Cybersecurity: Think HIPAA and beyond 

Q. Why is cybersecurity important to HME providers? 

A. For HME providers, understanding and acknowledging the importance of cybersecurity is a key component of strategic risk management that can support the sustainability and stability of the organization. Without good practices and controls in place, the organization could face fines; incur economic damage due to ransomware; create reputational damage; or cause harm to patients, employees and the communities they serve. 

HME providers are subject to HIPAA regulations. The Office of Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security Rules and routinely carries out investigations and audits of health care entities who have access to or manage Protected Healthcare Information (PHI). These compliance reviews occur for covered entities (providers) and can include any business associates that engage with the providers regarding handling PHI.  

Many people do not realize how valuable health care data is to cybercriminals. Typical reports demonstrate that health care records are valued at 10 times to 50 times the value of financial data. This is because controls around financial records can be activated quickly, fraud is detected quickly and action is taken swiftly. Health care data, on the other hand, can be used for long periods of time to create new identities, secure medical products for resell and even establish new credit facilities. These new identities can create confusion around treatment history, medication records, etc., that could create delays or improper treatment for patients.  

Beyond HIPAA regulations, HME providers also need to protect employee data like Social Security numbers, payroll information, etc., and organizational data such as bank accounts, credit card data, trade accounts, etc. If an HME provider experiences a breach and employee or organizational data becomes public or used by cybercriminals, the organization could see significant harm in the forms of fraud, identify theft, cyber theft and public image damage. 

Jeff Woodham is vice president of operations for Mandry Technology Solutions. Reach him at jwoodham@mandrytechnology.com.