Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Exec Tells Congress That New Health Data Threats Are Emerging

Posted on June 20, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A senior security executive with a major academic health system has told Congress that in addition to attacks by random attackers, healthcare organizations are facing new threats which are changing the health security landscape.

Erik Decker, chief security and privacy officer with the University of Chicago Medicine, testified on behalf of the Association for Executives in Healthcare Information Security in mid-June. He made his comments in support of the reauthorization of the Pandemic and All-Hazards Preparedness Act, whose purpose is to improve the U.S. public health and medical preparedness for emergencies.

In his testimony, Decker laid out how the nature of provider and public health preparedness has changed as digital health technology has become the backbone of the industry.

He described how healthcare information use has evolved, explaining to legislators how the digitization of healthcare has created a “hyper-connected” environment in which systems such as EHRs, revenue cycle platforms, imaging and ERP software are linked to specialty applications, the cloud and connected medical devices.

He also told them about the increasing need for healthcare organizations to share data smoothly, and the impact this has had on the healthcare data infrastructure. “There is increasing reliance on these data being available, and confidential, to support these nuanced clinical workflows,” he said. “With the adoption of this technology, the technical ecosystem has exploded in complexity.”

While the emergence of these complex digital health offers many advantages, it has led to a growth in the number and type of cybersecurity problems providers face, Decker noted. New threats he identified include:

* The development of underground markets and exchanges of sensitive information and services such as Hacking-as-a Service
* The emergence of sophisticated hacking groups deploying ransomware
* New cyberattacks by terrorist organizations
* Efforts by nation states to steal intellectual property to create national economic advantages

This led to the key point of his testimony: “We can no longer think of preparedness relative only to natural disasters or pandemics,” Decker said. “It’s imperative that we acknowledge the criticality of cybersecurity threats levied against the nation’s healthcare system.”

To address such problems, Decker suggests, healthcare organizations will need help from the federal government. For example, he pointed out, HHS efforts made a big difference when it jumped in quickly and worked closely with healthcare leaders responding to WannaCry attacks in mid-2017.

Meanwhile, to encourage the healthcare industry to adopt strong cybersecurity practices, it’s important to offer providers some incentives, including a financial subsidy or safe harbors from enforcement actions, he argued.

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from more than 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives that bought cybersecurity solutions between 2016 and 2018 said they did so blindly without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions because they don’t have anyone senior to consult – and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on the family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again in three months’ time. Worse, there’s a greater than 54% chance they will do so again in a years’ time. That’s a pretty nasty form of compounding risk.

Not only that, do healthcare institutions catch breaches right away? According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place in last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records to find imaging medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Cybersecurity Lapses Might Be Killing Patients

Posted on April 4, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Nobody would argue that data breaches are good for patients. After all, health data management is challenging enough without having to deal with outside attacks. But could they actually be killing patients? One researcher argues that this is indeed happening.

According to research by Dr. Sung Choi of Vanderbilt University’s Owen Graduate School of Management, hospital data breaches are linked to more than 2,100 patient deaths per year.

One key reason for this phenomenon is that data breaches create distractions for doctors which can extend far beyond the actual incident. This seems to be associated with an increase in patient mortality rates, he said. He also noted that it can be costly for hospitals to address images created by the data breach, which may divert resources better spent in patient care.

What’s more, breaches trigger a whirlwind of administrative activities, including remediation efforts, regulatory increase in litigation in the years that follow. This presents yet another distraction from focusing on care delivery.

To conduct his analysis, Dr. Choi used data from CMS and HHS, comparing patient care data at hospitals that have and have not experienced a data breach. He found that there were 305 hospital breaches between 2012 and 2016, exposing 14 million records.

One of the metrics Dr. Choi reviewed was the proportion of who died within 30 days of being heart attack patients who die within 30 days after being admitted to hospital. He found that this rate increased by 0.23% with one year after the breach, and by 0.36% two years after the breach. This adds up to an additional 2,160 additional patient deaths each year, he said.

What’s more, hospitals that experienced a health data breach took far longer to administer an ECG to newly-admitted patients, the data analysis concluded.

It’s worth noting that this phenomenon is not well documented as of yet. While data breaches are clearly correlated with some additional patient deaths, Dr. Choi seems to concede that he hasn’t found a direct causal relationship between breaches and mortality across the board.

Still, it stands to reason that cybersecurity problems would have some impact on patient care quality. Now that we’re armed with this data, we have even more compelling reasons to avoid breaches. Let’s hope that the hospital industry’s track record on health data security improves in the near future.

Cybersecurity Report Card:  Better Performance, But Not Great

Posted on March 29, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new research report from HIMSS has concluded that while healthcare organizations are improving their cybersecurity programs, there’s still a number of things they could do better.

The study drew on responses from 239 health information security professionals. Their responses were gathered from December 2017 to January 2018. While respondents came from a number of settings, the largest number (31.5%) were with hospitals, multi-hospital systems or integrated delivery networks.

