January 26, 2018

HIPAA Enforcement in 2017: Key learnings from others’ mistakes

Laleh Hassibi

Vice President of Marketing

The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) investigates reports of data breaches involving health information. The breach reports are publicly available and searchable with a tool called the HIPAA Breach Reporting Tool.

Because entities have 60 days beyond the date a breach occurs to report it, complete results for 2017 will not be available until March 2018. However, a look at what has been reported so far, along with any general trends, may be instructive as we all prepare for the more stringent penalties of GDPR coming in May of 2018.

HIPAA Security is still a problem

One thing is certain: healthcare still has a security problem. The majority of the breaches in 2017 are classified as being the result of hacking/IT incidents. Out of 295 breaches reported between January 1, 2017 and December 31, 2017, 132 are listed as hacking/IT incident breaches.

2017 Data Breaches by Type

One of the largest, which occurred at Airway Oxygen, Inc., and affected 500,000 people was due to hacking of information in a network server. The company was hit by a ransomware attack in April, 2017, and reported the breach to HHS in June.

According to a story about the Airway Oxygen breach in Healthcare IT News, after the attack was discovered, Airway Oxygen “performed an internal scan on its system, changed all passwords for all users, vendors and applications, reviewed the firewall, updated and deployed security tools and installed monitoring software to issue alerts of suspicious activity.” They also hired a cybersecurity firm to help them understand how the breach occurred and its impact.

The story of Airway Oxygen’s breach begs the question: if they had taken all of those security measures before the breach, would it have happened? There’s no way of knowing, of course, but it certainly is a question worth asking.

Many types of entities are at risk, not only healthcare providers

Another interesting thing about the reports for 2017 so far is that all different sorts of entities reported breaches. It’s not only health systems or practices that have suffered security woes; insurers, state departments of human services, software companies, and other types of covered entities and business associates have reported breaches as well.

Late in 2016 and continuing into early in 2017, MongoDB databases fell victim to ransomware attacks. The Hacker News reports, “These MongoDB instances weren’t exposed due to any flaw in its software, but due to a misconfiguration (bad security practice) that let any remote attacker access MongoDB databases without using any special hacking tool.”

MongoDB corrected the problem in the next version of its software, but that requires administrators to actually update their servers. In September 2017, as many as 26,000 databases were hijacked and held for ransom. Emory Brain Health Center and Bronx-Lebanon Hospital Center were caught up in the attacks, along with other entities.

Lessons from others’ mistakes

On December 28, 2017, the OCR announced a settlement for a breach. The entity, 21st Century Oncology (21CO), was investigated by the Federal Bureau of Investigations (FBI) twice in 2015 and informed that patients’ personal health information (PHI) was being obtained illegally by unauthorized individuals.

The FBI found that the breach was occurring through a remote desktop protocol from an exchange server. As many as 2.2 million people were affected.

The settlement was for 21CO to pay $2.3 million and to enter into a corrective action plan (CAP). According to an article published by the law firm Saul Ewing Arstein & Lehr LLP, the results of the OCR’s investigation in this instance offer insight into what all healthcare entities should be doing:

The OCR’s investigation determined that 21CO (i) failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information (ePHI); (ii) failed to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level; (iii) failed to implement procedures to regularly review records of its information system activity; and, (iv) disclosed PHI to third party vendors who were acting as business associate without having written business associate agreement in place.”

The CAP that 21CO agreed to includes completing a risk analysis and risk management plan, revising security policies and procedures, and cataloging its business associate agreements, among several other steps.

Saul Ewing Arnstein & Lehr offer advice to other business required to comply with HIPAA regulations, writing,

As we begin 2018, covered entities and business associates should revisit their HIPAA Privacy, Security and Breach Notification policies and procedures to ensure internal compliance and make timely adjustments as appropriate.”

As we move through 2018 and toward May, when the new GDPR EU data privacy regulations becomes effective, it behooves us all to pay close attention to how much we are at risk of a data breach—not only with HIPAA, but also with GDPR. After all, that $2.1 million 21CO HIPAA penalty could potentially be ten times that amount in GDPR fines.

Let Datica remove the burden and risk of compliance for your digital health application with our HITRUST-certified healthcare platform. Get started today with a free trial.

tag HIPAA Healthcare News


Will new identity-proofing NIST standards prove who you say you are?

Marcia Noyes

Director of Communications

A recent NIST update includes important changes that encourage out of band authentication methods versus a single source email. Learn how Datica is responding.

event-note October 10, 2017

Facing down the largest breaches of 2017 with Datica's open-source policies

Mark Olschesky

Chief Data Officer

As we roll into the end of 2017, it's worth looking back on how the industry has been doing protecting PHI against the threat of cyber-intrusions.

event-note August 30, 2017

Spear Phishing: Hackers Aiming for Healthcare

Marcia Noyes

Director of Communications

In the 377 healthcare data breaches last year, phishing attacks were among the top data breach causes. Why is healthcare such a target for spear phishing attacks?

event-note August 18, 2017

CloudFlare, Data Breaches, and the HIPAA Conduit Exemption

Adam Leko

Chief Technology Officer

By now you've heard of the CloudFlare leak of sensitive data. There's a specific part of HIPAA legislation that health care should be concerned about.

event-note February 27, 2017