In early October 2017, Henry Ford Health System announced that it had been hacked and that the records of 18,470 patients had been stolen. On July 25-26, Arkansas Oral Facial Surgery Center was infiltrated by a virus that blocked the practice from being able to access images, files, and notes related to 128,000 patients. In September, Augusta University Medical Center announced that fewer than 1 percent of its patients’ records were stolen during a breach; however, this attack was the second phishing effort to work against the healthcare provider in just 5 months. These are just three of the most notable healthcare data breaches that occurred in 2017.
By midway through the year, the Department of Health and Human Services’ Office for Civil Rights (OCR) had received 233 breach reports, which suggested there would be more than the 450 that were reported during 2016. Already through July, 3.1 million electronic health records had been affected, just according to what was officially submitted to the HHS.
All of these compromised records represent money lost by each organization. Worldwide, the total average expense of a successful hack is $3.62 million. The cost per record of a healthcare breach is an almost incredible $380.
What constitutes a breach of HIPAA?
It’s probably safe to say that few people deliberately breach the HIPAA rules. Many instances of violation happen simply by accident.
“Breach” is defined in Section 164.402 as the acquisition, access, use, or disclosure of protected health information in a manner not permitted… which compromises the security or privacy of the protected health information.
Exceptions to the rule
To understand what actually constitutes a breach, it is useful to consider what doesn’t. The following exceptions do not count as breaches:
a) unintentional acquisition, access or use of protected health information in good faith, within the scope of authority.
b) inadvertent disclosure in good faith by someone who is authorized to access protected health information to another person, also authorized to access protected health information at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
c) disclosure of protected healthcare information to an unauthorized person was believed in good faith to not reasonably have been able to retain the information.
For a) and b) above, the exception only applies if the disclosure does not result in further use of disclosure in a manner that contravenes Subpart E of HIPAA.
These are exceptional situations and, when in doubt, it would be wise to still refer to the rules, as there are many caveats.
If the above rules sound too dense for you, here are some scenarios illustrating what does NOT constitute a HIPAA breach.
- A staff member accidentally views protected health information without meaning to while carrying out his or her tasks, and while acting within the scope of authority.
- An individual who is authorized to access protected health information unintentionally discloses some of it to another individual who is likewise authorized to access protected health information, such as in the case of two staff members working at the same organization.
- A staff member or business associate verbally discloses protected health information within close physical proximity to a person in a coma.
Nature of breaches
Most recent healthcare breaches occurring in 2017 were unintended. Such breaches can happen, for instance, when an email containing protected health information is sent to the wrong email address, or when there are security lapses on an organization’s server.
Here are some examples of common healthcare breaches:
- Unintended disclosure of data – Sending emails to the wrong address, sending the wrong attachment to an email recipient, and accidentally setting access to electronic information to public are just some of the mishaps that can result in a healthcare breach.
- Malware and hacking – With so much information being stored on servers, any malware or hacking can lead to data breaches.
- Malicious insider threat – People within an organization such as current and former employees, as well as third parties such as business associates and contractors, may deliberately leak data in order to inflict harm.
- Physical loss – Devices and drives containing electronic personal healthcare information can get lost, as can physical paper documents. Paper recycling bins can also lead to breaches when documents are not properly shredded.
HIPAA breach responsibility
So, you have determined that a breach has taken place. Who is to blame?
In 2013, the HIPAA/HITECH Omnibus Final Rule, which was designed to answer this question, took effect. Prior to the Omnibus Final Rule, HIPAA covered entities had to shoulder the responsibility of any breaches. Now, business associates are also required to assume some of the responsibility for protecting protected health information.
Another interesting change is that only unsecured protected health information can give rise to a breach. If information has been rendered unreadable, unusable or indecipherable, it is not unsecured.
The Omnibus Final Rule also establishes new limits on the use of information, including for marketing purposes, and requires an individual’s consent before their personal health information can be sold. It also offers more extensive patient protection, for instance by giving them the right to ask for an electronic copy of their medical records and instruct their healthcare provider not to disclose information about their treatment with the provider of their health plan.
Giving notice of a breach
When a HIPAA breach has been detected, covered entities and their business associates are obliged by law to give notice of this breach.
Remember, thanks to the Omnibus Final Rule, only unsecured information constitutes a breach. So, if you’ve used computer software to encode information and are sure it is indecipherable, you’re in luck.
For those who are not so lucky, here is a series of requirements that must be complied with once a breach has been detected:
- Notify the individual whose protected health information has been leaked. This notice must be in written form and sent either by first-class mail or, if the individual has consented to the receipt of such notices via email, by email. If there are more than ten individuals involved for whom you do not have sufficient up-to-date contact information, you must either post a notice on your website’s homepage for at least 90 days or publish the notice in major broadcast or print media. You must also provide a toll-free phone number at which the individuals in question can get in touch with you.
- Notify the media – If the breach involves more than 500 individuals residing in a particular state or jurisdiction area, you must also broadcast a notice on prominent media outlets which serve that state or jurisdiction. This must take place no more than 60 days after you have detected the breach and must contain all the information required in the notice to individuals.
- Notify the Secretary – The HHS Secretary must also be notified by submitting a completed breach report form on the HHS web site. If at least 500 individuals are involved in the breach, your notification to the Secretary must be submitted in no more than 60 days after the breach, otherwise you only need to do so on a yearly basis.
- What if you’re a business associate? – If you are not a HIPAA covered entity but the business associate of one, you must notify the HIPAA covered entity no more than 60 days after you have detected a breach. As far as possible, you should provide the identification details of the individuals whose information has been compromised in the breach, as well as any other information the HIPAA covered entity might need to provide in its notification to the individuals concerned.
