Telemedicine is changing the way healthcare is delivered. The benefits of these platforms are abundant, and the adoption rate is staggering. But as part of this tele-revolution, any organization that handles electronic protected health information (ePHI) must be prepared to demonstrate its ability to maintain HIPAA compliance.
Undoubtedly, telemedicine is the future of healthcare. But according to the American Telemedicine Association, it is already making a huge impact today. In 2016, more than 1,250,000 online patient consultations will occur, more than 550,000 ICU patients will be monitored remotely, and over 125,000 patients will be diagnosed via telestroke. However, with the growing adoption of cloud technologies and the increase in the delivery of telemedicine services, the amount of ePHI being handled by businesses and individuals, both inside and outside the healthcare setting, is growing exponentially. And with this come serious threats to data security.
HIPAA Compliant Hosting is Essential
Covered entities (CEs) are required to ensure that the IT supporting their business meets HIPAA's requirements. HIPAA's reach does not stop there. The need for HIPAA compliance extends to data centers and other third-party vendors, described in HIPAA as Business Associates (BAs), although responsibility (and liability) flows upward through the chain of command. As such, you must also be knowledgeable about what makes a hosting provider effective, reliable, and able to prove compliance in the event of an audit or a breach.
Compliance and the Growing Cyber Threat
The Ponemon Institute's recent Fifth Annual Benchmark Study on Privacy & Security of Healthcare highlights precisely why regulatory standards and vigilance in security have become such a hot-button topic. One of the biggest takeaways is that, for the first time in the history of this study, attacks by cybercriminals are the primary cause of data breaches in healthcare. Shockingly, the majority of healthcare organizations surveyed indicated that they are not actively implementing change, nor do they appear concerned about the threat of cyberattacks.
The study found that:
- 65% of the healthcare organizations participating in the study had experienced electronic information-based security incidents over the past two years.
- 87% of third-party vendors also reported a data breach in the last two years.
- Criminal attacks on healthcare organizations and business associates have increased 125% in frequency compared to five years ago.
- The average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.
- The average cost of a data breach for BAs is over $1 million.
- Perhaps the most shocking data point reported is that, in spite of the increased criminal activity and the rapidly evolving threat environment, the majority of healthcare organizations indicated they have made no changes to what they're doing or how they're doing it. Only 40% of healthcare organizations and 39% of BAs surveyed expressed concern about cyberattacks.
The stark reality is that no organization, regardless of size or authority, is immune to these threats. In fact, given these figures, your organization is statistically more likely to be targeted by a cyberattack than not, which further illustrates the dire need for secure and compliant hosting systems for anybody receiving and transmitting ePHI.
HIPAA Violations Will Cost You
Regardless of whether a breach occurs, you must make sure that your business's connected systems are not running afoul of HIPAA compliance regulations. The same can be said of any third parties your organization works with. Whether or not your company becomes the target of an attack is out of your hands, but the likelihood of experiencing a security event is growing exponentially.
Focusing on what you can control, however, not only prepares you for the possibility of a breach, but also reduces the risk of legal and financial penalties, or damage to your organization's reputation, for failing to comply with these regulations. Willful neglect of HIPAA requirements can cost a business anywhere from $10,000 to $50,000 per violation, up to a maximum of $1.5 million per year, with possible criminal charges and jail time for individuals to boot. On the other hand, a violation due to reasonable cause (knowing, but not willful, neglect) that involves the compromise of 500 or more medical records can cost from $100 to $50,000 per incident, though no criminal charges can be brought against CEs in these instances.
What to Look for in a HIPAA Compliant Hosting Solution
OnRamp is proud not only that we offer secure, comprehensive HIPAA compliant hosting solutions, but also that we work collaboratively with our partners to help them meet and maintain compliance from the IT perspective. We've even built an online, proprietary 3-step HIPAA Risk Management Tool to help with this process, a clear testament to our level of commitment.
Whether you’re evaluating the performance of your current cloud service provider, or looking for a new one, we’ve put together a free HIPAA compliance checklist for those in the market for a well-regulated hosting solution. The 12 main questions to ask are:
- Is the client infrastructure auditable?
- Will the provider sign a business associate agreement?
- How many of their clients are in healthcare and how do they facilitate HIPAA compliance with those clients?
- Does the provider have a HIPAA compliance officer or a designated official responsible for HIPAA?
- Does the service provider offer private clouds?
- Does the provider have a structured security awareness program?
- Do they educate staff on their security awareness program?
- What is the vendor’s incident response process?
- Do they provide FIPS 140-2 encryption for data in transit?
- Does the provider encrypt data at rest on SANs or local drives?
- Does the provider offer secure offsite backups?
- Does the provider offer disaster recovery or business continuity solutions?
Connect with OnRamp at ATA Conference 2016
OnRamp will be attending the American Telemedicine Association (ATA) Annual Conference and Trade Show in Minneapolis, MN. The event will be held Saturday, May 14 – Tuesday, May 17, and the OnRamp team will be there with information on HIPAA compliant hosting and managed security services. Find us at booth 1620, and we'll be glad to offer you a sneak peek at our latest enterprise-level file sync and share service, Compliant Cloud File Share, hosted on OnRamp's secure private cloud infrastructure.