A Massachusetts hospital learned the hard way that HIPAA compliance is NOT optional. Hospital staff filed a complaint back in 2012 because the medical center was using Web-based document sharing for protected health information. A HIPAA breach followed in 2014 due to a lack of adequate security policies. A settlement of $218,400 was reached with the Office for Civil Rights based on the potential exposure of 500 patient records via the document sharing. The hospital will also be required to show proof that it is remediating the HIPAA compliance gaps, with unannounced on-site spot checks to assess the policy and procedure implementations.
A Tennessee-based retailer was hit with more than $13 million in fines by Visa for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) after a breach. Visa is among the credit card brands that self-regulate PCI compliance and are given authority to fine organizations for failing to maintain the standard. The retailer is now in a costly multi-year legal battle with Visa to try to recoup some of the fines.
Don’t think you’re immune just because you may not be subject to HIPAA or PCI regulations. An organization with 500 records that include Social Security numbers (staff, past employees, clients) could face losses of $2,127 PER RECORD, or $1,063,613 in total, using HUB International’s data breach cost calculator estimates.
Five action steps you can take to lessen your risk include:
- Assess current level of compliance with regulatory or NIST cyber security standards
- Remediate gaps
- Run regular security testing (vulnerability scans, pen testing, and social engineering to check staff’s cyber security awareness)
- Monitor your network and make sure to investigate any suspicious behaviors to detect a breach or attempted breach as quickly as possible
- Educate staff at all levels about the importance of cyber security and the risk to the organization if it is not a top priority. Have an Incident Response plan so everyone understands their role and what steps need to be taken should a breach occur.