Healthcare Data Breaches are Costly and Embarrassing, but Providers Have the Power to Reduce the Impact Substantially
For 12 consecutive years, healthcare has led all other industries in the sheer number of data breaches experienced by its members, including healthcare providers, business associates, and health insurers. And while these breaches are frequent, embarrassing, and expensive, healthcare industry members have the power today to reduce cyberattacks and the data breaches that often result. There are five high-value security best practices healthcare providers and business associates can implement today, and three compelling reasons why.
Reason 1: The High Cost of Healthcare Data Breaches
According to the latest Cost of a Data Breach Report published by IBM Security, in 2022 the average cost of a healthcare data breach exceeded $10 million, up from $9.2 million in 2021.
Those costs add up fast when you realize they include expenses such as victim notifications, system recovery actions, network downtime, operational downtime, reputational damage, rebranding costs, lost business, ransom payments, civil and legal financial settlements, and penalties imposed by the HHS Office for Civil Rights (OCR), which is charged with enforcing HIPAA regulations including the Security Rule, Privacy Rule, and Breach Notification Rule.
Seven years after Banner Health suffered a hack that disclosed the electronic protected health information (ePHI) of more than 2.8 million individuals, the Phoenix-based non-profit health system paid $1,250,000 to the OCR and is implementing a mandatory corrective action plan to resolve their violations in order to protect the security of ePHI going forward. It’s one example of dozens of reported HIPAA violations and settlements each year.
A suspected ransomware attack brought Tallahassee Memorial Healthcare to its knees the night of Thursday, February 2, 2023. Within days of the attack, the Jacksonville office of the Federal Bureau of Investigation was engaged to aid in the investigation. For nearly two weeks after, the hospital was forced to rely on paper documentation as its systems remained offline. It was finally brought back online in a controlled fashion on February 15, 2023. The results of the OCR investigation will probably not be known for several years.
Ransomware was also responsible for the data breach at Lehigh Valley Health Network in February 2023. In October 2022, a ransomware attack caused a month-long network outage at CommonSpirit Health that had cost the provider $150 million as of March 2023.
Reason 2: HIPAA Requires All Data Breaches to be Reported
All healthcare organizations that suffer data breaches must report details to the HHS Office for Civil Rights. The HIPAA Breach Notification Rule includes the following basic requirements:
- If an organization experiences a data breach that potentially exposes or compromises unsecured (i.e., unencrypted) ePHI, all affected individuals must be notified as soon as possible.
- If the breach affects 500 or more individuals, the HHS OCR must be notified within 60 days of the breach discovery.
- Breaches affecting fewer than 500 individuals can be reported to HHS within the year in which they occur.
Failure to adhere to these requirements after a data breach will incur consequences from the OCR, including higher penalties.
Healthcare Data Breaches Affecting 500 or More Individuals
The HIPAA Journal has tracked breaches affecting 500 or more individuals, as reported to the OCR, since 2009. With few exceptions, the number of reported breaches has risen steadily each year, as the chart illustrates (through May 2023).
Between January 1 and June 30, 2023, 315 security incidents were reported to the OCR. More than three-quarters (76%) cited hacking as the cause of the breach. Other causes reported were improper disposal, theft, and unauthorized disclosure.
Of the 315 security incidents reported in the first half of 2023, the majority were attributed to healthcare providers (60%). Business associates had primary responsibility for 82 incidents (26% of the 315) but were also involved in another 35 incidents. By comparison, health plans were responsible for just 14% of the reported breaches. Clearly, healthcare providers and their business associates have abundant opportunities to strengthen and extend their cybersecurity measures and achieve more robust HIPAA compliance. Five proven security best practices make it easy.
Reason 3: Poorly Secured Medical Devices Pose Serious Threats
Medical devices and hospital equipment can be expensive to procure, and the return on investment can take years. Too frequently, they lack adequate security safeguards—despite the fact that most of those developed in the past decade are intelligent devices with built-in computers and internet connectivity. This renders them vulnerable to hacking, ransomware attacks, and other criminal exploitation, which causes serious concerns for hospital executives.
A recent survey by the Ponemon Institute offers several insights from healthcare executives:
- Two-thirds of healthcare executives (67%) agree or strongly agree that internet connectivity presents a very real threat to patient data and security.
- Nearly that number (64%) cited insecure medical devices as the threats they were most concerned about. This is not surprising given that most hospitals and larger healthcare organizations maintain 26,000 connected devices.
- Virtually the same number (63%) see vulnerabilities in legacy systems as the primary threats to patient data and security. Typically, legacy systems are older and may be unsupported by security patches and other updates, even though many are intelligent and/or connected to the internet.
FDA Now Empowered to Enforce Security of Medical Devices
In recognition of the widespread vulnerability of internet-connected medical devices and legacy devices, the Food and Drug Administration in 2023 was granted the power to ensure that cybersecurity protections are built into new medical devices from inception to render them more effective in protecting patient safety and data security.
Section 3305 of the Consolidated Appropriations Act 2023, titled Ensuring Cybersecurity of Medical Devices, updated the federal Food, Drug & Cosmetic Act by adding a new Section, 524B, on Ensuring Cybersecurity of Devices. The new cybersecurity requirements govern all applications for approval of medical devices submitted to the Food and Drug Administration after March 29, 2023.
Among the specifics of Section 524B, new medical devices must come with a bill of materials for the software components which, like any computer software, must be able to accept security patches and software updates. The new requirements will ultimately result in intelligent, computer-driven medical devices being treated as such, with all appropriate security safeguards.
Dovetailing with this new requirement, the 10-year-old Medical Device Reporting regulation (21 CFR Part 803) imposes mandatory requirements for manufacturers, importers, and device user facilities to report certain device-related adverse events and product problems to the FDA, including prompt identification, timely investigation, reporting, documentation, and filing of device-related death, serious injury, and malfunction information.
Between the new and existing regulations, the FDA is now well-equipped to enforce cybersecurity requirements for new medical devices going forward.
Five High-Value Security Measures Hospitals Can Implement Today
2023 marks the 20th celebration of Cybersecurity Awareness Month, a collaboration between the U.S. government and private industry to raise awareness about user cybersecurity behavior and the importance of online security.
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance partner to provide useful resources and communications that make it easier for organizations to advise their employees, patients, and customers about responsible cybersecurity.
Numerous expert sources in cybersecurity and compliance have identified a specific set of five proven security best practices that can have an enormous and immediate impact on your online security and the protection of patient ePHI.
- Passwords. Require employees to use strong and separate passwords for all accounts, force password changes every 90 days, terminate passwords when employees leave the organization, and require the use of a company-provided password management tool to maintain passwords and keep them secure.
- MFA. Enforce multifactor authentication for employee sign-on to organization accounts, and encourage MFA use in logging into external accounts. Multifactor authentication provides an important additional level of security for online accounts, websites, and other digital platforms.
- Phishing. Recognize and report phishing scams, which often lead to ransomware exploits that can freeze company data and cost the organization hundreds of thousands of dollars. Because phishing schemes are always evolving, target different employee and management levels, and can be conducted by phone or email, thorough and regular employee training is absolutely essential.
- Software. Keep all device software current by installing updates when vendors provide them, and enable vendor auto-updates where they are available. Software updates for hospital equipment and digital devices frequently include security fixes, which is why this practice is so important.
- Risk Assessments. Conduct regular security risk assessments throughout your organization to identify vulnerabilities, prioritize them, and develop plans to resolve them effectively within a reasonable period of time. Risk assessments are foundational to the effective security of protected health information, according to the OCR.
Most of these measures are mandated by the HIPAA Security Rule, but all of them constitute accepted security best practices for reducing cyberattacks on your organization and the costly data breaches that result. To save time and expense, many healthcare organizations outsource their HIPAA-required risk assessments and cybersecurity awareness training to professional cybersecurity and compliance firms.
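The password, MFA, and software items above are controls that a provider can verify rather than merely state, and an audit that runs on a schedule is how most organizations turn them into evidence for a risk assessment. The script below is an added example, not code from the article or from any of the organizations it names: it checks a constructed inventory of accounts and devices for the conditions the list calls out (passwords older than the article's 90-day rotation interval, accounts still active after the employee has left, accounts without MFA, and devices running behind the vendor's current release). The inventory layout, field names, account names, and version numbers are all assumptions made for the example.

```python
"""Account and device hygiene audit for the five practices listed above.

Added example (not from the article). The inventory format, the field
names and the sample records are constructed for illustration; a real
deployment would read them from the directory service and the device
management system instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PASSWORD_MAX_AGE_DAYS = 90  # rotation interval named in the article

Finding = Tuple[str, str, str]  # (subject, check name, detail)


@dataclass
class Account:
    user: str
    password_set: date              # date the current password was set
    mfa_enrolled: bool
    active: bool
    separated: Optional[date] = None  # date the employee left, if any


@dataclass
class Device:
    name: str
    installed: str       # installed firmware/software version
    vendor_current: str  # latest version the vendor offers
    auto_update: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.

    Comparing version strings directly would rank '1.9.7' above '1.10.0'.
    """
    return tuple(int(part) for part in v.split("."))


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Flag stale passwords, missing MFA, and accounts of departed staff."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.active:
            continue  # disabled accounts are already handled
        age = (today - a.password_set).days
        if age > PASSWORD_MAX_AGE_DAYS:
            findings.append((a.user, "password-stale", f"{age} days old"))
        if not a.mfa_enrolled:
            findings.append((a.user, "mfa-missing", "no second factor enrolled"))
        if a.separated is not None and a.separated <= today:
            findings.append((a.user, "orphaned-account",
                             f"employee left {a.separated.isoformat()} but account still active"))
    return findings


def audit_devices(devices: List[Device]) -> List[Finding]:
    """Flag devices behind the vendor release or with auto-update disabled."""
    findings: List[Finding] = []
    for d in devices:
        if parse_version(d.installed) < parse_version(d.vendor_current):
            findings.append((d.name, "software-outdated",
                             f"{d.installed} installed, vendor ships {d.vendor_current}"))
        if not d.auto_update:
            findings.append((d.name, "auto-update-off", "vendor updates must be applied manually"))
    return findings


# Constructed sample inventory (not real accounts or devices).
AUDIT_DATE = date(2023, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("rn.alvarez", date(2023, 8, 15), True, True),
    Account("dr.chen", date(2023, 5, 1), True, True),          # password older than 90 days
    Account("it.contractor", date(2023, 9, 20), False, True,
            separated=date(2023, 9, 22)),                       # left, still active, no MFA
    Account("old.vendor", date(2022, 1, 1), False, False),     # already disabled: skipped
]
SAMPLE_DEVICES = [
    Device("infusion-pump-12", "2.4.0", "2.4.0", True),
    Device("imaging-ws-03", "1.9.7", "1.10.0", False),        # behind release, manual updates
]


def run_audit(accounts=SAMPLE_ACCOUNTS, devices=SAMPLE_DEVICES, today=AUDIT_DATE) -> List[Finding]:
    return audit_accounts(accounts, today) + audit_devices(devices)


if __name__ == "__main__":
    for subject, check, detail in run_audit():
        print(f"{check:18} {subject:18} {detail}")
```

Run as written, the audit produces five findings on the sample data: one stale password, two findings for the departed contractor's account, and two for the imaging workstation. The findings are returned as plain tuples so they can be written into the risk register the final practice calls for, and the version comparison is numeric rather than string-based, a detail that matters when a vendor moves from a 1.9.x line to 1.10.0.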
Summary
In 2022 the average cost of a healthcare data breach exceeded $10 million, up from $9.2 million the previous year. These expenses include victim notifications, system recovery actions, network downtime, operational downtime, reputational damage, rebranding costs, lost business, ransom payments, civil and legal financial settlements, and penalties and mandatory corrective actions imposed by the HHS Office for Civil Rights.
Healthcare providers and business associates continue to experience the greatest number of security incidents in the industry and have the greatest opportunities to address security vulnerabilities, including those associated with account logins and software updates, phishing schemes, and intelligent internet-connected medical devices. Today, five high-value security best practices can be readily adopted by members of the healthcare industry to meet the dual cybersecurity and compliance requirements of HIPAA and substantially reduce risk for their patients and patient data. And with three compelling reasons to do so, why would you wait?