Pharmacies, big and small, may find themselves on the probing end of a hacker’s criminal scheme designed to access and steal protected health information (PHI). Recently, CVS Pharmacy, Inc., Ravkoo (affecting Amazon Web Services), and Florida-based BioPlus Specialty Pharmacy Services LLC have all been targets of malicious actors after PHI. It comes as no surprise that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) 2022 first quarter Cybersecurity Newsletter reported an increase in cyberattacks from 2020 to 2021. According to the OCR’s report, cyberattacks and “IT incidents” accounted for 66% of breaches affecting 500 individuals or more, and according to the 2020 Data Breach Investigations Report by Verizon, over 80% of data breaches due to hacking were from weak authentication requirements.
Having safeguards in place to detect and prevent unauthorized users from accessing PHI and electronic PHI (ePHI) is a requirement for all covered entities, as outlined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and clarified by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Although ePHI is usually the target of cyberattacks, it is important to be aware of the potential for internal breaches as well, some of which may be the result of inadequate policies and procedures rather than malicious actors. The Rite Aid pharmacy chain found out the hard way that tossing medication vials with patient information into their regular trash bins was not the correct way to dispose of PHI. Rite Aid’s $1 million settlement for having insufficient internal policies and procedures for handling PHI can serve as a reminder of the importance of evaluating your own HIPAA policies and procedures. In fact, periodically reviewing your security protocols and correcting your security shortcomings is a HIPAA Security Rule requirement.
PAAS National® has a customizable Fraud, Waste & Abuse (FWA) and HIPAA Compliance Program with tools and resources to help pharmacies meet HIPAA and HITECH compliance requirements. The PAAS FWA/HIPAA Compliance Program walks members through setting up a robust compliance program which includes:
- appointing HIPAA Privacy and Security Officers,
- performing a Risk Analysis to identify and document threats and vulnerabilities that may impact ePHI,
- developing administrative, technical and physical safeguards to protect ePHI,
- developing customized HIPAA Policies and Procedures (including proper PHI disposal, security reminders, access controls, prevention of malicious software, etc.),
- online HIPAA training and much, much more!
Having a robust HIPAA Compliance Program and an educated workforce that is fully engaged in protecting PHI can greatly reduce the risk of unauthorized access to PHI and ePHI. Don’t be the weak link and have no plan in place – it’s the law!