In the first six months of 2022, hospitals across the U.S. reported 57 data breaches to the HHS Office for Civil Rights. Almost 80% of the hospital data breaches (45) were hacking incidents or breaches related to poor information technology. Two of the breaches compromised more than 2.5 million individuals’ records. The OCR investigations are not likely to be gentle, nor the penalties small.
Too many hospitals continue to roll the dice with their patients’ protected health information (PHI). This high-risk strategy is a ticking time bomb and it’s difficult to understand—especially since the cost of operating an effective, HIPAA-compliant security program is typically far less than the costs that result from a data breach. As an example, the average cost of a data breach in 2020 was $7.1 million. (And this is before inflation.)
Failures in Hospital HIPAA Compliance
The Director of the HHS Office for Civil Rights (OCR), Lisa J. Pino, is pushing for stronger cybersecurity and compliance in the healthcare industry, starting now. The OCR is responsible for HIPAA enforcement, and for that reason actively conducts compliance reviews and investigates complaints of violations as well as data breaches. Upon confirming non-compliance, OCR publishes a press release describing the specific HIPAA violations found, the financial penalty imposed on the violator, and the corrective action plan detailing remediation requirements. OCR generally monitors the violator for three years to ensure the corrective action plan is thoroughly implemented.
Based on remarks OCR Director Pino made in February 2022, she is unlikely to tolerate the same violations recurring throughout the industry, as has been the case in recent years. In two examples of widespread negligence, OCR has found “systemic noncompliance with the HIPAA Security Rule” and “failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.”
In addition to these fundamental failures, there are six common compliance failures found repeatedly during OCR investigations, according to press releases posted on the OCR website newsroom. They are:
- Failure to conduct an enterprise-wide risk analysis
- Failure to implement risk management and audit controls
- Failure to maintain documentation of HIPAA Security Rule policies and procedures
- Failure to conduct information system activity reviews
- Failure to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of PHI
- Failure to implement procedures to verify that a person or entity seeking access to PHI is the one claimed.
If OCR visited your hospital today to conduct a compliance review or an investigation, how would you fare? Do you know which of these failures would be found in your hospital?
How Can This Still Be Happening?
The Health Insurance Portability and Accountability Act (HIPAA) has been firmly established since 1996 to protect the privacy and security of patient information. The Privacy Rule became effective in 2003, the Security Rule in 2005, and the Breach Notification Rule in 2009. The HHS Office for Civil Rights began enforcing HIPAA requirements in the same timeframes.
With two decades of HIPAA history behind us, more than a decade of mandatory compliance and federal compliance enforcement, and no shortage of resources to help hospitals achieve compliance, many question why compliance failures continue to occur.
Over time, OCR has moved from an early, lenient stance based on the violator “not knowing” the law to a more stringent position finding violators guilty of “willful negligence.” Penalties for compliance failures have risen accordingly and are frequently in the millions of dollars.
Healthcare Plagued by Non-Compliance
Despite all this, failure to comply with the HIPAA Security Rule and HIPAA Privacy Rule is a widespread and ongoing problem, and one that too often results in data breaches. The healthcare industry is plagued by non-compliance issues every year. 2020 was a record year for data breaches in healthcare, which cost an average of $7.1 million per incident according to the Ponemon Institute.
In addition to the cost of breach detection and response activities, data breach costs can include legal fees, lawsuit settlements, OCR penalties, and victim notification. They can include the cost of public relations, marketing, and sales efforts to regain the trust of affected patients and their families. And, finally, many hospitals suffer from lost billing and revenue in the wake of a data breach, especially if it is a massive or splashy one.
Three Massive Hospital Data Breaches in 2022
Of the 57 data breaches reported to OCR between January 1 and July 5, 2022, most of the 45 hacking incidents involved network servers. For enterprising hackers, these can be gateways to hospital networks, electronic PHI, and other digital assets. The three largest of these hacks are summarized below.
