service providers working for the health care providers. Since then, some risk assessments suggest that Business Associates are posed with an even greater threat from attack because they hold large amounts of the data that hackers want.

The penalty for not being HIPAA compliant is severe, so it’s important to understand your responsibilities. Those found guilty of violating the law can be fined anywhere from $50,000 to $250,000. It’s clear that the consequences of leaving health care businesses vulnerable to cyber attack are detrimental not only to those businesses but also their IT services provider. If you’re just entering the health care vertical, make sure your services include appropriate encryption and meet other standards needed to be compliant. 

Educate your customers

Reports have found phishing to be a common trick used by hackers in the recent cyber attacks on health care companies. Phishing involves a cybercriminal sending a message to a user and making false claims in order to gain access to the user’s critical data. This social engineering tactic can come in the form of an email, phone call, or website download.

The best way to prevent phishing in your customers’ businesses is to educate the users on their network and show them the warning signs of an attack. Microsoft provides a helpful example of a phishing email that highlights spelling errors, suspicious links, direct threats, and the signature of a popular company as warning signs. Make sure to stay up to date on emerging types of malware so you can keep your customers informed.  

You can help save a small business by educating your health care customers on preventative cybersecurity measures. Teach your clients how to protect themselves and how to recognize a threat. Also, deploy solutions that are in accordance with HIPAA regulations. Sharing what you know about IT security will only help. Start the conversation before your client’s business is the headline in tomorrow’s cyber attack.

Photo Credit: The National Guard on Flickr. Used under CC 2.0 license. 

Download our HIPAA Compliance White Paper

Topics: HIPAA and Healthcare IT, Cyber Security

Which Data Loss Gremlin Is Targeting You
MSP Health Check
MSP Phishing Quiz
Intronis Local Lunches
MSP Marketing Assessment