In January 2024, the healthcare industry experienced a significant number of breaches, impacting the privacy and security of millions of patients. According to the OCR breach portal, 59 incidents were reported, affecting a staggering 8,799,300 patients.
Hacking incidents: The leading cause of breaches
Hacking incidents accounted for the majority of breaches in January 2024, with 46 reported cases. These incidents affected 8,687,089 patients, making up 98.72% of all patients affected during the month.
Given that hacking incidents continue to be the leading cause of healthcare breaches, organizations must take proactive measures to minimize the risk of being targeted. Here are some recommended strategies:
Security risk assessments and remediation
Conducting regular security risk assessments helps organizations prepare themselves against potential threats by identifying areas that need improvement. Once the assessments are completed, organizations should create remediation plans to address any identified deficiencies.
Employee cybersecurity training
Providing employees cybersecurity training is necessary to improve an organization's overall security posture. Employees should be trained on recognizing phishing attempts and what steps to take if they suspect an incident has occurred.
Read also: Cyberattacks on the healthcare sector
Unauthorized access or disclosure incidents
In January 2024, there were 11 reported incidents of unauthorized access or disclosure, affecting a total of 77,088 patients.
Unauthorized access or disclosure incidents can occur due to inappropriate employee access or unauthorized access by another entity. To prevent such incidents, organizations should consider the following measures:
Policies and procedures and employee training
Policies and procedures guide employees on what is considered appropriate access and disclosure of protected health information (PHI). Training employees on these policies and procedures is important to ensure they are aware of their obligations.
User authentication, access controls, and audit controls
Implementing user authentication, access controls, and audit controls can help organizations adhere to the minimum necessary standard required by HIPAA. User authentication ensures that each employee has unique login credentials, while access controls enable administrators to designate different levels of access to PHI based on these credentials. Audit controls track access to data, ensuring that PHI is accessed appropriately by each employee.
Read more: What are the permitted uses and disclosures of PHI?
Loss and theft incidents
While hacking and unauthorized access or disclosure incidents make up the majority of breaches, there were also a few incidents of loss and theft reported in January 2024. One healthcare provider reported an incident of theft, affecting 34,016 patients, while another healthcare provider reported an incident of loss, impacting 1,107 patients. Although the number of affected patients in these incidents was relatively low compared to the total number of patients affected during the month, organizations should still take steps to prevent such incidents.
Preventing HIPAA breaches
To protect the privacy and security of patient data, organizations must prioritize HIPAA compliance and take proactive measures to prevent breaches. By implementing the following strategies, organizations can reduce the risk of breaches and protect patient information:
Regular security risk assessments
Conducting regular security risk assessments is necessary for identifying vulnerabilities and weaknesses in an organization's security practices. These assessments help organizations understand their risk profile and develop targeted remediation plans to address identified issues.
Employee training
Comprehensive training programs should be implemented to educate employees about best practices for safeguarding sensitive information. This includes training on recognizing and reporting potential security incidents, such as phishing attempts or unauthorized access.
Strong access controls
Implementing strong access controls is key to limiting access to sensitive data to only those who need it to perform their job responsibilities. User authentication, access controls, and audit controls should be in place to ensure that employees have appropriate access levels and that access to PHI is tracked and monitored.
Physical security measures
In addition to digital security, organizations should also implement physical security measures to protect patient data. This may include secure storage of physical records, restricted access to data storage areas, and proper disposal of sensitive information.
Incident response planning
Having an incident response plan in place can minimize the impact of a breach should one occur. This plan should outline the steps to be taken in the event of a breach, including notifying affected individuals, regulatory agencies, and implementing remediation measures.
Ongoing monitoring and auditing
Regular monitoring and auditing of systems and processes assist in identifying and addressing potential vulnerabilities. This includes reviewing access logs, conducting penetration testing, and staying up to date with the latest security best practices.
Encryption and secure communication
Implementing encryption and secure communication protocols can help protect patient data during transmission. This includes using secure email services that meet HIPAA compliance standards and encrypting stored data to prevent unauthorized access.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
Are loss and theft incidents common in healthcare breaches?
While loss and theft incidents are less common than hacking and unauthorized access or disclosure incidents, organizations should still take steps to prevent them by implementing physical security measures and proper data disposal protocols.
What constitutes a healthcare breach?
A healthcare breach involves the unauthorized use or disclosure of protected health information (PHI), compromising its security or privacy. This includes incidents such as unauthorized access to medical records, sharing PHI with unauthorized individuals, loss or theft of devices containing PHI, hacking incidents compromising PHI security, or improper disposal of PHI.
How can you identify a healthcare breach?
Identifying a healthcare breach involves recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Monitoring access logs, conducting regular security assessments, and promptly investigating any suspicious incidents are steps in identifying potential breaches.
Are healthcare organizations liable for breaches caused by their business associates?
Yes, covered entities can be held liable for healthcare breaches caused by their business associates if the business associate was acting within the scope of their agreement with the covered entity at the time of the breach.
What is the HIPAA breach notification rule?
The HIPAA breach notification rule makes it mandatory for healthcare providers to report all data breaches of unsecured protected health information (PHI).
Farah Amod
