Law Firms Hacked: HIPAA And Other Information Security Compliance Issues
Law firms that represent healthcare providers and health plans have another level of information safeguards to add to their internal HIPAA compliance assessments. Bloomberg News has reported that approximately 80 law firms had been hacked since 2010 and that the FBI convened a meeting of the top 200 law firms in New York City to advise them that the increasing number of electronic intrusions clearly indicates that law firms are increasingly seen as weak links in information security and, therefore, will be targeted with greater frequency.
While the hackers in the Bloomberg article (available at http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html) have been linked to individuals in China and the law firms involved, to a great extent, were active in merger and acquisition matters, law firms representing healthcare entities should take notice because they have discrete obligations under HIPAA and HITECH to implement safeguards for Protected Health Information.
While any firm can be the victim of a cyber-attack, an attack that results in the unauthorized disclosure of patient-identifiable health information (for example, a “phishing” attack or certain “worm” viruses) can subject the firm to investigation by the Office for Civil Rights of the U.S. Department of Health and Human Services. In such an investigation, one of the first requests will be for documentation of the firm’s information security safeguard policies and a current security assessment. Both are critical to the defensibility of the firm’s information management practices and, to put a fine point on it, to the firm’s continuing ability to retain healthcare business.
Policy preparation, workforce training and security assessments require the work of an inter-disciplinary team comprising firm risk management and IT resources, an outside technical security vendor and outside counsel to advise the firm on the information security obligations under federal and state laws, as well as the ethical obligations to maintain confidentiality in client electronic information,