- March 20, 2017
My partner and I recently visited with a physician who runs a thriving primary care practice in an affluent retirement community to discuss the state of his practice’s IT security program. He reached out to us after receiving an inquiry about whether his practice was HIPAA compliant. The practice consists of himself, a small team of Family Nurse Practitioners and admin staff. He has been in the same location for over 30 years and is a well-known and trusted physician in the community.
We started the meeting by asking a series of questions about the security measures he had in place to protect his patients’ confidential data (ePHI). It became apparent to us that, although he provided outstanding patient care, he had not invested the time to learn the basic security principles needed to keep his patients’ data secure within the practice. When we asked him about the last HIPAA Security Risk Analysis he had conducted, he looked at us with a blank stare and said, “I’m not sure what you are asking.” After we explained that this is an annual requirement under the HIPAA Security Rule, he asked… and I quote,
“So… is this HIPAA Security thing a law?”
At first, my partner and I looked at each other thinking he was playing with us… or trying to test our knowledge of compliance in healthcare. Neither was true. He was sincerely uncertain whether or not HIPAA was a federal law. That was a sobering moment for Lee and me.
It was in that moment we realized just how uneducated small-to-midsize businesses (SMBs) are when it comes to having basic IT security practices in place. It reinforced our decision that leaving the enterprise security world after many years to help SMBs with security and compliance issues was the right move to make, and that we had our work cut out for us. The fact is, most IT security consulting firms are still trying to keep up with the demand for cybersecurity services from the enterprise world, which has left small-to-midsize businesses severely underserved. GoldSky Security exists to serve SMBs, at rates they can afford.
As we were winding down our visit, we suggested performing a HIPAA Security Risk Assessment to help identify threats and vulnerabilities within the practice. We would then provide a list of remediation items that would reduce his risk of a data breach in the future.
I’m sure we would all agree that this physician, and his affluent patients, have been extremely LUCKY up to this point in time! Well, at least as far as we know. I’m sure many cyber criminals would view this type of breach as finding a very large pot of gold at the end of the rainbow!
He responded, “Ya know, I’m getting ready to retire next year and we haven’t had any issues up to this point. I think we’re good for now. But thanks for your time and sharing this information. It’s been very insightful.” So… Luck or Security? How would you advise the good doctor? Wishing you all a safe and secure St. Patrick’s Day!