- Broward Health North – Florida. The hack of Broward Health North, one of four Florida hospitals operated by Broward Health, potentially affects more than 1.35 million individuals. The hospital reported in January that its systems had been breached by a hacker who gained access through the office of a third-party medical provider. Data removed from the server included Social Security numbers, phone numbers, birth dates, addresses, email addresses, financial account information, insurance information and account numbers, medical record numbers, and driver’s license numbers. Although there is no evidence, at least so far, that this data has been abused, a class action lawsuit has been filed against the hospital for “failing to implement adequate safeguards, leaving sensitive patient information vulnerable to hacking.”
- Baptist Medical Center – Texas. At Baptist Medical Center in San Antonio, malicious code was installed in the hospital’s network, enabling an unauthorized party to access servers housing ePHI. Baptist reported that more than 1.24 million individuals are potentially affected by this breach. During the same reporting timeframe, four other hospitals in Texas also reported data breaches.
- Yuma Regional Medical Center – Arizona. An attack in April 2022 forced Yuma Regional Medical Center to take its systems offline temporarily. According to the incident notice on the hospital’s website, a subsequent investigation revealed that an unauthorized person gained access to the network between April 21 and 25 and removed files that included names, Social Security numbers, insurance data, and some individual care information. More than 737,000 individuals are potentially affected.
As OCR investigates these hospital data breaches and the 54 others reported in 2022, its findings will be published, penalties will be imposed, corrective action plans will be enforced, and violators will be monitored. Is this what you want for your hospital?
Four Steps to Hospital HIPAA Compliance
So, what does a smart hospital do with all this information? You act on it, and promptly. The journey to true HIPAA compliance for a hospital can be completed in these four steps:
Step 1 – Consultation. Schedule a preliminary, complimentary consultation with a hospital HIPAA compliance and healthcare cybersecurity expert. Do your due diligence and demand proven experience as well as credentials and certifications. 24By7Security should be at the top of your list.
Step 2 – Assessment. The next crucial step is to schedule your HIPAA Security Risk Assessment. Our team of certified professionals has completed more than 600 risk assessments—the vast majority for healthcare providers. The HIPAA Security Rule specifies that the required risk analysis should “encompass the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of all e-PHI that is created, received, maintained, or transmitted by a healthcare organization.” (See 45 CFR § 164.306(a).) OCR Director Pino has said, “I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope.”
If you haven’t conducted a HIPAA assessment in a few years, this assessment will serve as a vital baseline. It will also demonstrate your intent to comply with the security safeguards required by HIPAA. Only by conducting an assessment that is enterprise-wide can you identify your vulnerabilities and remediate them effectively. And, should a data breach occur despite achieving HIPAA compliance for your hospital, the OCR will take a much different approach to resolution than if you were non-compliant.
Step 3 – Remediation. Upon completion of your assessment, review the Report of Findings and take the necessary actions to begin remediating your security vulnerabilities. The Report of Findings will prioritize vulnerabilities to guide your focus and actions. Depending on findings, you may need to create or update privacy and security policies to thoroughly address HIPAA Privacy and Security Rule requirements.
Step 4 – Training. Employees are the weakest links in any security chain. Human error and oversight are responsible for countless breaches, hacks, and other security incidents throughout the healthcare industry—not just in hospitals. In addition to cybersecurity awareness training and HIPAA training, employees need to be trained to recognize phishing schemes, email scams, and other social engineering ploys that dupe so many unsuspecting individuals and lead to pain for their employers.
For the most expert and cost-efficient experience, take your journey to full compliance with 24By7Security.
Summary
The ongoing data breaches that plague hospitals and others in the healthcare industry are the result of widespread failure to comply with HIPAA requirements. The Security Rule in particular is designed to protect hospitals and their patients from embarrassing compromises of PHI. This protection begins with a mandatory security risk assessment to enable hospitals to discover their security gaps and close them.
Failure to comply with the HIPAA Security Rule or other requirements of HIPAA can trigger an investigation by the OCR. Resulting penalties and costs can be severe, especially if a compliance failure has led to a compromise of protected health information. These costs, often in the millions of dollars per investigation, typically far exceed the budget for operating an effective, HIPAA-compliant security program in your hospital.
Why give OCR a reason to knock on your door?
Why give a whistleblower an opportunity?
And why wait for a data breach to happen to you?
Sign up for your mandatory risk assessment by August 31st and receive a 10% incentive, compliments of 24By7Security, your hospital HIPAA compliance specialists.