The medical cannabis industry has rapidly moved from the fringes into the mainstream. With its popularity growing as a viable and acceptable medical treatment, this highly regulated industry is also highly profitable. Combined with legalized recreational marijuana, which exists in some states, cannabis sales are experiencing a 14% year-over-year growth rate. Forecasters believe that the industry will be worth $30 billion within the next 5 years.
However, every profitable industry in this day and age faces a common enemy in cybercriminals. In fact, the more lucrative an organization, the more vulnerable it is to cybercrime and security breaches. Legalized cannabis organizations keep vast amounts of personal data and information. Every business is required to comply with all cybersecurity and data privacy laws, but coupled with the cannabis industry’s mandatory retention requirements, the issue becomes more complex.
HIPAA Regulations & Considerations
In the medical marijuana arena, the data collection involves medical recommendations. Those recommendations include medical diagnoses from physicians and related patient health data. All of that information is protected under the Health Insurance Portability and Accountability Act (HIPAA) as it is considered protected health information (PHI).
If a health care provider wants to share medical information with a cannabis provider, that provider will be asked to sign a Business Associate Agreement (BAA), required for HIPAA compliance.
Signing a BAA, which may be required to do business with referring physicians, can dramatically increase possible liability for cannabis sellers. It places them directly under the regulatory oversight of HIPAA and the Office for Civil Rights (OCR).
Cyber Criminals Have Taken Notice
Aside from HIPAA regulations, the personal health information which is collected is an exceptionally tempting target for cybercriminals and hackers. Health care as a whole is known to be one of the top targets for data breaches, and cannabis providers are no exception. Ransomware attacks are increasing rapidly and providers must protect their data with aggressive security measures.
In addition to PHI, the law requires that employee records of the cannabis provider are also maintained, which may include background checks, financial information, and Social Security numbers. As with any industry, data to drive sales and marketing is stored as well, adding yet another target-rich environment for hackers.
The Threat is Real
Recently, a database supporting a point-of-sale system for medical marijuana dispensaries was breached. The attack impacted an estimated 30,000 individuals. Three and a half years ago, Nevada’s Medical Marijuana Program database was targeted, resulting in a breach of sensitive data including names, Social Security numbers, race, and addresses; 11,000 patients were affected.
Shortly after that event, operations at over 1,000 dispensaries across 23 states were interrupted when their software company experienced an attack. Unfortunately, cyber attack incidents are on the rise, and the cost of those attacks is rising as well. Across all industries, the average total cost of a data breach in 2019 was $4 million, a loss many businesses would struggle to recover from.
But revenue loss is just the beginning. A data breach almost always results in a loss of customer trust, and the future financial repercussions of lost business can be even worse than the breach itself. In addition, businesses may face regulatory fines and oversight which could severely impact them. Between standard privacy laws and HIPAA considerations, medical cannabis providers (and recommending physicians) would be remiss not to address data security issues. The medical cannabis industry has multiple issues: sensitive data, regulatory oversight and mandatory data storage. Those who tackle those issues head-on are best positioned to thrive as medical marijuana settles into place as a mainstream treatment option.
Dr. Daniel P. Stein is a Sarasota neurologist and one of the country’s leading authorities on medical cannabis. He understands these sensitive issues and considers patient confidentiality one of the most important factors in establishing a therapeutic relationship. Call today for your consultation.