By Richard Bailey, lead IT consultant, Atlantic.Net.
The Health Insurance Portability and Accountability Act of 1996 is a day-to-day concern for medical professionals and healthcare management teams in the United States. HIPAA, and the subsequent Privacy and Security amendments of 2003, were created to protect the confidentiality of Protected Health Information (PHI).
The Breach Notification Rule was added in 2009 to include specific laws about how to respond to a breach, and the Final Omnibus Rule was added in 2013 to harden the enforcement rules and response requirements.
A HIPAA breach is a serious concern, it can be very costly, instantly creating financial and reputational damage. A breach must be responded to appropriately by the HIPAA-covered entities and any impacted Business Associates.
The threat landscape has definitely changed in 2020/2021, COVID-19 has changed the way front-line healthcare is delivered, and it has also put great pressure on upholding the data integrity of PHI, despite some concessions being offered by the Office for Civil Rights (OCR) during the pandemic.
Between March 2020 and March 2021, there have been 530 reported data breaches to the OCR, this includes both confirmed data breaches, and breaches that are currently under investigation. These figures suggest that 26,023,940 patient records have been exposed in data breaches in one single year, quite a staggering figure.
What is a HIPAA data breach?
There are two types of breaches classified by the U.S Department of Health and Human Services (HHS). A breach that does not disclose PHI is considered “not a breach.” A breach that does disclose PHI must be classified as either an intentional or unintentional disclosure. Deliberate disclosure is considered a very serious breach and typically involves significant penalties.
The primary cause of breaches is usually a lost or stolen computing device, such as laptops, cell phones, and tablets. Many losses are attributed to employee carelessness or employee mistakes or unintentional actions. The other major cause is third-party involvement, this could be hackers, malicious actors, and so on.
How to respond to a breach
How a healthcare organization responds to a breach depends entirely on the severity of the breach. The HHS rules that a breach affecting 500 or more Individuals must be reported to the HHS without reasonable delay. Any breach affecting fewer than 500 Individuals must be reported within 60 days of the breach.
In all scenarios, there are several expectations put upon the healthcare organization. It is expected that the breach should be stopped immediately by working with third-party providers or getting external cybersecurity advice.
Our experts have devised the following strategy as a good benchmark of how to respond to a data breach.
- Breach Identification – using event data from multiple sources, such as automated alerts, monitoring, sensors, or logs
- Determine the impact of the breach
- Information is communicated to appropriate parties
- A pre-prepared response plan is executed during or after the breach
- Events are reported consistently as per HIPAA requirements (patients and/or media)
- Information is shared consistently as per a response plan
- Investigate the incident from logs taken from detection systems
- Attempt to understand the impact of the incident (Minor/Major)
- Data Breach must be contained
- Data Breach must be resolved/fixed
- Debrief and lessons learned where newly identified vulnerabilities are mitigated or documented as accepted risks.
A key element to the HIPAA Breach Notification Rule is that a covered entity must report the breach to the HHS and OCR, and it must be reported promptly. The covered entity is expected to investigate the incident to understand the cause of the breach, what data was stolen, and by whom. Understand the time frame of the incident and details of what data was accessed and when.
While the investigation is underway, your teams should already be responding to the incident. Work out the state of the current backup datasets and determine if there is a need to invoke DR. All HIPAA-compliant entities should have at least a backup of the existing IT Infrastructure, and preferably a disaster recovery capability to failover services.
Any backdoor access needs to be blocked at the network layer, restore infrastructure from backup, patch servers, fix any exploits on the network infrastructure, and change all passwords. This will no doubt involve many sleepless nights for your IT department, but it is necessary to return to business as usual and restore confidence in the business.
The Insider threat
If the perpetrator is identified as an in-house employee, action must be taken. If the breach was accidental then as a minimum, an education program must be created for the person to learn and understand what has happened, including the repercussions. If the breach was intentional, disciplinary action is needed – up to and including dismissal and reporting to the authorities.
Likewise, action should be taken if the source of the data breach is an external actor, either a hacker or possibly a third-party provider. Bringing onboard external security experts is a great way to dichotomize the incident to determine the threat actors.
Honest and open communication channels need to be established early in the investigation. Patients have the right to get notice of a breach, and there may be a requirement to report the incident to the media.
Understand what happened
The Final Omnibus rule introduced a number of laws to force healthcare organizations to fully understand what happened during a breach. The nature and extent of the PHI stolen, and who gained unauthorized access. Regulators need to know if PHI was actually viewed or copied, this information can be gathered from Intrusion Protection Systems verbose logging, and action must be taken to mitigate the threat.
A data breach should be treated as a disaster scenario, no one plans to be breached, but there is a valid reason why a breach has occurred. Fully debriefing personnel after the breach has been contained is a great way to fact find and determine the chain of events. It is not a blame game, it is a gathering to fully understand the situation, understand how the hackers gain access, determine the vulnerability exploited to gain unauthorized access, and most importantly take action to make sure it never happens again. It is always a good idea to be proactive and familiarize yourself with the latest healthcare technology trends; this way you are always ahead of the curve.