Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

A HIPAA Life Sentence… and SO Many Lessons

Posted on November 15, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

In 2012 Accretive Health Care was banned from doing business in Minnesota for 2 – 6 years for a HIPAA violation.

In 2018 New York State suspended a nurse’s license for a year for a HIPAA violation.

But, a life sentence?

The New Jersey Attorney General announced a $ 200,000 HIPAA and consumer fraud penalty against an out-of-business Georgia medical transcription company. In 2016 ATA Consulting LLC d/b/a Best Medical Transcription breached the medical records of over 1,650 people treated by three New Jersey healthcare providers by publicly exposing their medical records to the Internet. And, their customer, Virtua Health, paid a $ 418,000 settlement for violations of both HIPAA and the New Jersey Consumer Fraud Act.

Tushar Mathur, owner of Best Medical Transcription, agreed to a permanent ban on managing or owning a business in New Jersey.

Wow.

A life sentence for a HIPAA violation.

And the medical clinic paying a $ 418,000 penalty for the actions of its vendor.

By a state, not the federal government.

What can you learn from this?

1. It’s shocking to see how many servers have been misconfigured, or protected data being stored on web servers, exposing patient records to the Internet. These HIPAA penalties were all for exposing patient records through the Internet:

LESSONS –

  • Have your servers installed by a certified professional using a detailed checklist to ensure that no data is exposed to the Internet.
  • Make sure your organization has enough data breach insurance to cover millions of dollars in penalties; that you live up to all the requirements of your policy; and that you consistently implement the security controls you said you have in place on your insurance application.
  • Make sure your outsourced IT provider has enough Errors & Omissions insurance to cover your penalties

2. Many doctors and business owners tell me that “the federal government will never get them” or that they are “too small to be of interest” to federal regulators.

LESSONS –

  • Regulators go after small businesses, which doesn’t always make headlines. The Federal Trade Commission forced a 20-employee medical lab to go out of business. The business owner fought the FTC and ultimately won in court, but his business was gone.
  • Don’t ignore your risk that your state Attorney General (who probably wants to be governor) wants by getting headlines about protecting consumers. The HITECH Act (2009) gave state Attorneys General the authority to enforce HIPAA. Violations also can be tied to consumer protection laws, not just HIPAA.
  • Lawyers are representing patients whose information was released without authorization. Patients have successfully sued doctors for HIPAA violations.
  • Doctors shouldn’t laugh off HIPAA or just complain (INCORRECTLY) that it interferes with patient care. A doctor went to jail for a HIPAA violation.

3. HIPAA is only one regulation with which you must comply.

LESSONS –

  • Don’t think that a ‘We Make HIPAA Easy’ web-based solution is enough to protect your assets from all your regulatory challenges.
  • Don’t think that a self-conducted Security Risk Analysis is a substitute for a professionally-designed HIPAA compliance program that will meet all the federal and state requirements you must follow.
  • Don’t think that an IT Security company doing a vulnerability or penetration test is a substitute for a HIPAA Security Risk Analysis or a robust compliance program.
  • Every state now has data breach laws the state Attorneys General love to enforce. These consumer protection laws protect Personally Identifiable Information (PII) held by medical practices. State laws have different requirements than HIPAA. For example, HIPAA requires that patients be notified no later than 60 days after a data breach. California requires just 15 days.
  • Because of the opioid crisis, many types of medical practices are now offering substance abuse treatment, which requires additional confidentiality measures. So do HIV, mental health, and STD treatments. You need to address all the regulations that apply to you.

4. Don’t blindly trust your vendors.

LESSONS –

  • Signing a Business Associate Agreement (BAA) isn’t evidence that your vendor really complies with HIPAA. According to the NJ Attorney General, Best Transcription signed a BAA with Virtua Health but:
  • Failed to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held;
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule;
  • Failed to implement policies and procedures to protect ePHI from improper alteration or destruction;
  • Failed to notify VMG of the breach of unsecured PHI; and
  • Improperly used and/or disclosed ePHI in contravention of its obligations under its Business Associate Agreement with VMG.

Make sure your vendors understand their HIPAA obligations. Even after five years, my experience is that many Business Associates have failed to keep up with the changes required by the 2013 HIPAA Omnibus Final Rule. Many talk about HIPAA in their sales and marketing but do not comply.

