Norton Healthcare Faces Class Action Lawsuit Following Cyberattack

Following and implementing security standards is crucial for protecting sensitive information.

By Jeff Wardon, Jr., Assistant Editor


Cyberthreats can be costly in a variety of ways. Further adding to costs, healthcare facilities might even find themselves in lawsuits after cyberattacks. Given that cyberattacks can lead to sensitive and private data being compromised, the affected individuals may seek to recoup potential losses. 

The latest healthcare facility caught in legal crosshairs is Norton Healthcare, which was hit with a cyberattack in May 2023.

According to WHAS11, a federal class action lawsuit was filed on July 21, alleging that Norton Healthcare handled private information in a reckless fashion and failed to protect it from the cyberattack. Plaintiffs also allege that their information had been stolen by the attackers, potentially putting plaintiffs at risk of fraud and identity theft. They seek compensatory damages and a decade of credit monitoring. This lawsuit was filed by a former employee and current patient on behalf of all affected employees and patients.  

Picking up the pieces after a cyberattack is challenge enough, and entering a legal quagmire is another issue entirely. Ultimately, what this boils down to is proper maintenance of personal information on these healthcare facilities’ information systems. Securing this data is critical to avoiding both a data breach and potential lawsuits.

How, then, does a healthcare facility secure this protected health information (PHI)? A good baseline to start with is the HIPAA Security Rule. The rule applies to, and must be followed by, all HIPAA-covered organizations and associated businesses.

According to the U.S. Department of Health and Human Services, all covered entities must: 

  • Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

Those are the basic requirements of the Security Rule. While it gives a general idea of what to comply with, it does not lay out how to ensure protection. That is where the three standards of the rule come in: administrative safeguards, physical safeguards and technical safeguards.

Administrative safeguards cover the management processes put in place, the personnel involved, training, and the evaluation of all of these. Essentially, a healthcare facility wants to have informed processes, policies and procedures designed by experienced personnel. Then it needs to train its staff on those standards, so the staff knows what to do. Lastly, it will need to evaluate what it has done on the administrative end to ensure PHI security.

Physical safeguards are as they sound: physical components and barriers put in place to guard against physical access to PHI. Covered organizations must restrict physical access to their facilities while still allowing access to authorized individuals. Another part is ensuring that workplace technologies and media are guarded as well, by having policies around the downloading, transferring or removal of data.

Finally, technical safeguards account for things such as access controls, audit controls, integrity controls and transmission security. Basically, only authorized individuals should be able to access PHI. In addition, covered organizations must employ different mechanisms to keep track of access to PHI. This involves making sure sensitive files are not deleted or altered and that PHI can be transmitted over a network securely. 

These standards, when followed properly, allow for a robust information security system. Security systems are complex and require a good deal of planning. Healthcare facilities, whether HIPAA-bound or not, can benefit from implementing or improving their own information security systems.  

Jeff Wardon, Jr. is the assistant editor for the facilities market.  

 

  



August 2, 2023


Topic Area: Information Technology, Security

