2020 has been a transformative year for the healthcare industry. COVID-19 underscored how essential, and how fragile, our medical infrastructure is, and it changed where we work and how we interact with one another.
To protect our physical health, we moved to remote workforces; stood up telehealth services, thermal scanners and COVID-19 contact-tracing technology; and shifted to more digital engagement and deeper reliance on third-party vendors, all while racing for a vaccine. What came with it was an increase in risk to the health of our data.
The attack surface of medical, research and healthcare institutions has been hit hard by attackers who recognize the value of the information stored and transmitted there. Bad actors have also learned to exploit weaknesses specific to healthcare: many medical devices sit on unsecured networks; devices often run outdated software because upgrades are expensive and infrequent; and staff need instant access to patient data, so in a life-or-death situation a workstation may be left logged in, leaving records exposed to an attacker already waiting on the network.
RECENT HEALTHCARE DATA BREACHES
| ORGANIZATION | BREACH SUBMISSION DATE TO OCR (HHS Office for Civil Rights) | BREACH |
|---|---|---|
| | Sept. 27, 2020 | Ransomware. US care sites and hospitals were affected: outages to computer systems, phone services, the internet and data centers, with diverted ambulances, delayed lab results and system shutdowns. |
| | | Ransomware. 12,861 patients' protected health information (PHI) has potentially been compromised. |
| | | Phishing attack. |
| | | Hacked/cyber attack. 5,600 records; network server breached. |
| University of Missouri Health Care | | Phishing attack. Compromised data of approximately 180,000 patients contained in the affected accounts, including names, dates of birth, medical record or patient account numbers, health insurance information, and/or limited clinical or treatment data such as diagnostics, prescriptions and procedure information, and some Social Security numbers (SSNs). |
| | | Phishing attack. Unauthorized access to the data of 5,226 patients, including names, dates of birth (DOB), financial account information and credit and debit card information. |
| Nuvance | | Third-party vendor breach. Blackbaud, which provides customer management and financial services to Nuvance, was breached. Unauthorized access to potentially 314,829 names, contact information, ages, gender, dates of birth (DOB), admission dates, departments of treatment, treating physicians and health insurance statuses. |
| The University of Tennessee Medical Center | | Ransomware attack on third-party software vendor Blackbaud. Potentially 235,000 patient names, contact details and demographic data may have been accessed. |
| Joslin Diabetes Center | | Ransomware attack on third-party fundraising and donor-relations vendor Blackbaud. May have impacted 71,160 names, dates of birth, treatment dates, treatment locations and physician names. |
Note that three of the entries above trace back to a single ransomware incident at one vendor, Blackbaud. A covered entity's breach exposure is not limited to its own network; it includes every business associate that holds its patient data.
REASONABLE SECURITY
As much as these institutions try to practice reasonable and appropriate cyber hygiene in a constantly changing environment, it is a monumental effort just to keep systems current and operational, and security sometimes becomes an afterthought. Deciding how to prioritize security investments is the first step toward a reasonable security strategy. How do you define reasonable security for your organization?
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Meaningful Use program require that organizations implement security controls that are "reasonable and appropriate" for their size, complexity and risk. Rather than prescribe a fixed checklist, the Security Rule's risk analysis and risk management implementation specifications (45 CFR 164.308(a)(1)(ii)(A) and (B)) instruct each organization to (1) select its security controls based on a risk assessment, and (2) monitor the effectiveness of those controls through ongoing risk management.
Your risk assessment should guide you in balancing your organization's mission (what your business does), objectives (your business goals) and obligations (the care you owe to patients, partners and the public). In other words, the risk assessment is how you define your duty of care and establish what level of risk is acceptable, and it is the documented evidence you produce when a regulator asks why a control was or was not implemented.
In an age of social distancing and increased digital exposure, take care: that is your duty of care. We can help.

Additional Resources
HIPAA & Penetration Testing & Incident Response Plans
Frequently Asked Questions (FAQs)
What is HIPAA compliance?
HIPAA compliance is the process of following the procedures required by the Health Insurance Portability and Accountability Act, the law that established the current standards for protecting patients' sensitive health-related data. The goal is to ensure that healthcare organizations take reasonable and appropriate measures to secure this information and prevent data breaches.
What is a HIPAA-covered entity?
The entities required to adhere to HIPAA standards (covered entities) are healthcare providers that transmit health information electronically, health plans and healthcare clearinghouses. Since the HITECH Act, business associates, meaning vendors that create, receive, maintain or transmit PHI on a covered entity's behalf (such as the fundraising vendor in the breaches listed above), are directly obligated to comply with the Security Rule as well. All of these entities are entrusted with patients' personal information, including Social Security numbers (SSNs), bank account details and medical histories, and any organization in these categories can benefit from HIPAA compliance solutions.
What are HIPAA violations?
There are many ways a HIPAA-covered entity can fail to comply with the regulations. Examples include transmitting patient data without adequate encryption, disclosing patient information to unauthorized parties, and failing to implement the safeguards, risk analysis and breach-notification procedures the rules require, so that a cyberattack exposes data that should have been protected. The scope of potential violations and the severity of the penalties make it all the more important that businesses enlist the help of HALOCK as their HIPAA consultant.
Are there any new HIPAA requirements we should be aware of?
If your organization is responsible for HIPAA compliance, you may have another incentive to begin regular penetration testing: on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA. Learn more in this HIPAA article.
Where can I find a guide to HIPAA Acronyms?
Read a glossary of HIPAA and healthcare acronyms.
What are the top threats facing the healthcare industry?
Top Cyber Threats in Healthcare
Review Your Risk and Security Profile.