Remember that you are responsible for the actions of your vendors.

WHEN YOU ARE LYING AWAKE TONIGHT, ASK YOURSELF:

  • Are you really sure you can survive an investigation by your state attorney general?
  • Are you really sure your Business Associate vendors have conducted a HIPAA risk analysis; have implemented HIPAA security measures; have implemented HIPAA policies and procedures, are really protecting your PHI, and will notify you if there is a breach?
  • Are you willing to bet $ 418,000 (what Virtua paid) on it?
  • If you are a Business Associate, what do you think it will feel like if you are banned for life from doing business?

Doctors send patients to specialists all the time. Whether you are a medical provider or a vendor, do you have the trained and certified specialists you need that can help with all your regulatory challenges? Does your team need expert help to validate what is you and your vendors are doing and help you address any gaps?

Don’t risk your assets. Don’t risk a life sentence.

 

 

Number Of Health Data Breaches Grew Steadily Over Last Several Years

Posted on October 5, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has found that while the number of patient records exposed per breach has varied widely, the number of health data breaches reported grew substantially between 2010 and 2017.

The study, which was conducted by researchers with Massachusetts General Hospital, was published in JAMA. Its aim was to look at the changes in data breach patterns as EHRs have come into wider use.

The authors analyzed 2,149 reported breaches over the previous seven years. The number of records breached for incident varied from 500 to almost 79 million patient records.

Researchers behind the study put breaches reported in three categories: those taking place at healthcare provider sites, within health plans, and at business associate locations.

One thing that stuck out from among the data points was that over that seven-year period, the number of breaches increased from 199 the first year to 344 in 2017. During that period, the only year that did not see an increase in incident volume was 2015.

Another notable if unsurprising conclusion drawn by the researchers was that while 70% of all breaches took place within provider organizations, incidents involving health plans accounted for 63% of all breached records.

Overall, the greatest number of patient records breached was due to compromised network servers or email messages. However, the top reasons for breaches have varied from year-to-year, the analysis found.

For example, the most common type of breach reported in 2010 was theft of physical records. The most commonly breached type of media that year was laptop computer data storage, followed by paper and film records.

Meanwhile, by 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. In addition, a large number of breaches could be attributed to compromised network servers or email messages.

The number of patient records exposed differed depending on what media was breached. For example, while the total of 510 breaches of paper and film records impact about 3.4 million patient records, 410 breaches of network servers affected nearly 140 million records.

HIPAA Breach Investigations – What You Should Know

Posted on September 5, 2018 I Written By

The following is a guest blog post by Moazzam Adnan Raja, Vice President of Marketing at Atlantic.Net.

Correctly handling a HIPAA breach recovery will benefit from a well-prepared and systematic approach. Investigation is one of a few key elements to consider, alongside speed, notification, and risk assessment. The specific issue of time deserves closer examination, as does the incorporation of risk management and auditing processes.

4 pillars of HIPAA breach response

Here are four key elements or pillars of a strong HIPAA breach response, a framework provided by Brach Eichler healthcare attorney Lani M. Dornfeld, that can be helpful in guiding your own response, as well as setting expectations with your healthcare hosts and other business associates:

Speed – Moving rapidly in response to a breach is fundamental to limiting the damage. Put together an investigation and response team, which should include the HIPAA security officer and HIPAA privacy officer, along with an attorney as necessary. You may want to standardly include your attorneys, along with members of a HIPAA compliance committee, if your organization is larger and requires more sophisticated oversight. The board of trustees and board of directors could also be included.

Investigation – The way that an investigation is conducted will depend heavily on the nature and scope of the breach. There is, of course, the issue of responsibility to patients but also liability to the organization. For the latter, Dornfeld noted, “If cloaking the investigation in the attorney-client privilege will be to your strategic advantage, then you will need to be counseled about how to manage the flow of information to maintain the privilege.” Breaches often occur because of internal errors by your staff, such as disclosure without proper authorization (e.g., telling a friend confidential patient information) or accidental disclosure to the incorrect party (e.g., sending a letter to the wrong address). Incredibly, insiders are responsible for more than half (58%) of healthcare breaches impacting electronic protected health information (ePHI), per a study released in March by Verizon. When breaches occur due to the insider threat, at the minimum, you want to conduct private interviews with relevant parties, with another person there to assist in asking questions and determining perceived honesty. Beyond what you are able to glean from interviews, it will also help to get any supporting evidence – which may include copies of social media posts, letters, or emails, as well as information from the data system. (Related to investigation, see the discussion of time below.)

