“Healthcare data breach: 2.4m records potentially exposed at Forefront Dermatology.”
“Data breach may have compromised up to 68,000 Advocate Aurora Health patients’ info.”
“Data Breach at UC San Diego Health.”
“US medical imaging center reports possible data breach after emails ‘accessed’.”
“Hackers Breach San Diego Hospital, Gaining Access to Patients’… Well, Uh, Everything.”
“Ransomware attackers wanted $80,000 from York Animal Hospital.”
That is a small sample of recent headlines from the steady stream of breach disclosures coming out of healthcare organizations. Note that the victims are not all large conglomerates: criminals ransomed a small animal hospital in York, Maine (population: 12,529). So why are cyber-attacks on healthcare rising? It comes down to the value of the data on the Dark Web.
Preventing healthcare from becoming a hot target
Recent reports put medical information at eight to ten times the value of financial data. Add the rise of ‘double-extortion’ ransomware (the attackers exfiltrate data before locking down the network, then demand payment both for the decryption key and for not publishing the stolen data), and it is time for everyone to raise their cyber resiliency, change the culture of security apathy, and play a role in making healthcare a less attractive target.
If you think your organization is too small to be on criminals’ radar (and this applies in every industry), think again. Two in five SMBs were hit by ransomware in 2020, and nearly 60 percent of companies that suffer a cyber-attack go out of business.
Between January 1 and July 31, 2021, 397 breaches were reported to the HHS Office for Civil Rights (OCR); reporting is mandatory for any breach affecting 500 or more individuals, and those 397 breaches together exposed more than 27.7 million records. In response to this rise in healthcare breaches, the framework around the HIPAA Security Rule is changing.
The direction of travel is to layer the NIST Cybersecurity Framework (CSF) on top of the existing rules. Even the largest healthcare entities struggle to conduct “accurate and thorough” Security Risk Assessments (SRAs): the HIPAA Security Rule already carries 42 implementation specifications for protecting health data, and mapping those to the NIST CSF adds 5 Functions, 23 Categories, 108 Subcategories, and the many Informative References attached to each subcategory.
Lack of accurate and thorough audits can result in fines
Healthcare organizations must demonstrate continuous improvement. Failing to conduct “accurate and thorough” SRAs, or to implement adequate safeguards, can bring significant fines and potentially years-long exclusion from Medicare reimbursement after a multi-year OCR investigation. Fines range from $100,000 for a single-practitioner office to multiple millions of dollars, and because OCR retains the money it collects, it has every incentive to step up audits and investigations.
There is also a carrot: following the latest framework can qualify a healthcare organization for Medicare reimbursement incentives of up to an additional 7 percent for 2021.
Now is the time for everyone in healthcare to make sure they have the partners, systems, and technology in place to protect personal health information effectively, to show continuous improvement in cyber security, and to capture the incentives on offer. Don’t be the next breach headline. Instead, ask yourself: are your clients prepared for an OCR audit and investigation?