A new report shows only half of healthcare providers are meeting NIST Standards, Premera Blue Cross pays a hefty fine to the Office of Civil Rights, and more details on October’s Paubox [email protected] Home virtual conference. It’s free to join the conference.
Olena Hue: Welcome to another edition of the HIPAA Critical Podcast. I’m your host Olena Hue and joining me this week, marketing manager of Paubox, Sierra Reed.
Sierra Reed: Hi, Olena, I’m happy to be here. Happy Wednesday!
Olena: Happy Wednesday, and always a pleasure to have you!
Now coming up on the show, simple security is not enough. Healthcare providers need to step up when it comes to cybersecurity standards; we’re going to talk about that. Nearly $7 million was paid due to a recent HIPAA violation by Premera Blue Cross. Paubox SECURE @ Home is coming up later next month.
But first, what’s in the news?
Sierra: Thanks, Olena.
According to a new report that analyzed 300 healthcare providers’ assessments against the NIST cybersecurity framework, data shows that despite increased healthcare data breaches, cybersecurity progress in healthcare is declining.
Currently, only half of the healthcare providers meet cybersecurity standards. Some examples of companies examined in this report include physician practices, accountable care organizations, and business associates.
Olena: What would you say is one of the concerning factors of this report?
Sierra: What’s troubling is that there has been no progress in this conformance.
So far this year, there’s been a record number of phishing and DDoS cyberattacks, and combined with COVID-19, these issues will only continue to worsen.
Something to note is that there has also been an increase in phishing and business email schemes disguised as supply chain emails for personal protective equipment (PPE). That is a good thing to be on the lookout for.
Olena: Interesting. Can you elaborate on the key findings and how they can improve upon the situation?
Sierra: Key findings of the report point out that organization and budget do not equal better security performance.
Actually, in some cases, larger organizations performed worse than smaller provider organizations.
Assisted living facilities best conformed with the NIST CSF at 96% in 2019, followed by insurance at 59%.
Physician groups are the least likely to conform with NIST standards at 28% this year.
Some more key takeaways of the report include healthcare focus on information security has increased over the last 15 years, but the investment is still lagging.
Furthermore, investing in security isn’t enough these days. Security leaders must identify priorities, invest in multi-factor authentication, privilege access management, and ongoing workforce security training is very important.
Olena: All right.
As mentioned in the intro, we’ve got another breach that cost nearly $7 million. What can you tell us about that?
Sierra: Premera Blue Cross has agreed to pay $6.85 million to the Office for Civil Rights. The company also agreed to implement a corrective action plan to settle violations of HIPAA privacy and security rules.
This is related to a breach affecting 2.4 million people’s PHI. This resolution is the second-largest payment to resolve a HIPAA investigation in OCR history.
To give you some background here, Premera operates in Washington and Alaska and is the most extensive health plan in the Pacific Northwest.
The cyber attackers gained access through the Premera IT system.
Olena: Interesting. Do they know how the hackers gained that access?
Sierra: They sure do. Hackers used a phishing email to install malware that gave them access to the IT system.
Believe it or not, this went undetected for nine months, which is crazy.
The OCR investigation found systemic non-compliance with the HIPAA rules.
Olena: What would you say are the key takeaways here? What should people do?
Sierra: If healthcare insurance entities don’t have time to invest and put forth the effort to figure out their security vulnerabilities, hackers most definitely will exploit that.
Olena: Well, thank you so much, Sierra. That’s great.
Now, what else can you tell us today? Perhaps something that’s coming up… Paubox SECURE @ Home?
Sierra: Yes! This is a large event for us.
It’s our virtual healthcare, cybersecurity, and innovation conference. It’s fast approaching and will take place on October 21 and 22. It’s a two-day event.
Olena: What’s the cost of the conference, and how can people get more information?
Sierra: We have a free ticket that can be found at PauboxSECURE.com. Because we have a free ticket, there’s no reason that folks should not attend.
To gain a full list of speakers and information, please visit our PauboxSECURE.com.
Olena: Great, and again, that website is PauboxSECURE.com. So be sure to register; it’s free!
Any other updates to share?
Sierra: The Office of the National Coordinator, in collaboration with the Office of Civil Rights, recently released an update to the Department of Health and Human Services security risk assessment tool, which is exciting.
For those who don’t know, this tool was specifically designed to support small and medium-sized healthcare providers to ensure HIPAA compliance.
This is a downloadable SRA tool to support healthcare entities with the risk assessment process specifically.
It can also inform the provider organization’s development of mitigation plans and to review all electronic devices that interact with PHI.
Under HIPAA, for those of you who don’t know, covered entities and their business associates are required to perform a risk assessment to assess compliance with HIPAA safeguards.
Olena: What would you say are the key takeaways right here?
Sierra: Risk assessments and analysis are very crucial to any resilient healthcare information security program.
What we’ve talked about a lack of risk assessments can prove very costly.
For example, the Texas Health and Human Services Commission paid a penalty of $1.3 million in 2019, while Touchdown Medical Imaging settled with OCR for $3 million.
These are both great examples of failing to conduct a risk analysis.
Olena: Crazy. All right, well, thank you. A lot of information could be saved and some money too.
Now, as we always do, we highlight failures to report, and it’s time to highlight who’s failing this week.
Sierra: We’ve had many failures in this episode, and we spoke about them, but to add to the list, Athens Orthopedic has to pay the OCR $1.5 million over non-compliance.
This stems from the notorious hacking group, The Dark Overlord, hacking into their data and posting patient data online. This group stole the data of more than 655,000 patients, which is a considerable amount.
The motivation for The Dark Overlord is to hack into targeted networks to then sell access on the dark web or extort for financial gains.
Olena: What kinds of things did they find after discovering this failure?
Sierra: When the OCR conducted the audit after the attack, they found a list of grievances.
Some of these include failing to conduct a risk analysis, which we spoke of before, implementing risk assessment and audit controls, and the requirement to implement security measures to reasonably reduce risks and vulnerabilities.
If this wasn’t enough, the clinic did not maintain HIPAA policies and procedures, nor did they secure a business associate agreement. The list goes on and on here.
A key takeaway here is that all healthcare organizations need to ensure that they remain HIPAA compliant, so they don’t end up on this list.
Olena: Good to know and also to do some assessments to assess the risk.
Well, thank you so much.
Of course, if you would like more information, you can always log on to our website, which is Paubox.com. There you’ll find great resources, blogs, and of course, this podcast where you can listen and like as you take part.
Until next time, thank you for tuning in.
Sierra: Thanks so much, Olena.