One key point made by the study was that significant security incidents are projected to continue to grow in number, complexity and impact. That’s reflected by responses from survey participants, 75.7% of whom said that their organizations experienced a significant security incident in the past 12 months.

The top threat actors attacking these organizations included online scam artists deploying phishing and spear phishing attacks (37.6%), followed by negligent insiders (20.8 %) or hackers (20.1%). In many cases, the initial point of security compromise was by email. Time it took to discover the incident included less than 24 hours (47.1%), one to two days (13.2%) and 3 to 7 days (7.4%).

Despite these risks, and the effort required to protect their data, healthcare organizations with cybersecurity programs are improving their performance. They’re devoting more resources to those programs (55.8% of current IT budgets), responding to problems identified by regular risk assessments (with 83.1% adopting new and improved security measures in the wake of those assessments) and regularly conducting penetration testing and security awareness training.

On the other hand, HIMSS found that most healthcare organizations, cybersecurity programs still need improvement. For example, staffers face major obstacles in remediating and mitigating security incidents, particularly having too few cybersecurity personnel on board and a lack of financial resources. HIMSS also noted that educating and testing “human components” for security vulnerabilities is critical, but may not be included in many efforts.

In some cases, organizations don’t have formal insider threat management programs. While many respondents (44.9%) said they do have insider threat management programs and policies in place, another 27% said those programs were informal. And 24.2% said their organization had no insider threat management program at all.

In addition, risk assessments vary widely across the industry. Popular sources used to gather cyber threat intelligence include US CERT alerts and bulletins (60%) and HIMSS resources (53.8%), but many others are used as well.

The net of all of this seems to be that while healthcare organizations have gotten smarter where cybersecurity is concerned, they need to invest more in specialized personnel, improve staff training, remediation and risk assessments and stay alert. As the number of attacks continues to grow, nothing else will get the job done.

CES Really Scared Me. Will HIMSS Make Me Feel Any Better?

Posted on February 22, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Are Consumer Health Care Products Accurate & Safe Enough for Your Healthcare?

At CES, the monstrous electronics show, I saw lots of consumer devices advertised for personal fitness and healthcare. There was even a Digital Health Summit, with a wide range of industry experts.

Some companies were promoting their ability to send data to healthcare providers. That’s scary, since there are no standards governing many of these devices.

A clear message from CES is that the divisions between ‘technology’ and ‘devices’ are diminishing. Alexa, Google Home, and Siri, won’t be tied to stand-alone devices for long. They will be integrated into a wide range of consumer products across a home network, your car, portable devices, and the Internet. It’s not a big leap of the imagination to think that you will be telling Alexa, in your refrigerator, to reset the alarm clock in your bedroom, for an early meeting. And that Alexa will be telling you that you gained a pound, and send that data to your doctor.

Considering the recent news about Amazon getting into healthcare, with Warren Buffet and JP Morgan, it’s logical to think that Amazon will be delivering our healthcare along with our packages. Will you get a colonoscopy notification from Amazon because someone orders a 50th birthday card for you? (Will they only use lubricant if you have Prime? Ok, that might have been a little harsh.)

Loud and clear from CES is the consumerization of healthcare, and it’s scary.

Will data from your consumer products be accurate enough for a health care provider to form a professional opinion?

Will your devices be safe from hacking and interference?

Who will be liable if something bad happens to you because your data wasn’t accurate, or was delayed in transmission?

Should there be a government or industry-based organization setting standards and certifying devices?

ACCURACY

Valencell makes biometric sensor chips for companies to use in their consumer products. They displayed stylish brand-name smart watches that imbed their biometric-sensor chips.

Valencell’s President, Steven LeBoeuf, said that there are no standards for consumer heart monitors. His chips are voluntarily lab-tested and certified for accuracy. He said that some of their competitors’ products can confuse a person’s steps, as they are walking or running, as a heartbeat.

While that might not matter too much to a person casually checking their own vitals, what will happen if incorrect data is sent upstream to your healthcare provider?

This diagram, produced by iHealth, a company that makes ‘consumer-friendly, mobile personal healthcare products that connect to the cloud’, clearly shows their expectation that your data will be communicated to hospitals.

iHealth aptly describes this as a Systematic Framework. Think about how many vendors will be involved in the system. Device manufacturers, chip manufacturers, software designers, programmers, computer companies, communication networks, Internet service providers, cloud services, and more, all before data gets to the hospital.

What if there is a failure? What happens to you if your healthcare is depending on a consumer device? Who is responsible for the security and accuracy of the data through the system? Wanna bet that everyone will be pointing their finger at someone else?

SAFETY

What will protect you from your devices? There are an increasing numbers of stories of consumer products and autonomous cars – the Internet of Things (IoT) – being hacked.

