The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) investigates reports of data breaches involving health information. The breach reports are publicly available and searchable with a tool called the HIPAA Breach Reporting Tool.
Because entities have 60 days beyond the date a breach occurs to report it, complete results for 2017 will not be available until March 2018. However, a look at what has been reported so far, along with any general trends, may be instructive as we all prepare for the more stringent penalties of GDPR coming in May of 2018.
HIPAA Security is still a problem
One thing is certain: healthcare still has a security problem. The majority of the breaches in 2017 are classified as being the result of hacking/IT incidents. Out of 295 breaches reported between January 1, 2017 and December 31, 2017, 132 are listed as hacking/IT incident breaches.
One of the largest, which occurred at Airway Oxygen, Inc. and affected 500,000 people, was due to hacking of information on a network server. The company was hit by a ransomware attack in April 2017 and reported the breach to HHS in June.
According to a story about the Airway Oxygen breach in Healthcare IT News, after the attack was discovered, Airway Oxygen “performed an internal scan on its system, changed all passwords for all users, vendors and applications, reviewed the firewall, updated and deployed security tools and installed monitoring software to issue alerts of suspicious activity.” They also hired a cybersecurity firm to help them understand how the breach occurred and its impact.
The story of Airway Oxygen’s breach raises the question: if they had taken all of those security measures before the breach, would it have happened? There’s no way of knowing, of course, but it certainly is a question worth asking.
Many types of entities are at risk, not only healthcare providers
Another interesting thing about the reports for 2017 so far is the variety of entities that reported breaches. It’s not only health systems or practices that have suffered security woes; insurers, state departments of human services, software companies, and other types of covered entities and business associates have reported breaches as well.
Late in 2016 and continuing into early in 2017, MongoDB databases fell victim to ransomware attacks. The Hacker News reports, “These MongoDB instances weren’t exposed due to any flaw in its software, but due to a misconfiguration (bad security practice) that let any remote attacker access MongoDB databases without using any special hacking tool.”
MongoDB corrected the problem in the next version of its software, but that only helps if administrators actually update their servers. In September 2017, as many as 26,000 databases were hijacked and held for ransom. Emory Brain Health Center and Bronx-Lebanon Hospital Center were caught up in the attacks, along with other entities.
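The misconfiguration described above comes down to two mongod.conf settings: a bind address open to every interface and access control left disabled (the default). The following audit script is an added example, not code from the original post or from MongoDB; it reads the real `net.bindIp` and `security.authorization` keys from constructed sample configs and flags the exposed pattern beside the hardened one (the note that pre-3.6 builds bound all interfaces by default is stated from our own knowledge of the 3.6 release, not from the post).

```python
from typing import Any, Dict, List
# Constructed sample mongod.conf files: the exposed pattern, then the hardened one.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0              # listens on every interface
storage:
  dbPath: /var/lib/mongodb
"""  # no 'security' section, so access control is off (the default)
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal app network only
security:
  authorization: enabled       # clients must authenticate and hold a role
"""
PUBLIC_BINDINGS = {"0.0.0.0", "::"}

def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the 'section:' + indented 'key: value' layout of mongod.conf (not general YAML)."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: back out to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:  # a section header opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_mongod_conf(text: str) -> List[str]:
    """Findings that made the 2017 instances reachable; [] means the bind
    address is restricted and authorization is enabled."""
    cfg = parse_simple_yaml(text)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    findings: List[str] = []
    bound = {a.strip() for a in net.get("bindIp", "").split(",")}
    if "bindIp" not in net:
        findings.append("net.bindIp not set: pre-3.6 builds bind all interfaces by default")
    elif bound & PUBLIC_BINDINGS:
        findings.append(f"net.bindIp={net['bindIp']}: mongod is reachable on every interface")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any connecting client gets full access")
    return findings
```

Run it against a real mongod.conf by passing the file contents to `audit_mongod_conf`; an empty list means both controls are in place, which is the state the affected instances lacked.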
Lessons from others’ mistakes
On December 28, 2017, the OCR announced a settlement for a breach. The entity, 21st Century Oncology (21CO), was investigated by the Federal Bureau of Investigation (FBI) twice in 2015 and informed that patients’ protected health information (PHI) was being obtained illegally by unauthorized individuals.
The FBI found that the breach was occurring via Remote Desktop Protocol (RDP) access to an Exchange server. As many as 2.2 million people were affected.
The settlement was for 21CO to pay $2.3 million and to enter into a corrective action plan (CAP). According to an article published by the law firm Saul Ewing Arnstein & Lehr LLP, the results of the OCR’s investigation in this instance offer insight into what all healthcare entities should be doing:
“The OCR’s investigation determined that 21CO (i) failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information (ePHI); (ii) failed to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level; (iii) failed to implement procedures to regularly review records of its information system activity; and, (iv) disclosed PHI to third party vendors who were acting as business associates without having a written business associate agreement in place.”
The CAP that 21CO agreed to includes completing a risk analysis and risk management plan, revising security policies and procedures, and cataloging its business associate agreements, among several other steps.
Saul Ewing Arnstein & Lehr offers advice to other businesses required to comply with HIPAA regulations, writing:
“As we begin 2018, covered entities and business associates should revisit their HIPAA Privacy, Security and Breach Notification policies and procedures to ensure internal compliance and make timely adjustments as appropriate.”
As we move through 2018 and toward May, when the EU’s new GDPR data privacy regulation becomes effective, it behooves us all to pay close attention to how much we are at risk of a data breach, not only under HIPAA but also under GDPR. After all, that $2.3 million 21CO HIPAA penalty could potentially be ten times that amount in GDPR fines.
Let Datica remove the burden and risk of compliance for your digital health application with our HITRUST-certified healthcare platform. Get started today with a free trial.