The US government recently began investigating smaller healthcare cybersecurity breaches. Here's what it could mean for your business and how you can protect your company.
Small businesses handling health information, beware: As of August, the US Office for Civil Rights (OCR) is investigating smaller security breaches for potential HIPAA violations, and could leave your company subject to large fines.
In the past, OCR investigated all reported breaches involving the protected health information (PHI) of 500 or more individuals. But now, regional OCR offices will look more closely into the causes of security incidents affecting fewer than 500 people.
Large hospitals or healthcare organizations are already vulnerable due to outdated computer systems and the amount of sensitive data they hold. Hackers often target them through smaller vendors or other third-party suppliers that have access to important medical records, according to a Ponemon Institute study.
These smaller companies are often vulnerable because they don't have extensive security measures in place, said Michael Kline, partner and assistant general counsel at Fox Rothschild Attorneys at Law. The firm has represented data security consultants who touch protected health data in their work.
"People who may be trying to comply are constantly being beset by these creative, relentless hackers who are trying to intrude into their system," Kline said. "It's almost not a question of if you're going to have a HIPAA problem or health information problem—just when, and how bad it's going to be. It can be an entity killer."
SEE: Cybersecurity Research 2016: Weak Links, Digital Forensics, and International Concerns (Tech Pro Research)
According to last month's OCR announcement, "Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches."
The regional offices will consider several factors to determine whether or not to investigate a smaller breach, including:
- The size of the breach.
- Theft or improper disposal of unencrypted PHI.
- The amount, nature, and sensitivity of the PHI involved.
- Whether or not the breach was due to a hack.
- If the business has reported breaches in the past.
It's not the first time OCR has investigated smaller healthcare organization breaches: In July, Catholic Health Care Services of the Archdiocese of Philadelphia settled with OCR over potential HIPAA violations, and will pay $650,000. An employee's hospital-issued iPhone was stolen, compromising the PHI of 412 nursing residents. Information on the device, which was unencrypted and did not have a password, included social security numbers, diagnosis and treatment plans, and names of family members.
"This guidance says 'We're going to be looking at this, and you should set up your organization based upon its size, complexity, and the amount of PHI you have to deal with,'" Kline said.
Under HIPAA privacy laws, hospitals must diligently protect patient health data, such as patient names, birth dates, social security numbers, diagnoses, tests, and insurance information. Hospitals found guilty of data breaches can be fined upwards of $1.5 million per incident.
In 2015, there were more than 230 healthcare breaches that each impacted the records of 500-plus individuals, according to data from the US Department of Health and Human Services Office for Civil Rights.
Many forms of cybersecurity attacks are on the rise, especially ransomware, which affected 40% of businesses in the last year.
"Criminals used to go after larger companies, but as they have increased their cyber arsenals, the threats have trickled down to SMBs, which are less prepared, have fewer resources, and huge amounts of sensitive information," said Ebba Blitz, CEO of Alertsec.
Another part of the new HIPAA guidance states that the government will now categorize ransomware attacks as a breach, which is a concern for potential victims, said Elizabeth Litten, partner and HIPAA privacy officer at Fox Rothschild.
Prior to this guidance, if you were blocked from accessing your data, it was not generally viewed as an improper acquisition of PHI—it was assumed that you were locked out, but not that the records were viewed or stolen, Litten said. Now, if you can't rule out that information wasn't viewed or copied during a ransomware attack, it needs to be treated as a breach.
"It puts victims of these attacks in a position of having to take on an extra cost of compliance," Litten said.
Health information can have a higher value than financial information, Litten said. In some cases, it can be used for medical identity theft and insurance fraud by stealing the person's name and social security number.
"Protected health information could be as simple as a name and the fact that they were a patient at a hospital," Litten said. For example, a hacker could target an abortion clinic, an HIV center, or a cancer treatment facility to expose a high-profile person who received services there. "The more sensitive the information, the more it can potentially be used for blackmail," Litten said.
Though they may put more pressure on small businesses, the new OCR regulations are a needed update, Litten said. "The original regulatory standards were envisioned in a different environment, thinking of things as a rare incident that occurs if you lose a file or disk or your laptop," she said. "They weren't envisioning these daily potential efforts to get your information."
The mobility issue
Perhaps the largest concern for small businesses touching medical information is the mobile revolution. Some 45% of employees said mobile devices were their company's weakest security link, according to an August Tech Pro Research survey.
Another Tech Pro Research survey from earlier in 2016 found that 47% of employees reported that most workers at their company used either company-provided or personal devices for work purposes, with inconsistent use of security measures such as user authentication, data encryption, and device management software.
"You need a good plan for mitigating BYOD," Blitz said. She recommends asking employees to document their devices, so businesses can keep track of them and install security tools.
Tips for small businesses
Companies have a responsibility to their customers to maintain the security of their information, said Julie Simer, special counsel at Buchalter Nemer law firm in Los Angeles. "It's not simply a matter of avoiding the fines and damage to reputation that can happen when you have a breach, but maintaining the trust of your customer," Simer said.
Simer recommends performing a risk analysis, and creating a risk management plan and an incident response plan. It's also important to have a designated team to follow up on those plans, she added. You should also provide training for anyone who handles PHI, and regular monitoring to make sure training is effective.
"OCR is signaling that they are serious about investigating smaller breachers, and that you need more than just a perfunctory policy in place," Simer said.
Litten and Kline offer the following tips for SMBs to avoid HIPAA litigation:
- Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach.
- Document that you have policies and procedures in place to fight cyber crime. "If you didn't document it, it didn't happen," Kline said.
- Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
- Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
- Present annually to your company board on where the company is in terms of cybersecurity protection, and where it needs to be to remain as safe as possible in the future.
If you're an IT consultant working with a healthcare organization, be clear with your client what you need to access and when, Litten said. "A client that has protected health information in its software should carefully delineate who has access to that software," Litten said.
The 3 big takeaways for TechRepublic readers
- The US Office for Civil Rights recently announced that it will investigate smaller security breaches, in which fewer than 500 people's protected health information was compromised, for potential HIPAA violations. In the past, it usually only investigated larger breaches.
- Health information is sometimes valued higher than credit card information for cybercriminals, and can be used for medical identity theft, insurance fraud, and blackmail.
- Companies must take concrete steps to enhance cybersecurity practices, and ensure that they are documenting all of it, to avoid HIPAA-related litigation.
- Why data-driven analysis must inform healthcare IT security decisions (TechRepublic)
- 'Massive' Locky ransomware campaign targets hospitals (ZDNet)
- Ransomware-as-a-service is exploding: Be ready to pay (TechRepublic)
- New exploits target hospital devices, places patients at risk (ZDNet)
- Cybersecurity spotlight: The ransomware battle (Tech Pro Research)