For 12 consecutive years, healthcare has led all other industries in the sheer number of data breaches experienced by its members, including healthcare providers, business associates, and health insurers. And while these breaches are frequent, embarrassing, and expensive, healthcare industry members have the power today to reduce cyberattacks and the data breaches that often result. There are five high-value security best practices healthcare providers and business associates can implement today, and three compelling reasons why.
According to the latest Cost of a Data Breach Report published by IBM Security, in 2022 the average cost of a healthcare data breach exceeded $10 million, up from $9.2 million in 2021.
Those costs add up fast when you realize they include expenses such as victim notifications, system recovery actions, network downtime, operational downtime, reputational damage, rebranding costs, lost business, ransom payments, civil and legal financial settlements, and penalties imposed by the HHS Office for Civil Rights (OCR), which is charged with enforcing HIPAA regulations including the Security Rule, Privacy Rule, and Breach Notification Rule.
Seven years after Banner Health suffered a hack that disclosed the electronic protected health information (ePHI) of more than 2.8 million individuals, the Phoenix-based non-profit health system paid $1,250,000 to the OCR and is implementing a mandatory corrective action plan to resolve their violations in order to protect the security of ePHI going forward. It’s one example of dozens of reported HIPAA violations and settlements each year.
A suspected ransomware attack brought Tallahassee Memorial Healthcare to its knees the night of Thursday, February 2, 2023. Within days of the attack, the Jacksonville office of the Federal Bureau of Investigation was engaged to aid in the investigation. For nearly two weeks after, the hospital was forced to rely on paper documentation as its systems remained offline. It was finally brought back online in a controlled fashion on February 15, 2023. The results of the OCR investigation will probably not be known for several years.
Ransomware was also responsible for the data breach at Lehigh Valley Health Network in February 2023. In October 2022, a ransomware attack caused a month-long network outage at CommonSpirit Health that had cost the provider $150 million as of March 2023.
All healthcare organizations that suffer data breaches must report details to the HHS Office for Civil Rights. The HIPAA Breach Notification Rule includes the following basic requirements:
Failure to adhere to these requirements after a data breach will incur consequences with the OCR, including contributing to higher penalties.
The HIPAA Journal has tracked breaches affecting 500 or more individuals, as reported to the OCR, since 2009. With few exceptions, the number of reported breaches has risen steadily each year, as the chart illustrates (through May 2023).
Of the 315 security incidents reported in the first half of 2023, the majority were attributed to healthcare providers (60%). Business associates had primary responsibility for 82 incidents (26% of the 315) but were also involved in another 35 incidents. By comparison, health plans were responsible for just 14% of the reported breaches. Clearly, healthcare providers and their business associates have abundant opportunities to strengthen and extend their cybersecurity measures and achieve more robust HIPAA compliance. Five proven security best practices make it easy.
Medical devices and hospital equipment can be expensive to procure, and the return on investment can take years. Too frequently, they lack adequate security safeguards—despite the fact that most of those developed in the past decade are intelligent devices with built-in computers and internet connectivity. This renders them vulnerable to hacking, ransomware attacks, and other criminal exploitation, which causes serious concerns for hospital executives.
A recent survey by the Ponemon Institute offers several insights from healthcare executives:
In recognition of the widespread vulnerability of internet-connected medical devices and legacy devices, in 2023 the Food and Drug Administration was granted the authority to require that cybersecurity protections be built into new medical devices from inception, making them more effective at protecting patient safety and data security.
Section 3305 of the Consolidated Appropriations Act 2023, titled Ensuring Cybersecurity of Medical Devices, updated the federal Food, Drug & Cosmetic Act by adding a new Section, 524B, on Ensuring Cybersecurity of Devices. The new cybersecurity requirements govern all applications for approval of medical devices submitted to the Food and Drug Administration after March 29, 2023.
Among the specifics of Section 524B, new medical devices must come with a bill of materials listing their software components and, like any computer software, must be able to accept security patches and software updates. The new requirements will ultimately result in intelligent, computer-driven medical devices being treated as the computers they are, with all appropriate security safeguards.
Dovetailing with this new requirement, the 10-year-old Medical Device Reporting regulation (21 CFR Part 803) requires manufacturers, importers, and device user facilities to report certain device-related adverse events and product problems to the FDA, including prompt identification, timely investigation, reporting, documentation, and filing of information on device-related deaths, serious injuries, and malfunctions.
Between the new and existing regulations, the FDA is now well-equipped to enforce cybersecurity requirements for new medical devices going forward.
2023 marks the 20th celebration of Cybersecurity Awareness Month, a collaboration between the U.S. government and private industry to raise awareness about user cybersecurity behavior and the importance of online security.
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance partner to provide useful resources and communications that make it easier for organizations to advise their employees, patients, and customers about responsible cybersecurity.
Numerous expert sources in cybersecurity and compliance have identified a specific set of five proven security best practices that can have an enormous and immediate impact on your online security and the protection of patient ePHI.
Most of these measures are mandated by the HIPAA Security Rule, but all of them constitute accepted security best practices for reducing cyberattacks on your organization and the costly data breaches that result. To save time and expense, many healthcare organizations outsource their HIPAA-required risk assessments and cybersecurity awareness training to professional cybersecurity and compliance firms.
In 2022 the average cost of a healthcare data breach exceeded $10 million, up from $9.2 million the previous year. These expenses include victim notifications, system recovery actions, network downtime, operational downtime, reputational damage, rebranding costs, lost business, ransom payments, civil and legal financial settlements, and penalties and mandatory corrective actions imposed by the HHS Office for Civil Rights.
Healthcare providers and business associates continue to experience the greatest number of security incidents in the industry and have the greatest opportunities to address security vulnerabilities, including those associated with account logins and software updates, phishing schemes, and intelligent internet-connected medical devices. Today, five high-value security best practices can be readily adopted by members of the healthcare industry to meet the dual cybersecurity and compliance requirements of HIPAA and substantially reduce risk for their patients and patient data. And with three compelling reasons to do so, why would you wait?