by Arianna Etemadieh
Hacking and human error: Two enemies of HIPAA compliance
Written by Adnan Raja, Vice President of Marketing for Atlantic.Net
Healthcare firms, like companies in any industry, were rapidly approaching their tax deadlines. But for covered entities (healthcare providers, health plans, and healthcare clearinghouses) another federal deadline was coming even faster: March 1, 2018, the date by which any smaller data breaches discovered in 2017 had to be reported to the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). Getting that breach information to the OCR on time was necessary to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
With larger breaches (anything involving 500 or more individuals' records), covered entities have to act quickly: without unreasonable delay, and no later than 60 days after the breach is discovered. When a breach compromises the protected health information (PHI) of fewer than 500 individuals, the deadline for reporting it to the agency is instead 60 days after the end of the calendar year in which it was discovered, which for 2017 breaches fell on March 1, 2018.
If your organization experienced a breach, you can report it to the OCR via the HHS Breach Notification Portal. Note that business associates (BAs; e.g., PHI-handling healthcare hosting companies, shredding services, accountants, etc.) do not have to worry about this particular deadline, because the regulations direct them to report compromises to the relevant covered entity (itself no later than 60 days after discovery), which then notifies the OCR. The exception is where the applicable business associate agreement makes the BA responsible for breach notification, as law firm Davis Wright Tremaine LLP points out.
For many healthcare organizations, HIPAA is fundamentally important but also fundamentally stressful, since no one wants to end up on the HHS's public breach portal, the so-called Wall of Shame. Avoiding violations and fines is not just about knowing the law; it also means understanding why these incidents occur, so you can learn from common mistakes and the general threat landscape. This article explores the two top reasons breaches occur: human error and hacking.
HIPAA compliance threat #1 – human error
A report from specialist insurer Beazley assessed healthcare breaches from January through September 2017 and found that 2 in 5 data breaches (41%) were due to unintended disclosure. That is more than twice the share of the second leading cause, hacking and malware, which accounted for 1 in 5 exposures (19%). The other causes were insider wrongdoing (15%), physical loss (8%), portable devices (6%), and social engineering (3%). Note that this data covers only incidents that Beazley's own clients reported to the insurer, so it is a sample rather than a census of all healthcare breaches.
The researchers behind the report noted that the most common forms of human error were servers or systems holding healthcare data accidentally left publicly accessible, discharge paperwork handed to the wrong patient, and emails (even encrypted ones) sent to an unintended recipient.
Beazley is adamant that organizations need to pay greater attention to unintended disclosure if they want to avoid HHS penalties and fines, along with the many other costs of a typical data breach (breach notification, legal fees, and so on). After all, insider error is far simpler to address, control, and prevent than a deliberate hacking effort by a cybercriminal: you cannot train an attacker not to hack you, but you can train your staff to be more careful about these kinds of mistakes.
“We urge organizations not to ignore this significant risk,” noted the Beazley report.
As suggested above, anyone at your organization who interacts with patient records should receive training so that unintended disclosure is less likely. That means training for receptionists, human resources specialists, security and network personnel, researchers, and practitioners such as doctors and nurses, among others.
To get everyone trained properly, think in terms of what different roles need to understand about the law, but also be aware that there are HIPAA fundamentals everyone should understand.
The basic information that you should include in general HIPAA training is highlighted by security and compliance training firm Infosec Institute:
- Overview of HIPAA – what it is and why it is important to your organization
- Reporting protocol related to compliance – an understanding that breaches need to be reported to the company’s HIPAA security and/or privacy officer (which might be the same person)
- Rights of the patient – related to the privacy and security of their health records
- Internal documentation – an overview of your organization’s security and privacy policies.
HIPAA compliance threat #2 – hacking
The number of breaches reported to the HHS in 2017 was not a huge rise over 2016, up just 5.5% (from 327 to 345). Breaches reported to the OCR that involved hacking, however, rose more steeply, from 113 to 142, an increase of roughly 25%.
In January, infosecurity firm Cryptonite released an analysis called the "2017 Healthcare Cyber Research Report" detailing cyberattacks against the healthcare industry. Its findings on the rise in these incidents were startling and are a sign of how much cybercrime has been expanding in recent years. The report notes that cybercriminals have persistently attempted to access networks and, in turn, electronic PHI (ePHI) using a wide variety of approaches. By Cryptonite's count, 140 breaches reported to the HHS were described as hacking or IT incidents, a jump of nearly a quarter (24%) over the 2016 figure of 113.
Attacks were conducted in numerous ways, but there were clear trends. Most notably, ransomware skyrocketed, with this type of IT breach increasing nearly 90% year-over-year (from 19 reported incidents in 2016 to 36 in 2017). That means ransomware accounted for roughly one in four of the attacks credited to hacking or IT incidents in breach notifications to the HHS over the year. In fact, ransomware was behind 2017's six largest hacks.
In 2016, 13.4 million records were breached. In 2017, the number of compromised records was substantially lower, at 3.4 million. The reason was a shift toward attacking a wider range of smaller organizations. Before 2017, hackers were more likely to go after "whale" targets: Anthem (79 million records) and Premera Blue Cross (11 million) were breached in 2015, and Banner Health (4 million) and Newkirk Products (3 million) in 2016.
Today cybercriminals can set their sights on a broad swath of small healthcare entities, such as doctors' offices, MRI/CT scan providers, diagnostic labs, and surgery centers. This shift toward smaller organizations is driven by the increasing sophistication of ransomware, which lets attackers hit these entities for less money and in less time than before. According to the Cryptonite press release on its report, "This is the beginning of a trend that will increase very substantially in 2018 and 2019."
In the same way that training helps prevent human error, working with HIPAA-compliant hosting services and other partners makes ransomware and other forms of hacking less likely. Bear in mind, though, that a business associate agreement allocates responsibilities; it does not remove the covered entity's own Security Rule obligations to assess risk, control access to ePHI, and maintain backups that allow recovery from ransomware without paying, and OCR guidance treats ransomware that encrypts ePHI as a presumed breach unless you can show otherwise.
The March 1 deadline for small-breach notifications prompted us to evaluate the top reasons HIPAA breaches occur. With unintended disclosure so common, healthcare security is not just about avoiding cybercrime but about training your staff. Hackers remain a threat, though, and increasingly to smaller organizations, so be certain that all your business associates are as dedicated to HIPAA compliance as you are.