Case Study

Stay Compliant with Healthcare Security Solutions

Technology is on the front lines to help healthcare organizations stay compliant, combat data loss, enhance authentication processes and improve security.
October 26, 2017

Security is at the forefront for every healthcare provider. Whether it’s the myriad threats that bombard facilities every week or the demand to better protect patient data and privacy, security is a precondition for success in modern healthcare. When compliance enters the picture, security goes from a necessity to a legal requirement, with high stakes for patients and providers alike.

Healthcare organizations that fail to comply with HIPAA’s increasingly strict requirements for security and patient-data access pay the price. That’s why, in the juggling act of data, device and network security, providers cannot afford to drop the compliance ball, and why compliance is a major focus for organizations in 2016.

57%

of health IT professionals cite their main focus for healthcare IT in 2016 as compliance and security upgrades.1

73.5%

said their organizations are increasing compliance spending in 2016.1

Source: 1 searchhealthit.techtarget.com, “Data Security in Healthcare Tops Health IT Buying Intentions,” April 2016

THE PENALTY FOR NONCOMPLIANCE

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), established a tiered structure of civil penalties for HIPAA violations based on the level of culpability. Consider the following tiers:

 HIPAA VIOLATION: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA.
   • Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations.*
   • Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million.

 HIPAA VIOLATION: Violation due to reasonable cause and not due to willful neglect.
   • Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
   • Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million.

 HIPAA VIOLATION: Violation due to willful neglect, but corrected within the required time period.
   • Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
   • Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million.

 HIPAA VIOLATION: Violation due to willful neglect and not corrected.
   • Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million.
   • Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million.

 * Note: $100 per violation, with an annual maximum of $25,000, is also the maximum that can be imposed by State Attorneys General, regardless of the type of violation.

Source: 2 ama-assn.org, “HIPAA Violations and Enforcement”

 
From a monetary standpoint alone, healthcare organizations cannot afford even an inadvertent HIPAA violation, and the same holds from a reputation and patient-loyalty perspective. In the competitive healthcare arena, providers need every advantage, and a security breach hurts both patient care and the bottom line.

Compliance Extends Beyond Provider Walls

It’s important to note that these stringent requirements apply to more than the covered entities themselves. They also extend to business associates. In 2013, the HIPAA Omnibus Final Rule, which implemented changes made by the HITECH Act (Health Information Technology for Economic and Clinical Health Act), amended the definition of business associate to be “a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity.”3 It also “…added a new category of services, patient safety activities, to the list of functions and activities a person or entity may undertake on behalf of a covered entity that give rise to a business associate relationship.”3

Just like the covered entities they work with, business associates (and their subcontractors) are directly required to comply with the HIPAA Security Rule to safeguard protected health information (PHI). What happens if a business associate suffers a breach? Under the Breach Notification Rule, a breach affecting more than 500 individuals must be reported to the affected individuals, to HHS and to prominent media outlets. HHS could fine the provider or the business associate up to $50,000 per violation, and both could face criminal charges.


In 2015, according to the HHS Office for Civil Rights, which publishes the data breaches reported to it as required by HIPAA, there were 253 healthcare breaches that affected 500 or more individuals, with a combined loss of over 112 million records. The top 10 breaches alone accounted for just over 111 million records lost, stolen or inappropriately disclosed.4

Source: 4 forbes.com, “Data Breaches in Healthcare Totaled over 112 Million Records in 2015,” December 31, 2015

CASE STUDY

 
The Challenge

The new CSO at a mid-size hospital wanted to improve upon the security platform the organization already had in place. CDW Healthcare partnered with him to build a strategy to strengthen security protocols while aligning with the hospital’s long-term security goals.

The Solution

CDW Healthcare began the process by conducting initial assessments to help the CSO demonstrate security vulnerabilities and secure board-level buy-in. Once a consensus was reached as to the need for an upgraded solution, CDW Healthcare mapped out a unique security solution to meet the hospital’s specific needs that included:

  • DLP managed security services
  • Cybersecurity and 24/7 surveillance services from Symantec
  • A security simulation at Symantec’s facility
  • Modeling of Oracle databases
  • Aurelia product sets that work with the hospital’s legal and other departments

The Result

Every area of the healthcare organization was touched, from individual PCs all the way up to network infrastructure, proxy servers and outbound traffic. All solution components were rolled out in stages spanning three years. The hospital now worries less about becoming the next victim of a security breach and can focus more on its mission of patient care.

 

WHY CDW FOR HEALTHCARE SECURITY

You can’t be in compliance without the right security solutions in place. CDW Healthcare can help you determine the right mix of data and network protection solutions to help protect patient information and better address compliance mandates. CDW Healthcare works with vendors and partners that sign business associate agreements to help ensure compliance, with technologies available to address:

  • Authentication
  • Data loss prevention
  • Mobile security
  • Threat prevention
  • Social engineering/phishing

CDW Healthcare can provide the services to help ensure your healthcare organization stays on top of security measures to better align with compliance mandates:

Security assessments. These encompass mobile security, endpoint security, risk assessment and compliance/threat prevention. We’ll conduct a targeted security analysis and network review, then design, configure and install a tailored security solution to help ensure hospital information is better protected.

Vulnerability assessments. Our assessment team evaluates your current IT systems to determine and categorize present vulnerabilities. We then classify and rank them by criticality, helping you prioritize risks and handle the most destructive threats first. Finally, we provide a customized report helping you find the right means to address any vulnerabilities.

 

Source: 3 mwe.com, “New HIPAA Regulations Affect Business Associates and Subcontractors,” February 2013

 

Interested in talking to an IT expert about your security needs?

Call us at 800.808.4239

 