Notification – Letting all pertinent parties know about healthcare data breaches is critical. Notification should occur quickly and always within 60 days of breach discovery (unless advised by law enforcement that notification would problematize its own investigations), per the Breach Notification Rule. When you notify patients or others that ePHI has been exposed, your communications should be clearly worded. They should mention the specific data involved (such as lab results or Social Security numbers) and the steps the company is taking toward investigation and mitigation. It should also let the patient know what protective steps they can personally take, along with how to get further details or ask questions.

Risk assessment – After the investigation is finished, you and the legal team can use the insight from it, along with whatever you have already done toward mitigation, to conduct a HIPAA-compliant risk assessment. The risk analysis parameters from the HHS explain that a full assessment should be conducted related to any threats to the availability, integrity, and confidentiality of health data. The HHS notes that the risk analysis is an important basis of information since it can be used to guide what is considered a “reasonable and appropriate” step (the determining factor for a HIPAA-compliant approach). While HIPAA is flexible on many parameters, it mandates that risk assessments be performed routinely (related to all ePHI systems) when contracting with new business associates (related to that specific information), and when security incidents occur (related to that specific information). Any access to ePHI that is disallowed by the Privacy Rule’s subpart E must be disallowed. Any time at which health data is accessed or used in a way that is noncompliant with those guidelines will be assumed breaches – except if your risk assessment can show that there is, in fact, low likelihood of a compromise. (Related to risk assessment, see the section on risk management and audits below.)

The specific issue of time

Time should be central to investigations, as indicated by Mayer Brown healthcare attorney Laura Hammargren. There is disagreement over whether the moment of discovery of a breach should be considered the moment when you reveal a potential breach or the moment when you have finished assessing the situation and understand what occurred.

While there may still be some debate related to discovery, the law is clear at least on the parameter of 24 hours. Discovery of a breach of ePHI occurs “as of the first day on which the breach is known to the organization, or, if exercising reasonable diligence would have been known to the organization,” noted Dornfeld.

Security events are common in which it is unclear if data was compromised or not. It can take a significant amount of time to confirm whether a breach occurred, and exactly how it might have occurred. Some means of assault are incredibly complex. Attackers may make it extraordinarily challenging to track their moves – in which case it can be a painstaking task to find out the data that they possibly accessed and removed.

Another concern of a HIPAA breach investigation is figuring out the length of time the intruder had access, which can have a huge influence on the breadth of the breach.

Risk management & audits

The risk assessment is part of the larger picture of risk management. When you are approaching a healthcare data breach investigation, you will benefit from comprehensive risk management and auditing processes. Through these safeguards, you will be much readier to send out notifications promptly, as well as to give clear information to police and other law enforcement officials.

Risk management is simplified when you have strong business associate agreements (BAAs), through which your standards can extend to third parties. By working with established, next-generation, HIPAA compliant cloud storage provider, you will have peace-of-mind that risks are properly controlled, backed by third-party certifications and audits.

Atlantic.Net is a proud sponsor of EMRandHIPAA.com. Atlantic.Net provides HIPAA compliant hosting, backed by 100% uptime guarantee.

About Moazzam Adnan Raja
Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.

More Than 3 Million Patient Records Breached During Q2 2018

Posted on August 15, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study by data security vendor Protenus has concluded that more than 3 million patient records were breached during the second quarter of 2018, in a sharp swing upward from the previous quarter with no obvious explanation.

The Protenus Breach Barometer study, which drew on both reports to HHS and media disclosures, found that there were 143 data breach incidents between April and June 2018, affecting 3,143,642 million patient records. The number of affected records has almost tripled from Q1 of this year, when 1.13 million records were breached.

During this quarter, roughly 30% of privacy violations were by healthcare organizations that had previously reported a data breach. The report suggests that it is because they might not have identified existing threats or improved security training for employees either. (It could also be because cyberattackers smell blood in the water.)

Protenus concluded that among hospital teams, an investigator monitors around 4,000 EHR users, and that each was responsible for an average of 2.5 hospitals and 25 cases each. The average case took about 11 days to resolve, which sounds reasonable until you consider how much can happen while systems remain exposed.

