Simply put, information security is about protecting information. In the medical field, there are numerous types of information that need protection whether you are in the clinical environment, or behind the scenes. Regardless what your position may be, 2016 is the year that information security is going to be bigger than ever. And there are two reasons why.
The first reason has to do with HIPAA, a law passed in 1996. Anyone who works around healthcare has heard of HIPAA, but few understand what is really in the law. It has two parts, a Privacy Rule (which covers patient privacy) and a Security Rule (which covers electronic health records), but few have paid much attention to either, because unless something came up in the news nobody was likely to feel the sting if a rule was broken. Starting in 2009, however, that began to change. When President Obama signed the American Recovery and Rehabilitation Act (the large economic stimulus plan) into law, it contained provisions that gave HIPAA some teeth, and those teeth have bite. Consider these examples:
- a hospital agrees to pay $850,000 for potential HIPAA violations,
- a health insurer agrees to a $3.5 million penalty for potential HIPAA violations,
- a university hospital agrees to pay $750,000 and implement missing HIPAA policies.
These are just some enforcement examples from 2015. Look for more this year.
There are worse things than a government penalty, and this is the second reason why information security will be important for all of us in 2016. One year ago this month, one of the largest health insurers in California announced they were the target of a data breach, and approximately 80 million people were affected. In July, a well-known university medical center announced they had been breached, affecting 4.5 million people. According to one report, the first half of 2015 saw more than 89 million patient and staff records hacked nationwide, up from 12 million for the same time in 2014. At an average cost of $154 per patient record to fix the mess caused by data breaches, this amounts to over $13.7 billion in damages caused to hospitals, insurers, HMOs, and others in just six months.
HIPAA is just the best known of the information security requirements, but other regulations, industry standards, and laws also apply to the areas that information security covers. The credit card industry has requirements for payment collection, the federal government has requirements for anything affecting collections and credit, and many states have their own unique requirements. Any or all of these requirements may overlap wherever there is information that needs protection: frontline/patient admit, revenue recovery, billing, patient records, and human resources. No matter where in healthcare you work, you have a role to play.
There are reasons with technical-sounding names for why hackers are able to wreak such havoc, but the bottom line is that there are no signs they are going to stop trying. For this reason, 2016 will be a very important year for everyone to pay attention to information security.