MSPs are finding themselves with more and more PHI (personal health information) to safeguard. But how do you safeguard the safeguarding?
As a journalist who covers the burgeoning med-tech space, I’ve witnessed first-hand violations of PHI standards by various stakeholders in the ecosystem that were sloppy at best and flagrant at worst.
An interesting statistic that illustrates the vise MSPs find themselves in is that while most people – 80 percent – trust their healthcare provider with their data, the data is actually pretty vulnerable. Thirty-four percent of all breaches are of PHI.
One healthcare professional dismissed the threat by saying that “healthcare information isn’t all that valuable to hackers,” insisting that hackers are after credit card numbers, bank account information, and other ways to get quick cash.
But that is not true.
A Trustwave Global Security Report released in 2018 illustrated why hackers prize PHI. Payment card information might sell for $5 or more on the dark web. But that is bus fare money compared to the more than $250 a single hacked patient record can sell for on the dark web.
PHI can be used to file fake medical claims, graft an identity, fill prescriptions (which can then be resold), and fuel social engineering. At the same time, MSPs have increasing opportunities in healthcare. An MSP owner that I was speaking to in Wilmington, Delaware, told me:
“For a long time, we tried to steer clear of healthcare clients; it just seemed too risky, but the demand is so great now for services that we decided to jump in, and so far, we are glad we did. We can’t keep up with the demand and are now seen as specialists in this area.”
The risky part the MSP owner was referring to is the fines imposed if a business runs afoul of HIPAA. There are numerous onerous laws that MSPs must navigate to be successful in the healthcare space, of which HIPAA is just one. So, it is understandable why MSPs might want to pursue manufacturing or accounting clients, where the oversight isn’t as significant, but healthcare opportunities are exploding.
Steps to keep in mind if pursuing medical clients and PHI
Encryption: Most breaches or HIPAA violations do not occur because of some complex chain of opaque occurrences. Most occur because of a breakdown in fundamentals. PHI data needs to be encrypted. HIPAA requirements can sometimes cause confusion in this regard because the original statute was written with “breathability” built in. In other words, the drafters knew that technological changes were coming.
The wording is: “Implement a mechanism to encrypt PHI whenever deemed appropriate.” “Appropriate” really means all the time.
HIPAA Journal says this about encryption:
A solution to the encryption issue is to implement a secure messaging platform. Secure messaging platforms comply with the HIPAA encryption requirements by encrypting PHI both at rest and in transit – making it unreadable, undecipherable, and unusable if a communication containing PHI is intercepted or accessed without authorization. These secure messaging solutions not only meet HIPAA email encryption requirements, but they also meet the requirements for access control, audit controls, integrity controls, and ID authentication.
Secure portable devices: Laptops, smartphones, tablets, and health wearables all contain troves of protected PHI data. Their portability leaves them vulnerable. They could be inadvertently left behind at the train station or a Starbucks. They could be stolen. Devices could be damaged and discarded.
All PHI on portable devices needs to be treated with extra care. Using a smartphone on an unsecured network at the local coffee shop could make any PHI an easy target for hackers. Every MSP needs a set of rules and protocols specifying which portable devices may be used to transmit PHI, and must enforce proper security measures on those devices.
Conduct an annual risk assessment: The business world is in constant flux. As an MSP, you may think you don’t have any PHI in your portfolio and, perhaps, a year ago, that would have been accurate.
But maybe, during the past year, a manufacturing client of yours moved into the medical device space. Or an accounting client started handling accounts for a medical clinic. Or perhaps the legal firm you manage security for has taken on some medical clients over the past year.
You can’t protect against what you don’t know about, yet ignorance isn’t a defense against a hefty HIPAA fine. MSPs fall into the business associate or subcontractor category, which is required to be HIPAA compliant. A breach of PHI that can be traced back to the MSP can be costly, up to $50,000 per compromised record. Fines can even be imposed on MSPs who don’t have the proper agreements in place with clients dictating the handling of PHI.
With the continuing merging of medical data with IoT devices and the coming 5G transformation in speed, the opportunities for MSPs in the healthcare field have never been greater. Just make sure you know all the best practices before taking the plunge, or your bottom line will plunge.