The federal government continues to make one fact very, very clear: they do not take HIPAA violations lightly.
So far this year, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which enforces HIPAA rules and tracks health information data breaches, has settled nine HIPAA violation agreements with health care organizations. That’s only five shy of its record-setting 13 settlements last year, with both figures topping 2015’s count of seven.
A deeper dive into the numbers reveals a troubling trend: a growing share of PHI breaches stem from hacking or other “IT incidents.” In 2016, 93 of the 286 PHI breaches (33 percent) were related to hacking. In 2017, 76 of the 178 breaches reported so far (43 percent) involved hacking.
A joint Vormetric/451 Research survey of 1,100 senior IT security executives at more than 100 U.S. healthcare organizations on cyber threats also revealed frightening numbers. Sixty-three percent of executives said they had experienced a data breach, with one in five reporting a breach in the last year. Almost everyone surveyed (96%) said they felt vulnerable to data breaches.
That cybercriminals have a growing interest in health care organizations should come as no surprise. After all, there’s all that patient personal information just sitting there, waiting to be swiped and resold on the black market. Or, as recent headlines have shown, there are hospital officials willing to cough up a considerable sum to free their network from the clutches of ransomware. Both these scenarios flash dollar signs to an industrious bad actor.
It’s this increased interest that undoubtedly triggered this recent OCR reminder to health care organizations, driving home the importance of security awareness, and specifically awareness of phishing scams:
“Training on data security for workforce members is not only essential for protecting an organization against cyber attacks, it is also required by the HIPAA Security Rule.”
I’m thrilled to see the OCR taking such a strong stance. It’s a clear response to the headlines we’ve seen in the last year about hospitals, both large and small, being gripped by ransomware.
The HIPAA Security Rule does suggest that an employee awareness program should cover malware protection, employee login monitoring and password best practices. This is a great start, but it’s no place to stop. Health care organizations cannot afford to only follow the letter of the law here.
When PHI is at stake, employees with access to this sensitive data need to know more than the core HIPAA best practices to keep that data safe. PHI is not just lines of letters and numbers on a spreadsheet. It represents the well-being of real, live people, and the well-being of any organization that is entrusted with it.
Lives hang in the balance when malware finds its way into a hospital network and wrenches control away from doctors and nurses. Breaches of PHI can be just as impactful. Researchers with Verizon Enterprises report that patients will sometimes withhold medical information from their physicians for fear of exposing it to a breach.
Mere compliance with the letter of the law does not equate to a fully security-aware culture. In our experience, organizations of all types are best served when their whole employee population is exposed to a comprehensive security awareness program covering a wide variety of topics.
Such a program should also allow an organization to figure out what sort of education is needed, deploy it in the most efficient way possible, and make available training reinforcement materials, such as posters and games, as needed.
I can’t say that every breach could have been prevented with a robust security awareness program in place. Bad people will always find a way to do bad things.
But I don’t think it’s too much of a stretch to say that HIPAA training combined with expanded security awareness content can reduce the chances of a costly PHI data breach. Members of an organization with a strong security-aware culture will be better positioned to understand these stakes and act appropriately to protect this data. The more security-aware doctors, nurses and other health care employees are, the better off patients will be.
About the Author: Steve Conrad is a founder of MediaPro and has worked to produce hundreds of innovative and high-quality information security, privacy, and corporate compliance initiatives for a variety of industries. Steve has a BA in Finance from Central Washington University, and his past experience includes various management and leadership roles at Oracle and Electronic Data Systems (EDS).
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.