In the first six months of 2022, hospitals across the U.S. reported 57 data breaches to the HHS Office for Civil Rights. Almost 80% of the hospital data breaches (45) were hacking incidents or breaches related to poor information technology. Two of the breaches compromised more than 2.5 million individuals’ records. The OCR investigations are not likely to be gentle, nor the penalties small.
Too many hospitals continue to roll the dice with their patients’ protected health information (PHI). This high-risk strategy is a ticking time bomb and it’s difficult to understand—especially since the cost of operating an effective, HIPAA-compliant security program is typically far less than the costs that result from a data breach. As an example, the average cost of a data breach in 2020 was $7.1 million. (And this is before inflation.)
The Director of the HHS Office for Civil Rights (OCR), Lisa J. Pino, is pushing for stronger cybersecurity and compliance in the healthcare industry, starting now. The OCR is responsible for HIPAA enforcement, and for that reason actively conducts compliance reviews and investigates complaints of violations as well as data breaches. Upon confirming non-compliance, OCR publishes a press release describing the specific HIPAA violations found, the financial penalty imposed on the violator, and the corrective action plan detailing remediation requirements. OCR generally monitors the violator for three years to ensure the corrective action plan is thoroughly implemented.
Based on remarks OCR Director Pino made in February 2022, she is unlikely to tolerate having the same violations continue to recur throughout the industry, as has been the case in recent years. In two examples of widespread negligence, OCR has found “systemic noncompliance with the HIPAA Security Rule” and “failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.”
In addition to these fundamental failures, there are six common compliance failures found repeatedly during OCR investigations, according to press releases posted on the OCR website newsroom. They are:
If OCR visited your hospital today to conduct a compliance review or an investigation, how would you fare? Do you know which of these failures would be found in your hospital?
The Health Insurance Portability and Accountability Act (HIPAA) has been firmly established since 1996 to protect the privacy and security of patient information. The Privacy Rule became effective in 2003, the Security Rule in 2005, and the Breach Notification Rule in 2009. The HHS Office for Civil Rights began enforcing HIPAA requirements in the same timeframes.
With two decades of HIPAA history behind us, more than a decade of mandatory compliance and federal compliance enforcement, and no shortage of resources to help hospitals achieve compliance, many question why compliance failures continue to occur.
Over time, OCR has moved from an early, lenient stance based on the violator “not knowing” the law to a more stringent position finding violators guilty of “willful negligence.” Penalties for compliance failures have risen accordingly and are frequently in the millions of dollars.
Despite all this, failure to comply with the HIPAA Security Rule and HIPAA Privacy Rule is a widespread and ongoing problem, and one that too often results in data breaches. The healthcare industry is plagued by non-compliance issues every year. 2020 was a record year for data breaches in healthcare, which cost an average of $7.1 million per incident according to the Ponemon Institute.
In addition to the cost of breach detection and response activities, data breach costs can include legal fees, lawsuit settlements, OCR penalties, and victim notification. They can include the cost of public relations, marketing, and sales efforts to regain the trust of affected patients and their families. And, finally, many hospitals suffer from lost billing and revenue in the wake of a data breach, especially if it is a massive or splashy one.
Of the 57 data breaches reported to OCR between January 1 and July 5, 2022, most of the 45 hacking incidents involved network servers. For enterprising hackers, these can be gateways to hospital networks, electronic PHI, and other digital assets. The three largest of these hacks are summarized below.
As OCR investigates these hospital data breaches and the 54 others reported in 2022, its findings will be published, penalties will be imposed, corrective action plans will be enforced, and violators will be monitored. Is this what you want for your hospital?
So, what does a smart hospital do with all this information? You act on it, and promptly. The journey to true HIPAA compliance for a hospital can be completed in these four steps:
Step 2 – Assessment. The next crucial step is to schedule your HIPAA Security Risk Assessment. Our team of certified professionals has completed more than 600 risk assessments—the vast majority for healthcare providers. The HIPAA Security Rule specifies that the required risk analysis should “encompass the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of all e-PHI that is created, received, maintained, or transmitted by a healthcare organization.” (See 45 CFR § 164.306(a).) OCR Director Pino has said, “I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope.”
If you haven’t conducted a HIPAA assessment in a few years, this assessment will serve as a vital baseline. It will also demonstrate your intent to comply with the security safeguards required by HIPAA. Only by conducting an assessment that is enterprise-wide can you identify your vulnerabilities and remediate them effectively. And, should a data breach occur despite achieving HIPAA compliance for your hospital, the OCR will take a much different approach to resolution than if you were non-compliant.
Step 3 – Remediation. Upon completion of your assessment, review the Report of Findings and take the necessary actions to begin remediating your security vulnerabilities. The Report of Findings will prioritize vulnerabilities to guide your focus and actions. Depending on findings, you may need to create or update privacy and security policies to thoroughly address HIPAA Privacy and Security Rule requirements.
Step 4 – Training. Employees are the weakest links in any security chain. Human error and oversight are responsible for countless breaches, hacks, and other security incidents throughout the healthcare industry—not just in hospitals. In addition to cybersecurity awareness training and HIPAA training, employees need to be trained to recognize phishing schemes, email scams, and other social engineering ploys that dupe so many unsuspecting individuals and lead to pain for their employers.
For the most expert and cost-efficient experience, take your journey to full compliance with 24By7Security.
The ongoing data breaches that plague hospitals and others in the healthcare industry are the result of widespread failure to comply with HIPAA requirements. The Security Rule in particular is designed to protect hospitals and their patients from embarrassing compromises of PHI. This protection begins with a mandatory security risk assessment to enable hospitals to discover their security gaps and close them.
Failure to comply with the HIPAA Security Rule or other requirements of HIPAA can trigger an investigation by the OCR. Resulting penalties and costs can be severe, especially if a compliance failure has led to a compromise of protected health information. These costs, often in the millions of dollars per investigation, typically far exceed the budget for operating an effective, HIPAA-compliant security program in your hospital.
Why give OCR a reason to knock on your door?
Why give a whistleblower an opportunity?
And why wait for a data breach to happen to you?
Sign up for your mandatory risk assessment by August 31st and receive a 10% incentive, compliments of 24By7Security, your hospital HIPAA compliance specialists.