A ProPublica investigation found that a number of commonly used PACS (picture archiving and communication systems) software products left the medical imaging results and health records of millions of people unprotected by passwords and easily available to the public. In many cases, the records could be viewed with an ordinary web browser, without installing any special software.
Ransomware attacks and HIPAA breaches have made headlines in the last few years, but this violation is different in how easy it turned out to be to access these records. No “hacking” was required to see medical records stored on servers from companies like MobilexUSA or OffsiteImage: anyone with the right URL could view them. Shockingly little thought had been put into making sure the records were stored securely. More so than any other PHI breach in recent years, this story forces healthcare organizations and medical software companies to ask who is really responsible for making sure PHI is stored in a HIPAA-compliant way.
Who’s to Blame: Software Vendor, or Healthcare Organization?
Companies that create PACS or other medical software often assume that their customer – the clinic, hospital, or healthcare system – already has safeguards in place that will be applied to their software, as well as an IT team well-versed in HIPAA who’ll know how to properly implement the software. Meanwhile, the healthcare organization assumes that the medical software they’re buying already meets HIPAA requirements. The result is a disconnect where each side assumes the other is “handling it,” without actually knowing anything about the other’s systems and processes.
When it comes to medical software and hosting, HIPAA compliance should be a shared responsibility between the vendor and the healthcare organization. There are clearly factors that need to be handled by the organization, such as:
- Strong access control and audit mechanisms
- Network segmentation and flow control governing access to software that stores PHI
- Real-time threat and vulnerability management
- A holistic risk management policy
But the onus is also on medical software developers, website developers, and hosting companies to provide a HIPAA-compliant service, as well as to work with their clients to make sure the implementation of their products follows HIPAA guidelines.
Though a healthcare organization should expect HIPAA compliance from its software vendors, it should also be putting its own protections in place. Medical Web Experts offers a number of web-based solutions to control, audit, and monitor access to PHI, such as:
- HIPAA-compliant enterprise hosting
- HIPAA-compliant file sharing, which aims to solve the HIPAA issues around sharing PHI between clinics, laboratories, providers, and patients while remaining affordable on the budget of a small practice or small lab
- Security auditing
- Custom development, including healthcare web design, medical mobile app development, and healthcare interface development, all HIPAA-compliant
To learn more about our HIPAA-compliant services, contact us online.