Posts Tagged: data breach

Healthcare Data Breaches Will Cost Sector $4B in 2019


Healthcare is a massive target for cybercriminals. Hackers are clearly outpacing the technology innovation of provider organizations. Healthcare data breaches, according to a Black Book Market Research survey, will cost $4 billion in 2019. That’s billion with a B.

The survey included over 2,800 security professionals from 733 providers. Its intent was to identify the gaps, risks, and vulnerabilities that keep the healthcare industry from making strides against breaches. About 96% of the experts surveyed believe cybercriminals are ahead of their ability to defend against them.

These eye-opening stats reinforce the need for healthcare to be more proactive in cybersecurity. The number of attacks is only increasing, as 93% of healthcare organizations have experienced one in the last three years. About one in 10 healthcare consumers has had their data stolen.  

Why Is Healthcare Still Struggling with Data Breaches?


Since it seems that healthcare data breaches won’t be waning, it’s time to address the real struggle. Much of it comes down to budget constraints. Black Book identified that 90% of respondents said their IT security budgets have remained relatively flat since 2016.

With competing priorities and every department fighting for funding, healthcare organizations find it difficult to invest in something that doesn’t generate revenue. The consequence of not investing, however, is significant and quantifiable risk: the average cost of recovering from a healthcare breach is $3.92 million, and that number rises quickly depending on the type of breach and the number of patients affected.

Without budget growth, it is not clear what in healthcare IT should be protected first, or how. Organizations lack historical data to prioritize against, emerging technologies like AI complicate the picture, and some buyers in healthcare organizations aren’t performing true due diligence. A large part of the reason is that a majority of hospitals don’t have a security executive on staff. Without that expertise to make crucial decisions, cybersecurity spending won’t have the impact it should.

Instead of managing cybersecurity internally, many in the healthcare sector are outsourcing this function. This approach can reduce costs and ensure that current defensive tooling is in place. Outsourcing doesn’t transfer responsibility, though: under HIPAA the covered entity remains accountable for the data and needs a business associate agreement with the provider it hires.

Healthcare and Technology: Not Exactly the Odd Couple

Healthcare has a unique relationship with technology. Technology has boosted outcomes, improved patient care, and delivered insights drawn from large-scale data collection. But it has also created new risks, because healthcare data requires protection and compliance with HIPAA. The point where these two sides converge is, right now, a space of vulnerability.

The future of healthcare cybersecurity must outpace what cybercriminals can do. Otherwise the cost of the risk eventually outweighs the pursuit of profitability, and when an organization reaches that point, larger security budgets may finally become a reality. Even then, healthcare should make careful investments rather than react to the urgency a cybersecurity incident creates. Being strategic and proactive is the optimal path to reducing cyberattacks and healthcare data breaches.

HIPAA Trends and Emerging Challenges: What to Expect in 2020


HIPAA is now over two decades old. In that time, much has changed. When it was written, the Internet was in its infancy, and most healthcare data was still on paper only. The objective of HIPAA was to modernize the flow of healthcare information and protect patients from fraud and theft. HIPAA compliance is critical to every healthcare organization, but that doesn’t mean it’s easy to keep up with HIPAA trends and emerging challenges. 

To help you prepare for any changes in 2020, we’re breaking down what to expect in the next year regarding HIPAA regulations. 

National Patient Identifier

As part of HIPAA’s passage in 1996, a National Patient Identifier was to be established. However, Congress effectively blocked it by prohibiting HHS from spending funds to develop it. In June of 2019, the House voted in favor of lifting this ban. There are two sides to the argument.

Most health IT leaders believe that creating an identifier is vital to solving challenges with patient matching and has the potential to minimize medical errors and misidentification. The American Health Information Management Association (AHIMA) supports the lift of the ban and development of the identifier. 

The identifier could help reduce interoperability issues as well. The fiercest objections still come from politicians, namely Sen. Rand Paul, R-Ky., who recently introduced a bill in Congress to repeal the identifier provision. Paul argues that a national identifier would threaten patient privacy. Critics say his arguments are without merit and don’t align with the current reality of healthcare data needs.

A healthcare identifier for Medicare beneficiaries has been approved and goes into effect on January 1, 2020. This is a HIPAA trend that will continue to be a hot topic in the next year.

Compliance and Enforcement HIPAA Trends

Enforcement of HIPAA by the HHS Office for Civil Rights (OCR) picked up speed in 2019. After a record-breaking year in which it recovered over $28 million, OCR started 2019 with a $3 million settlement related to two breach incidents.

Later in the year, OCR announced its first settlement under the Right of Access Initiative. The case involved a healthcare organization that failed to respond to a patient’s request for medical records in a timely manner. The settlement sends a clear signal that entities will be held accountable for not providing patients access to their records as HIPAA requires.

The largest settlement in 2019 will reportedly be $145 million paid by Allscripts Healthcare Solutions. The settlement concerns Practice Fusion, an entity Allscripts purchased in 2018 that was under federal investigation for anti-kickback violations, a matter governed by the federal Anti-Kickback Statute rather than HIPAA’s privacy and security rules.

Data breaches continue to be an Achilles’ heel for healthcare. Healthcare again leads all industries in cybersecurity attacks and data breaches. What gives that statement context is that most of those incidents originated inside the organization.

Healthcare organizations must begin to evolve and modernize their infrastructure to combat this. They should also think of HIPAA compliance as a baseline and exceed requirements for better protection.

More Risk Assessments Will Occur

Healthcare organizations often assume, incorrectly, that general insurance will cover a data breach. This is rarely the case. To obtain cyber coverage, companies will likely need to perform risk assessments, which the HIPAA Security Rule already requires and which are examined in HIPAA audits. While you can perform a risk assessment internally, it’s often a good idea to work with an experienced third-party expert.

Social Media Continues to be a Compliance Miss


There have been many stories of social media and HIPAA noncompliance. Social media is simply another communication channel and must be treated as such. Under HIPAA, violations on social media networks include:

  • Gossip or hearsay posted to unauthorized individuals even if no name is disclosed
  • Sharing any patient photos without express permission
  • Posting pictures from your office that contain any visible patient files
  • Directly publishing any PHI

Much of this noncompliance comes down to inadequate employee training. Organizations need a clear and accessible social media policy, so there is no room for misinterpretation.

State AGs Ramping Up General HIPAA Enforcement

While the healthcare industry generally thinks of OCR as the agency to worry about most, it can’t overlook state attorneys general. State AGs are becoming more active and have begun to band together to bring multi-state suits.

In addition to OCR, states are bringing their own actions against entities found to be in violation of HIPAA, and OCR actively encourages state AGs to do so. State AGs were once not really a party to HIPAA enforcement; the HITECH Act of 2009 gave them authority to sue, and in 2010 the Connecticut AG used it to take aim at a company responsible for the breach of 446,000 patient records in the state.

Since then, multiple state AGs have sued noncompliant businesses and recouped money on behalf of their affected residents, and that isn’t expected to decline. Research shows that most state AG enforcement actions involve ePHI, yet another reason to strengthen cybersecurity programs.

As technology advances and new tools like AI and blockchain become part of the healthcare infrastructure, there will be new HIPAA trends to consider. Healthcare organizations must be proactive, rather than reactive, in sustaining HIPAA compliance and data security.

EHR Patient Data Found for Sale Online, Browser Extensions Found to Be Source of Leak


The Washington Post recently posted an alarming story relating to EHR patient data being sold online. The culprit? Web browser extensions. The Post reports that as many as four million people have browser extensions that sell their every click.

The investigation prompted a notification to Google and Mozilla, both of which said they had shut down the offending extensions promptly. However, many more could be out there.

Plug-Ins Make Life Easier

The beauty of integrating plug-ins into your web browser is that they should make your life online easier. Many of you probably use them to store passwords with a platform like 1Password.

The problem is that most users install these add-ons believing that anything offered through Chrome or Internet Explorer must be legitimate. While many are, some extensions are doing extra duty.

The Data Economy

Once these plug-ins have a window into your browsing, they can pass along information about where you spend your time, and an extension granted access to every site can read page URLs and page content, not just click counts. So much activity occurs in your browser. If you’re in the healthcare field, you are probably using your EHR within your browser, which means data brokers could be viewing protected information.

That’s exactly what the Washington Post reporter found. In his article, he shared that he found the names of patients, doctors, and even medications. With this data available and for sale on data broker sites, it’s clear that a data breach has occurred. And not one that many would have expected.

How Many Extensions Are Leaking Private and Sensitive Data?


While the Washington Post only found a handful of extensions with nefarious dealings, a North Carolina State University study of 180,000 Chrome extensions found 3,800 problematic add-ons. Not all of these extensions are doing something illegal; many disclose to users that they collect data based on browsing history. But of those 3,800 add-ons, the study found that at least 382 were in the data sales business, and no regulation prevents them from doing so.

What You Can Do to Protect Your Sensitive Data

EHR patient data is private and protected. Should it fall into the wrong hands, you could be liable and be found noncompliant with HIPAA. To prevent extension-related leaks, your organization should have security guidelines about which extensions a user can add. Your IT team may decide to whitelist a few, like password managers, and the list should be enforced through the browser’s managed policies rather than left to written guidance alone, since a policy users can ignore is no control at all.
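Before an allowlist can be enforced, IT needs to know what is already installed and what each extension can see. The script below is an added example, not code from the original post or from any vendor mentioned in it. It walks a Chrome profile’s on-disk Extensions directory, compares each extension ID against an IT-maintained allowlist, and flags manifests that request broad host access or permissions such as `tabs` and `webRequest`, which are exactly what an extension needs to report every page a user visits. The two extension IDs, the allowlist, and the sample manifests are constructed placeholders for illustration.

```python
"""Audit a Chrome profile's installed extensions against an allowlist.

Added example, not from the original post. Assumes Chrome's on-disk layout
<profile>/Extensions/<extension-id>/<version>/manifest.json and an allowlist
of extension IDs maintained by IT. The IDs and manifests below are
constructed placeholders, not real extensions.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read every page the user visits,
# which on an EHR page means patient names, doctors and medications.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity or let the extension inject code.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "webNavigation", "history", "scripting"}

# Placeholder 32-character extension IDs (Chrome IDs use the letters a-p).
PASSWORD_MANAGER_ID = "a" * 32  # hypothetical approved password manager
COUPON_FINDER_ID = "b" * 32     # hypothetical data-harvesting "coupon" add-on
ALLOWLIST = {PASSWORD_MANAGER_ID}  # what IT has approved (assumption)


def manifest_risks(manifest: dict) -> list[str]:
    """Return the reasons a manifest is considered high risk (empty if none)."""
    reasons: list[str] = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOST_PATTERNS:
        reasons.append("can read every page the user visits")
    for perm in sorted(perms & SENSITIVE_PERMISSIONS):
        reasons.append(f"requests '{perm}'")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            reasons.append("injects a content script into every site")
            break
    return reasons


def audit_profile(profile_dir: Path, allowlist: set[str]) -> dict[str, dict]:
    """Walk <profile>/Extensions and report allowlist status and risks per extension."""
    findings: dict[str, dict] = {}
    ext_root = profile_dir / "Extensions"
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        # Several versions can coexist on disk; the newest (last sorted) wins.
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            findings[ext_id] = {
                "name": manifest.get("name", "?"),
                "version": manifest_path.parent.name,
                "allowed": ext_id in allowlist,
                "risks": manifest_risks(manifest),
            }
    return findings


def build_sample_profile() -> Path:
    """Create a throwaway profile holding two constructed sample extensions."""
    profile = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    samples = {
        PASSWORD_MANAGER_ID: {
            "manifest_version": 3, "name": "Example Password Manager", "version": "2.1.0",
            "permissions": ["storage", "activeTab"], "host_permissions": [],
        },
        COUPON_FINDER_ID: {
            "manifest_version": 2, "name": "Coupon Finder", "version": "0.9.3",
            "permissions": ["tabs", "webRequest", "<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["collect.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = profile / "Extensions" / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return profile


def run_sample_audit() -> dict[str, dict]:
    """Audit the constructed sample profile against the placeholder allowlist."""
    return audit_profile(build_sample_profile(), ALLOWLIST)


if __name__ == "__main__":
    for ext_id, finding in run_sample_audit().items():
        status = "ALLOWED" if finding["allowed"] else "NOT ALLOWED"
        detail = "; ".join(finding["risks"]) or "no broad access requested"
        print(f"{finding['name']} {finding['version']} [{status}]: {detail}")
```

Point `audit_profile` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to audit a workstation. The audit only tells you where you stand; enforcement belongs in the browser’s managed policy, such as Chrome’s `ExtensionInstallBlocklist` set to `*` with approved IDs in `ExtensionInstallAllowlist`, or Firefox’s `ExtensionSettings` in `policies.json`, so that users cannot add anything outside the list.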

But this due diligence should extend to your vendors as well, especially if you are expected to initiate a data conversion in the future. In a data conversion, a data management company pulls data from an old EHR system and then formats and prepares it for loading into your new system. You should ask about their policy on browser extensions for added peace of mind.

Data leaks happen, but there are many things you can do to keep your EHR patient data safe, one of which is limiting browser extensions. Be sure to update your policy promptly to protect your data.