By Mark S. Blanke
Back in 1996, Congress passed the Health Insurance Portability and Accountability Act known as HIPAA, which set in motion a variety of changes in the healthcare industry. This included a set of standards regarding health records as well as security and privacy rules enacted in 2003. At the core of these rules is securing personal healthcare data, known as Protected Health Information (PHI). In 2013, with the passing of the Final Omnibus Rule, HIPAA security rules were updated and penalties for violation of PHI privacy requirements were made more severe.
For many hospitals, doctors’ offices, and other healthcare providers and insurance companies, addressing security and privacy has been a growing concern. While many of these practices were new to organizations in the early 2000s, most have since developed basic practices that address the rules. However, over the last decade, security threats have become significantly more prevalent and advanced. To make things worse, it’s not just the big organizations that are under attack. Small hospitals, medical groups, and stand-alone practices are also being targeted and getting compromised.
The HIPAA privacy and security rules are enforced by the Health and Human Services (HHS) Office for Civil Rights (OCR), which issues annual guidance. Currently, all “covered entities” are required to perform an annual Security Risk Assessment (SRA). There is a lot more to what is included in the privacy and security rules, but that’s probably a topic for another blog.
The fundamental purpose of the security and privacy rules is to protect individuals from having their electronic healthcare information shared with those who should not see it, and to ensure that control of that information rests with the patient. While poor practices by a medical professional may allow certain people to gain access to records, the greater risk is cyber-attacks, whereby external bad actors gain access to large amounts of data, take control of or damage information systems, or execute ransomware attacks.
Major breaches, including an increasing number of ransomware attacks, have been plaguing the healthcare industry. According to IBM’s latest “Cost of a Data Breach Report”, data breaches in healthcare cost organizations an average of $10.1 million each. Add the fact that over 600 breaches affecting more than 500 people each have been reported so far this year by healthcare organizations, and it is a scary realization. The likelihood and impact to you are real and expensive.
With the increase in concern over these attacks, the White House has announced that it is looking to add minimum security standards for healthcare organizations. While the HIPAA and HITECH security and privacy rules already exist, this means additional requirements, higher standards, and increased auditing and penalties are most likely coming soon.
Specifically, Anne Neuberger, the deputy national security advisor for cyber and emerging technology in the Biden Administration, stated at a recent Washington Post Live event that the healthcare industry is one of the next three cybersecurity focus areas for the White House. Neuberger explained that through the HHS there are plans to “put in place minimum cybersecurity guidelines and then further work upcoming thereafter on devices and broader health care as well.”
For most organizations, if you are performing a proper security risk assessment at least once a year and addressing your vulnerabilities, you are probably in good shape for what’s next. The real problem is that many organizations perform an SRA simply to meet the requirements, as opposed to truly using it to improve their organization’s security posture. For many, it is time to take a more aggressive approach to the organization’s security practices and put in place processes and technology that will achieve much greater protection.
With ever-increasing attacks, the requirement to publicly report any and every breach, increasing fines, and the OCR becoming more aggressive on audits, it is time to take healthcare security very seriously and make it a priority for your organization. The best way to get started is by performing your next SRA and ensuring that it is conducted thoroughly and by security experts to truly move you forward.
If you need assistance with your next SRA, contact ClearBridge Technology Group here for a free consultation.