With investigators being stretched so thin, not only external attackers but also internal threats become harder to manage. The research found that on average, 9.21 per 1,000 healthcare employees breached patient privacy during the second quarter of this year. This is up from 5.08 employee threats found during Q1 of this year, which the study attributes to better detection methods rather than an increase in events.

All told, Protenus said, insiders were responsible for 31% of the total number of reported breaches for this period. Among incidents where details were disclosed, 422,180 records were breached, or 13.4% of total breached patient records during Q2 2018. The top cause of data breaches was hacking, which accounted for 36.62% of disclosed incidents. A total of 16.2% of incidents involved loss or theft of data, with another 16.2% due to unknown causes.

In tackling insider events, the study sorted such incidents into two groups, “insider error” or “insider wrongdoing.” Its definition for insider error included incidents which had no malicious intent or could otherwise be qualified as human error, while it described the theft of information, snooping in patient files and other cases where employees knowingly violated the law as insider wrongdoing.

Protenus found 25 publicly-disclosed incidents of insider error between April and June 2018. The 14 of which for which details were disclosed affected 343,036 patient records.

Meanwhile, the researchers found 18 incidents involving insider wrongdoing, with 13 events for which data was disclosed. The number of patient records breached as a result of insider wrongdoing climbed substantially over the past two quarters, from 4,597 during Q1 to 70,562 during Q2 of 2018.

As in the first quarter, the largest category of insider-related breaches (71.4%) between April and June 2018 was healthcare employees taking a look at family members’ health records. Other insider wrongdoing incidents including phishing attacks, insider credential sharing, downloading records for sale and identity theft.

Are You Investing Enough in IT Security?

Posted on July 20, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Would you put a $ 10 fence around a $ 100 horse?

Does it make sense to put a $ 100 fence around a $ 10 horse?

For the right security, you need to know what your horse is worth.

The same concepts apply to protecting your data. What is your data worth?

Ask Cottage Health , which had two data breaches, totaling 55,000 records., and settled a $ 4.1 million lawsuit with patients, then paid a $ 2 million California penalty. They were sued by their insurer, which wanted the $ 4.1 million settlement money back, after it discovered Cottage Health had not consistently implemented the security controls it claimed on its insurance application. The $ 6.1 million in the settlement and penalty does not include its costs for legal fees, credit monitoring, notifying patients, public relations, or recovering the business lost from patients who moved to another provider.

One of our clients was audited for HIPAA compliance by the venture capital firm that wanted to invest in their company. Another client had us do a compliance assessment on a healthcare company they wanted to purchase. In both cases, HIPAA compliance was worth millions of dollars.

We asked a client how much the financial impact would be on their business if they lost the sensitive personal data they collected about business partners, and had to notify everyone. The owner said they would be out of business, costing millions of dollars.

Breaches result in lawsuits, with settlements in the millions. If you are a licensed or certified professional, you can lose your license or certification if you are breached.

Federal HIPAA penalties in 2014 – 2015 were $ 14 million. In 2016 – 2017 they tripled to $ 42 million. In 2018, they have already reached $ 7.9 million.

Data is worth more than gold.

Instead of words and images in a computer, think of your data as a pile of gold bars that is worth protecting.

When we work with our clients, we help you identify the types of data you have, where it is located, and how it is protected. We recently worked with a client that came to us for help protecting their patient information. They were shocked when we showed them that they had bigger risks related to the data they stored about workforce members, and job applicants they did not hire, than the people they served.

  • What data do you have that is regulated, that you must protect to comply with laws and other regulations?
  • What fines and lawsuit judgments might you face if your data is breached?
  • Beyond HIPAA that protects patient information, do you know your state data breach laws that apply to employee data?
  • Do you know the regulations that protect credit card data?
  • Do you have enough of the right type of insurance to protect your finances if you are breached?

Everyone has unregulated data that is sensitive or proprietary, that could hurt your business if it is lost, stolen, or accessed by a competitor or someone who wants to hurt you? Salaries, trade secrets, employment records, pricing models, merger and acquisition plans, lawsuit files, have all been stolen.

As part of our assessments, we search the Dark Web (the criminal side of the Internet) to see if our clients have employee passwords for sale by hackers. Over 90% have had at least one employee’s credentials stolen and offered for sale.