In August, 2017, the FDA issued a warning that a pacemaker was vulnerable to hackers who could remotely kill the battery or modify the performance of the pacemaker. Killing the battery could kill the patient. Remember that this recall occurred because a pacemaker is a medical device governed by the FDA, which doesn’t govern consumer healthcare products.

The Equifax breach, the Spectre and Meltdown flaws in computer microchips, and hackers hijacking baby monitors and surveillance cameras, all show the importance of being able to apply software and firmware patches and updates.

It took a long time for the government to require car companies to recall vehicles for safety problems. How many people will be hurt, or die, before consumer health care products get regulated?

LIABILITY

At CES, AIG Insurance presented this graphic of survey results showing who is liable for a driverless vehicle crash.

Imagine personal injury attorneys salivating over consumer health care product failures. Imagine new types of insurance coverage – or new types of policy exceptions – related to managing healthcare based on consumer product data.

STANDARDS & REGULATIONS

What’s the difference between a medical device and a consumer health care product? What defines a heart monitor? How accurate is a scale? How will a consumer health care product receive security patches? How will consumers be notified their health care products aren’t safe?

Do we want the federal government involved? In 1966, the National Traffic and Motor Vehicle Safety Act required auto manufacturers to notify the government and consumers of safety defects, and recall vehicles. Could our dysfunctional Congress ever agree on a plan to regulate consumer health care products?

What about the industry policing itself? At his annual briefing at CES, electronics industry veteran Shelly Palmer made his case for a Self-Regulatory Organization (SRO) to create and enforce standards to protect consumers from risks associated with the Internet of Things.

The model for this could be PCI-DSS, the Payment Card Industry Data Security Standards, that govern organizations that accept and process credit cards. This standard is self-regulated by a council founded by the credit card companies, and is not overseen by federal or state agencies. It covers credit card processing from end-to-end, from certifying the swipe device on the store’s counter all the way through the merchant processors and banks.

According to its website, the council “provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

If you are a healthcare professional, isn’t this the level of integrity and security you want for consumer products sending patient data to you?

Who would take on the responsibility, not to mention the liability, of policing consumer products sending data to healthcare organizations? The Consumer Technology Association (CTA), or the Health Information Management Systems Society (HIMSS)?

Will it take a disaster for us to find out?

Maybe I will find some answers at the HIMSS health IT conference. I sure hope so.

Nearly 6 Million Patient Records Breached In 2017

Posted on February 1, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Just how bad a year was 2017 for health data? According to one study, it was 5.6 million patient records bad.

According to health data security firm Protenus, which partnered with DataBreaches.net to conduct its research, last year saw an average of at least one health data breach per day. The researchers based their analysis on 477 health data breaches reported to the public last year.

While Protenus only had 407 such incidents, those alone affected 5,579,438 patient records. The gross number of exposed records fell dramatically from 2016, which saw 27.3 million records compromised by breaches. However, the large number of records exposed in 2016 stems from the fact that there were a few massive incidents that year.

According to researchers, the largest breach reported in 2017 stemmed from a rogue insider, a hospital employee who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches sprung from insider errors, hacking, and one other incident involving insider wrongdoing.

Insider wrongdoing seems to be a particular problem, accounting for 37% of the total number of breaches last year. These insider incidents affected 30% of compromised patient data, or more than 1.7 million records.

As bad as those stats may be, however, ransomware and malware seem to be even bigger threats. As the study notes, last year a tidal wave of hacking incidents involving malware and ransomware hit healthcare organizations.

Not surprisingly, last year’s wave of attacks seems to be part of a larger trend. According to a Malwarebytes report, ransomware attacks on businesses overall increased 90 percent last year, led by GlobeImposter and WannaCry incidents.

That being said, healthcare appears to be a particularly popular target for cybercriminals. In 2016, healthcare organizations reported 30 incidents of ransomware and malware attacks, and last year, 64 organizations reported attacks of this kind. While the increase in ransomware reports could be due to organizations being more careful about reporting such incidents, researchers warn that the volume of such attacks may be growing.

So what does this suggest about the threat landscape going forward?  In short, it doesn’t seem likely the situation will improve much over the next 12 months. The report suggests that last year’s trend of one breach per day should continue this year. Moreover, we may see a growth in the number of incidents reported to HHS, though again, this could be because the industry is getting better at breach detection.

If nothing else, one might hope that healthcare organizations get better at detecting attacks quickly. Researchers noted that of the 144 healthcare data breaches for which they have data, it took an average of 308 days for the organization to find out about the breach. Surely we can do better than this.

HHS HIPAA Breach Wall of Shame Updated

Posted on August 28, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The new design is nice and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by having them on the list? Of course, it is still available on the archive.

Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (only includes breaches of 500 people or more). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis of the data. Here’s a look at the data the tool provides:

The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).

I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.

Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. Looks like HHS collects it when someone files a breach. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of actions taken by those that were breached.

What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.