SOUTH FLORIDA, USA – 31 Oct, 2017 – The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 to protect consumers’ health information, yet an alarming number of medical businesses (dentists, doctors, diabetic centers, plastic surgeons, etc.) are not compliant with the minimum professional standards it requires. According to Andrew Scott, Founder of the South Florida Tech Group, it is an ongoing problem his company runs into, with as many as three clients per week turning a deaf ear to resolving their shortcomings.
“If we are called in to fix a computer or technology problem in a business that we find is not HIPAA compliant, we put it in writing that we cannot assist them further, and why,” Scott said. “There’s a $100,000 fine if a business gets caught, and we, as the IT provider, are held liable to the same standards, having known better, if we perform the non-compliant work.”
“It’s not about a government agent showing up and doing ‘an inspection.’ Most of these medical businesses are being busted because their lack of compliance left their systems vulnerable, and they were then hacked or breached in some way, with email being the top way hackers get in.”
Scott cited many instances in which he has had to turn away customers because they were not willing to become HIPAA compliant. “A skin care medical spa in Naples next to the Coastland Mall called us in to fix a computer problem. We found viruses doing unknown things … reporting patient information back to some remote system. This was an obvious breach. They stored their patient information on old Windows 7 machines. When we finally reached the doctor in charge, who was constantly on vacation, he said the owner wanted to ‘keep things the way they were’ and ‘didn’t want to spend any money on computer things.’ So we put it in writing that we could not work with them further.”
Another, an attorney on Bedford Dr. in Melbourne, FL, called South Florida Tech Group in to fix an email problem. The law firm was using an insecure email platform, and medical information, children’s and family records, and criminal case files were all part of the firm’s data. After the firm had been hacked twice, South Florida Tech Group offered a $275 upgrade to Google Apps to secure the system, but the attorney declined it. SFTG says it wrote him a letter that they could no longer work together, and he is still operating with the vulnerable system today.
“We had a husband and wife team that jointly own a dental practice on Marco Island, as well as individual practices for orthodontics, kids’ dentistry and oral surgery in Bonita Springs. None of their offices are HIPAA compliant. Although they process millions in sales a year, and only require a few thousand dollars of investment to bring their servers and workstations up to date, they told us years ago that they wanted to ‘avoid spending any money,’ so we have had to decline them every time they call for service. They last called during Hurricane Irma when they were worried about losing all their patient records, having none of them backed up, another violation. We can’t help them if they are unwilling to come into compliance with the law.”
Former President Obama recognized the lack of concern for complying with minimal technology standards and signed the HITECH Act into federal law to provide additional enforcement resources for finding non-compliant businesses, Scott said. But it does not seem to be persuading the majority of companies to get their technology in order.
What does it take for a business to be technologically and logistically HIPAA compliant?
1) Any individual who has access to the computer systems or network must have a signed confidentiality agreement on file for the last three years. Scott says 90% of the businesses he comes across have no idea what this is.
2) All patient records must be stored simultaneously in at least two locations, and any copy held off-site or with an external provider must be encrypted. Scott says he was surprised how many medical practices were scrambling in the days before Hurricane Irma to get backed up for the first time in a while.
3) Management must have a written plan for maintaining their computer systems on file and available for inspection at all times. Scott said almost 100% of the medical offices they visit for the first time have never done this.
4) Devices plugged into the network must run only operating systems that still receive regular security updates from their manufacturer; anything else must sit on a separate, isolated network. (Scott’s firm accepts only Windows 10 and Server 2016, treats Server 2012 as acceptable until January 2018, and rejects Windows XP, Vista, 7 and 8. Note that this cutoff is the firm’s own policy: the HIPAA Security Rule names no operating system, and it is the manufacturer’s published support lifecycle, not the rule, that determines which versions still receive patches. At the time of writing, for example, Windows 7 and Windows 8.1 were still within Microsoft’s extended support.) Scott says this is the point that meets the most resistance from business owners, who are reluctant to move off older Windows versions.
5) Computer systems must have active anti-virus protection. About 40% of the businesses Scott comes across don’t have this either.
“I think this is an alarming issue. I certainly do not want my medical information or my personal information being hacked or stolen because a doctor, who makes hundreds of thousands of dollars a year, can’t spend a few hundred on keeping his software up to date. I can say some of it is ignorance, but a lot of it is greed. They don’t want to understand how vulnerable they are until it is too late, until after they have either been hacked or held ransom.”
Many health care providers have experienced the repercussions of not being up to date. The James A. Haley Veterans’ Hospital in Tampa, for example, was hit with a ransomware attack and suffered data loss, five days of downtime and tens of thousands of dollars in IT costs, and now faces possible lawsuits and government fines for its role in putting patient information at risk.
“If someone gets hit with identity theft or credit card fraud, I think people should definitely consider which medical offices they have visited, not just suspect gas pumps and ATMs,” Scott said.
Scott tells consumers to casually ask the receptionist what computer operating system the office uses. If it is older than Windows 10, by his firm’s standard it is not compliant.
Businesses can take advantage of a free, no obligation HIPAA compliance analysis from South Florida Tech Group. Call 888-257-3015 for more information.
Company Name: South Florida Tech Group
Contact Person: Kori Ellis
Phone: (888) 257-3015
Country: United States