Most of our clients start out not knowing the value of their risks. They hadn’t approved IT security purchases, because the costs were high, and they didn’t know if security was worth the investment.

So, how much should you invest in protecting your data?

The recently-released 2018 Cost of a Data Breach report shows, through research of actual breaches, that in 2017 the average cost to a breached organization for a single lost healthcare record was $408. Across all industries the cost was $ 233 per record. Only a third of the cost was for the direct response to the breach – notifying patients, hiring lawyers and IT security experts, and paying for credit monitoring. Two-thirds of the $ 408/record was the financial effect on the healthcare organizations, by losing patients after violating their trust.

Here is a calculation you can use to estimate the value of protecting your patient data.

Number of Patient Records x $ 408 (cost per record of a breach) = $ ________________ in risk.

Example: 25,000 records x $ 408 = $ 10.2 million. (If this number startles you, imagine if your costs were only 25% of the total, which is still $ 2.5 million.)

Other ways to put a dollar value on your risk

  • How much would a breach affect the market value of your business?
  • How much investment capital do you need for expansion?
  • Personally, what will your retirement look like if you had to pay $ 1 million, $ 2 million, or more, to cover the costs of a breach?
  • What would your life be like if you went out of business?

Know the value of your cyber security risk. Do the math.

Ask your IT department, or an outsourced independent IT security consultant, to assess your risks, and recommend what you need to be fully protected. Our assessments calculate your risks based on dollars, and provide ‘under the skin’ data about the current status of your security. Don’t settle for guesses.

Base your security investment on the value of your risks, not just the general idea that your data needs to be protected.

And, if you own a $ 100 horse, upgrade your $ 10 fence.

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Exec Tells Congress That New Health Data Threats Are Emerging

Posted on June 20, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A senior security executive with a major academic health system has told Congress that in addition to attacks by random attackers, healthcare organizations are facing new threats which are changing the health security landscape.

Erik Decker, chief security and privacy officer with the University of Chicago Medicine, testified on behalf of the Association for Executives in Healthcare Information Security in mid-June. He made his comments in support of the reauthorization of the Pandemic and All-Hazards Preparedness Act, whose purpose is to improve the U.S. public health and medical preparedness for emergencies.

In his testimony, Decker laid out how the nature of provider and public health preparedness has changed as digital health technology has become the backbone of the industry.

He described how healthcare information use has evolved, explaining to legislators how the digitization of healthcare has created a “hyper-connected” environment in which systems such as EHRs, revenue cycle platforms, imaging and ERP software are linked to specialty applications, the cloud and connected medical devices.

He also told them about the increasing need for healthcare organizations to share data smoothly, and the impact this has had on the healthcare data infrastructure. “There is increasing reliance on these data being available, and confidential, to support these nuanced clinical workflows,” he said. “With the adoption of this technology, the technical ecosystem has exploded in complexity.”

While the emergence of these complex digital health offers many advantages, it has led to a growth in the number and type of cybersecurity problems providers face, Decker noted. New threats he identified include:

* The development of underground markets and exchanges of sensitive information and services such as Hacking-as-a Service
* The emergence of sophisticated hacking groups deploying ransomware
* New cyberattacks by terrorist organizations
* Efforts by nation states to steal intellectual property to create national economic advantages

This led to the key point of his testimony: “We can no longer think of preparedness relative only to natural disasters or pandemics,” Decker said. “It’s imperative that we acknowledge the criticality of cybersecurity threats levied against the nation’s healthcare system.”

To address such problems, Decker suggests, healthcare organizations will need help from the federal government. For example, he pointed out, HHS efforts made a big difference when it jumped in quickly and worked closely with healthcare leaders responding to WannaCry attacks in mid-2017.

Meanwhile, to encourage the healthcare industry to adopt strong cybersecurity practices, it’s important to offer providers some incentives, including a financial subsidy or safe harbors from enforcement actions, he argued.

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from more than 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives that bought cybersecurity solutions between 2016 and 2018 said they did so blindly without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions because they don’t have anyone senior to consult – and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on the family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again in three months’ time. Worse, there’s a greater than 54% chance they will do so again in a years’ time. That’s a pretty nasty form of compounding risk.

Not only that, do healthcare institutions catch breaches right away? According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place in last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records to find imaging medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)