By Jennifer Stoop, Associate Product Manager, HealthStream
One per day. This was the average number of breach incidents in 2016. Last year, the Department of Health and Human Services (HHS) set a new record for HIPAA enforcement. Over $20 million in fines for HIPAA violations were collected from 15 enforcement actions that had associated monetary penalties. Fines per entity have also increased significantly, from $85,000 in recent years to $2 million in 2016. Topping the list of reasons for HIPAA enforcement actions were stolen unencrypted portable devices containing PHI and inadequate Business Associate Agreements.
Ransomware also plagues the healthcare industry, so much so that in August 2016 the Office for Civil Rights (OCR) released guidance that all ransomware attacks should be considered a breach. Ransomware is a type of malware that locks computer systems to prevent access to data until a ransom is paid, often in Bitcoin. The statistics are alarming. From April 2015 to April 2016, more than half of the nation's hospitals were hit by ransomware. Twenty-seven million records were stolen in 450 reported data breaches, 26.8 percent of which were caused by ransomware, hacking or malware.
There are more than 4,000 ransomware attacks daily, and healthcare is the largest target. Why is that? For starters, hospitals maintain patient data, such as Social Security numbers, home addresses, bank account information, and medical information, all of which are highly valuable to hackers. Hospitals also don't typically focus on security awareness, making them an easy target. Most recently, the ransomware "WannaCry" infected more than 200,000 computers across 150 countries, including the healthcare industry. Ambulances had to be rerouted, patients were treated without their medical records, and treatments for some had to be delayed. Ransomware has turned cybersecurity into a life or death issue.
So far this year, we are seeing a shift in the cause of breach incidents. According to the Protenus Breach Barometer, hacking was the number one cause of breach incidents in January 2017. Then there was a shift in February and March, when we saw insiders responsible for the majority of the breaches—58 percent in February and 44 percent in March.
According to a recent MediaPRO survey, only 28 percent of healthcare employees demonstrated the privacy and security awareness to prevent incidents that could lead to a breach. Of the 850 healthcare employees surveyed, 72 percent were a security risk or novice, demonstrating a clear need for better training.
What can you do to mitigate your risk of a breach and keep your organization's name out of the headlines?
This year is shaping up to be bigger than 2016 in terms of enforcement actions and penalties. In the first two months of 2017 alone, fines were more than half of what they were for the entire year of 2016. There have been four enforcement actions with penalties totaling more than $11 million. In April, we saw three settlements in just a two-week period, ranging from $31,000 for a small physician practice to $2.5 million for a wireless health services provider. With on-site audits expected to pick up when desk audits are completed, and ransomware attacks expected to increase this year, healthcare organizations need to be vigilant.