Who enforces cyber security for healthcare?

​
​The assumed answer is HIPAA. To clarify, HIPAA is an act and not a governing body of any sort. HIPAA’s rules and regulations are enforced by the U.S. Department of Health & Human Services (HHS) and their Office for Civil Rights (OCR). Besides Attorney Generals, other entities cannot enforce HIPAA, it acts as a standard for the healthcare industry and is used as a measuring stick for due diligence. 

FTC

​The Federal Trade Commission (FTC) is an example of a government organization that has launched cases against companies who demonstrate poor cyber security practices. One such case is FTC v. Wyndham Worldwide Corporation where security failures led to three breaches. Another example is the case the FTC launched against LabMD, Inc. In LABMD, INC v. FTC, the FTC declared that LabMD’s lack of security measures violated their clients’ right to privacy. Although overturned, this case showed the FTC’s willingness to go after businesses with poor practices and in the end, LabMD succumbed to the financial burden of defending themselves.

Attorney General

​Another organization enforcing HIPAA violations is the State Attorneys General (SAG). According to the HITECH act from 2009, “[it] gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.” Although I have found no cases of SC AG enforcing HIPAA, other states have been active under the law. New York embraced the power given by HITECH and has issued over $2 million in fines. California, New Jersey, Vermont, and Massachusetts have also flexed their enforcement powers paving the way for other states to do the same.

Patients

​While HIPAA cannot be used as a foundation for a civil action (private cause of action), several states allow patients to bring suit against offending companies on the grounds of negligence. Patients must prove substantial harm was caused by the breach; however, this does not guarantee a favorable outcome for the patient. If you are curious about activity in cyber security litigation, see  Willis Towers Watson’s great write-up.  

Summary

Medical practices that are HIPAA compliant abide by standards that provide great care to their patients while protecting the confidentiality of the sensitive information they encounter daily. Would you talk freely to a doctor knowing that the world will also know? Probably not. This is why Federal organizations and patients are taking cyber security seriously and now have the power to ensure medical practices do the same.


Great Cyber Security requires a wealth of knowledge and a practiced hand, just like patient care. Contact Tandem Cyber Solutions to discuss HIPAA compliance and protecting your patients.  

For a HIPAA check list, go [here].
To get in touch with our experts at Tandem Cyber Solutions, call us at 843-309-3058
Check out our HIPAA services [here] ​

Author

Micheal Small
Co-founder + Ethical Hacker

Micheal has over 13 years combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry and his passion for the cyber world is unparalleled with exposure to virtually every industry. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates. ​