Avoiding a HIPAA Breach
Given the above stories and statistics, combined with the high associated costs, every covered entity and business associate wants to do whatever they can to avoid a HIPAA data breach. Several strategies can help you in prevention:
Test yourself relentlessly and randomly.
If someone is going to compromise your system, they want to catch you off-guard. Your vulnerability and penetration testing should occur at random points. It is also often a good idea to use outside security specialists to confirm all mechanisms and protocols are in place. You want to know when any rogue applications appear and any devices need patching, but you also want to penetration test to reveal how strong your system really is (so you get to any weaknesses ahead of hackers). Vulnerability assessments can also be helpful so that you are minimizing your chance of a breach and its numerous financial ramifications.
Verify that your staff is knowledgeable on HIPAA.
In order to carry out business, a healthcare organization relies on various personnel to conduct the many different elements of its operations. These people are each possible points of exploit for social engineering, an increasingly prevalent method.
For instance, a person might call on the phone or contact you by email and claim to be a certain doctor or patient. Note that proper adherence to the HIPAA Privacy Rule provides the appropriate checks and balances to avoid any violations in these cases. What happens after an individual asks for the information in this manner will rely, in large part, on how well your staff is trained on HIPAA-compliant protocols related to patient information.
Properly manage business associate relationships.
Healthcare companies are often incredibly complex, and they typically will rely on a diverse array of outside businesses to perform the functions needed to treat patients and help them to heal. In order for all of the protected health information that you use and generate to remain secure, the business associates who perform any services for you must follow proper standards and protocols to keep it from unauthorized access. Although the business associate agreement is a dry legal document, it is essential in establishing responsibility so that all compliance concerns are clearly delineated.
Bolster end-user defenses.
There are end-user tools that allow you to cover gaps in the use of services and perform ongoing threat detection, based on recent developments in machine learning and AI. Antivirus protection is helpful by itself but also serves as a foundation for more comprehensive and robust end-point detection and response (EDR) platforms. Strong EDR technologies will continually and systematically improve the intelligence that is built into your security approach (through predictive analysis). In order to get ahead of end-user threats, it helps to look at security in the terms of personalization: thinking at the level of each user activity, device, location, etc.
Apply encryption at the local level.
Make sure that you are internally encrypting data within all the systems containing ePHI. As indicated by recent statistics, two in five healthcare providers are not properly encrypting all of the data for which they have responsibility. Since the threat landscape has become so elaborate and severe, it is necessary to review the needs for encryption. It is important to reassess requirements for encryption annually; analyses such as these are necessary under the HIPAA regulations. It is especially critical to continue to review and improve your system if a breach has ever occurred.
Review your email protections.
It is easy to simply think at the level of record storage and transfer, or simply to verify the security auditing and certification of infrastructure. Think directly at the level of the email inbox. Often healthcare email is a target for phishing and ransomware. Go beyond traditional email gateways to using ones that are specifically designed for high, HIPAA-compliant security. Beyond helping you set up a better defense for your patients or clients, these more sophisticated security mechanisms will better safeguard you against data loss.
Strengthen your network security.
By sub-networking, you can restrict access and prevent breaches within the local system. However, in order to stop electronic protected health information (ePHI) theft from the outside, you need an advanced network security stance (as provided through a SOC 1 and SOC 2 audited datacenter from a HIPAA hosting company).
When an outside entity is specifically targeting your organization, they will typically start out through tests as authorized users. When you have advanced network security implemented, your ecosystem is able to comprehend when attackers are preparing themselves to strike.
Adopt a more powerful logging and analytics design.
If you want to study and grasp the nature of all the data that is streaming through a healthcare setting, it helps to leverage data intelligence, log analytics, and security information and event management (SIEM). In 2018, it is possible for these systems to detect irregularities in patterns through assessment of the log – in turn pointing to areas of security weakness. One thing to remember is that it is critical to have solid forensics, and that will ultimately be determined by the accuracy and sophistication of your log analysis.
Consider voicemail, text messaging, videoconferencing, and faxing.
It is easy not to include certain aspects of your business under the scope of HIPAA, especially since core IT needs are such an immediate point of focus. Voicemail and text messages can be problematic when patients send you ePHI. Your telecommunications provider should sign a business associate agreement confirming their commitment to HIPAA compliance. You want a business associate agreement spelling out all parameters and expectations of your video conferencing provider as well. HIPAA-compliant cloud-based systems can be used for document transfer, offering better security over the traditional practice of faxing.
Why Use HIPAA-Compliant Cloud Storage?
The best HIPAA-compliant cloud storage is within an infrastructure that encrypts all at-rest data across-the-board, avoiding the costs of data breaches by meeting standards and proving adherence through third-party certifications.
Settlements for the violation of healthcare privacy and security laws outlined within the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were at an all-time high in 2016. A total of $22.9 million was submitted to the HIPAA enforcement agency, the Office for Civil Rights (OCR) of the federal Health and Human Services Department (HHS). The largest settlement ever under the HIPAA law, $5.55 million, was announced in August. There were 6 fines in 2016 that were $2.14 million or more. This trend continued in the new year, with a $5.5 million fine, nearly reaching the record settlement, announced in February 2017.
As you can see, HIPAA compliance is a multi-million-dollar proposition – and it is not just the fines. When you calculate in reputational, legal, operational, and other expenses, the cost is an average $700 per healthcare data record breached. If 5,000 records are compromised, the expense to a company will typically be about $3.5 million.
Your HIPAA compliance partner
Are you in need of a HIPAA compliant solution for your organization, to protect the data of your own patients or those of clients? At Atlantic.Net, our HIPAA Compliant Hosting is SOC 1 & SOC 2 certified and HIPAA audited, painstakingly designed to secure critical data and records. See our HIPAA server hosting plans.