Federal Health Officials: Lenient Security Practices to Blame for Quickening Pace of HIPAA Violations


    Breaches in Healthcare

    Over the past year, healthcare organizations have seen an 82 percent year-over-year increase in large breaches—ones that affect at least 500 people per incident. This is a result of too many healthcare organizations (both large and small) maintaining a weak security posture with limited security controls in place. In turn, it has made them the primary target of cyber criminals who were successful at executing a record number of breaches in 2017.

    According to an analysis of records from the U.S. Department of Health and Human Services Office of Civil Rights (OCR), the 221 major breaches reported under HIPAA regulations in 2017 reflect a 66 percent increase over the 133 breaches reported in the previous year. The OCR records also show a pattern in which most of the breaches involved at least 500 records compromised per incident. This pattern reveals that cyber security threats aimed at healthcare organizations are rising significantly. It is clear that cyber criminals have made healthcare organizations their primary target. Why? Because cyber criminals are well aware that these establishments allocate minimal resources to security, and that is what makes them a primary target.

    The OCR is very concerned about this increase in cyber-attacks on healthcare organizations, and rightfully so, because every time a medical practice network is successfully penetrated, the patients are potential victims. The patient’s medical records can be held for ransom, or, if the patient’s personally identifiable information (PII) is stolen, it can be sold and used to commit identity fraud. In any case, the patient becomes a victim because their local hospital or medical practice did not implement the proper security tools! This raises the question of whether doctors are following through with their commitment to “first do no harm” when it comes to their patients. The phrase originated to address medical treatment and procedures; but with the rise of cyber-attacks and the resulting adverse effects on patients, it also applies to protecting patients’ personal medical data.

    Mitigating Risk Through Regulation

    In an attempt to mitigate these risks, the OCR is continuing to empower healthcare organizations by providing them with the proper guidance and resources through its HIPAA Security Guidance webpage. The website offers information on risk analysis, remote use, mobile devices and ransomware. Healthcare organizations can use this as an educational resource to better understand what HIPAA requires of them and what the consequences of non-compliance can be.

    In 2016, a record $23.5 million was collected in settlement payments from healthcare organizations that mishandled protected health information (PHI) and therefore earned themselves a HIPAA violation. As of May 2017, that number was on track to exceed the previous year’s total, with $14.7 million collected before the year was even halfway over.

    With such harsh financial and reputational damage at stake, healthcare organizations should become more conscientious about security and partner with an MSP like you. If that is not enough to make them adopt the proper security procedures, they should remember the oath they took and their promise to “first do no harm,” as it is clear that having a lax security posture causes significant harm to their patients.