Ransomware, Breaches, Enforcement Actions…Preventive Best Practices
May 23, 2017
By Jennifer Stoop, Associate Product Manager, HealthStream
One per day. This was the average number of breach incidents in 2016. Last year, the Department of Health and Human Services (HHS) set a new record for HIPAA enforcement. Over $20 million in fines for HIPAA violations were collected from 15 enforcement actions that had associated monetary penalties. Fines per entity have also increased significantly, from $85,000 in recent years to $2 million in 2016. Topping the list of reasons for HIPAA enforcement actions was stolen unencrypted portable devices containing PHI and inadequate Business Associate Agreements.
Ransomware also plagues the healthcare industry, so much so that in August 2016 the Office for Civil Rights (OCR) released guidance that all ransomware attacks should be considered a breach. Ransomware is a type of malware that locks computer systems to prevent the access of data until a ransom is paid, often in Bitcoin. The statistics are alarming. From April 2015 to April 2016, more than half of the nation's hospitals were hit by ransomware. Twenty-seven million records were stolen in 450 reported data breaches, 26.8 percent of which were caused by ransomware, hacking or malware.
There are more than 4,000 ransomware attacks daily, and healthcare is the largest target. Why is that? For starters, hospitals maintain patient data, such as Social Security numbers, home addresses, bank account information, and medical information, all of which are highly valuable to hackers. Hospitals also don't typically focus on security awareness, making them an easy target. Most recently, the ransomware "WannaCry" infected more than 200,000 computers across 150 countries, including the healthcare industry. Ambulances had to be rerouted, patients were treated without their medical records, and treatments for some had to be delayed. Ransomware has turned cybersecurity into a life or death issue.
So far this year, we are seeing a shift in the cause of breach incidents. According to the Protenus Breach Barometer, hacking was the number one cause of breach incidents in January 2017. Then there was a shift in February and March, when we saw insiders responsible for the majority of the breaches—58 percent in February and 44 percent in March.
According to a recent MediaPRO survey, only 28 percent of healthcare employees demonstrated the privacy and security awareness to prevent incidents that could lead to a breach. Of the 850 healthcare employees surveyed, 72 percent were a security risk or novice, demonstrating a clear need for better training.
What can you do to mitigate your risk of a breach and keep your organization's name out of the headlines?
- Perform a security risk assessment. Utilize the results to take action and implement measures that will protect your organization.
- Audit your policies and procedures. These need to constantly evolve based on regulatory changes, results of your own self audits, and any incidents that may have occurred.
- Check your Business Associate Agreements (BAAs) and make sure they're up to snuff. Don't share patient information without a signed BAA in place.
- Start reviewing resolution agreements from organizations who have had a breach, especially if they were issued a Corrective Action Plan (CAP) by the OIG. There are lessons to be learned within these agreements, including what caused the organization's breach and what they need to do to resolve it. You can find them here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/.
- Training, training, training. An effective compliance training program that resonates with employees and changes their behavior is key to preventing breach incidents. "Check-the-box training" isn't enough. You should include security awareness training to help protect your facility from ransomware and other cybersecurity threats.
This year is shaping up to be bigger than 2016 in terms of enforcement actions and penalties. In the first two months of 2017 alone, fines were more than half of what they were for the entire year of 2016. There have been four enforcement actions with penalties totaling more than $11 million. In April, we saw three settlements in just a two week period, ranging from $31,000 for a small physician practice to $2.5 million for a wireless health services provider. With on-site audits expected to pick up when desk audits are completed, and ransomware attacks expected to increase this year, healthcare organizations need to be vigilant.
Learn more about HCCS online compliance training courses, including HIPAA Compliance and Security Awareness in the Healthcare Setting.