By Richard Bailey, lead IT consultant, Atlantic.Net.
The Health Insurance Portability and Accountability Act of 1996 is a day-to-day concern for medical professionals and healthcare management teams in the United States. HIPAA, and the subsequent Privacy and Security amendments of 2003, were created to protect the confidentiality of Protected Health Information (PHI).
The Breach Notification Rule was added in 2009 to include specific laws about how to respond to a breach, and the Final Omnibus Rule was added in 2013 to harden the enforcement rules and response requirements.
A HIPAA breach is a serious concern, it can be very costly, instantly creating financial and reputational damage. A breach must be responded to appropriately by the HIPAA-covered entities and any impacted Business Associates.
The threat landscape has definitely changed in 2020/2021, COVID-19 has changed the way front-line healthcare is delivered, and it has also put great pressure on upholding the data integrity of PHI, despite some concessions being offered by the Office for Civil Rights (OCR) during the pandemic.
Between March 2020 and March 2021, there have been 530 reported data breaches to the OCR, this includes both confirmed data breaches, and breaches that are currently under investigation. These figures suggest that 26,023,940 patient records have been exposed in data breaches in one single year, quite a staggering figure.
What is a HIPAA data breach?
There are two types of breaches classified by the U.S Department of Health and Human Services (HHS). A breach that does not disclose PHI is considered “not a breach.” A breach that does disclose PHI must be classified as either an intentional or unintentional disclosure. Deliberate disclosure is considered a very serious breach and typically involves significant penalties.
The primary cause of breaches is usually a lost or stolen computing device, such as laptops, cell phones, and tablets. Many losses are attributed to employee carelessness or employee mistakes or unintentional actions. The other major cause is third-party involvement, this could be hackers, malicious actors, and so on.
covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as; Healthcare Providers such as doctors, dentists, nursing homes, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, and Clearinghouses.
A business associate is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the risk assessment is often considered the starting point to achieve HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into Business Associate Agreement (BAA). Its purpose is to identify areas within the business that process, store, and transmit protected health information (PHI) that are in the scope of HIPAA compliance.
PHI is patient data that the law is meant to safeguard, such as data that can be used to identify an individual personally. Examples may include patient names, email addresses, social security numbers, insurance certificates, and so on.
The Health Insurance Portability and Accountability Act (HIPAA), a bill passed initially in 1996, consists of a set of rules and regulations that protect the privacy and security of health information and provide individuals with certain rights to their health information.
Health and health-related entities play a pivotal role in protecting the privacy and security of sensitive data, so it is important that those entities are perfectly aware of what constitutes a breach under HIPAA terms, in addition to knowing what the actual regulations say and are all about. Check below some examples of HIPAA breaches.
Foreword: not all data breaches are HIPAA breaches
It is common for someone to think that, under HIPAA, any data breach constitutes an immediate breach of HIPAA regulations. However, this is not always the case, and the reason for that is quite simple.
Breaches are something relatively common and that happens in virtually all industries. Even tech giants fall victim to breaches caused by attacks so, even if a company holds strongly to each and every HIPAA regulation, it is impossible to guarantee 100% security, which is especially true considering how fast technology and hackers evolve.
As one might expect, one of the most recorded types of data breaches has to do with one of HIPAA’s core goals, which is the protection of healthcare records. Usually committed by employees, this breach can often result in termination and even in criminal charges for the offender. While relatively uncommon, the entity can also be fined.
Lack of PHI access controls
Protected Health Information (PHI) is the name for any information about health status, provision of health care, or payment for health care that is created or collected by a health or health-related entity and is also a central point of HIPAA.
In fact, HIPAA clearly establishes, in its HIPAA Security Rules, that entities and their partners (i.e., other entities they communicate PHI and other sensitive data with) need to ensure that PHI can only be accessed by authorized individuals. This is a common breach and is often met with high financial fines.
Failure to encrypt (or similar protection) PHI
One of the most effective ways to ensure PHI privacy and safety is to use encryption on all stages of PHI usage, including offline storage, online storage, and data transmission over a network. Encryption is very safe – in fact, so safe that breaches of encrypted PHI do not have to be reported (unless the decryption key is also stolen or if the data is re-encrypted, a situation in which the responsible entity would also lose access to that data).
While HIPAA does not enforce the use of encryption, it is by far the best option to store and transmit PHI. If it is not used, an alternative kind of protection needs to be used – otherwise, PHI data breaches will surely happen.
The data backup plan was established as a mandatory stage of HIPAA compliance to create, implement and maintain a set of rules and procedures for healthcare organizations to follow when managing the backup and restore requirements of electronic protected health information (ePHI). A data backup plan is part of the HIPAA Security Rule and encompasses wider contingency planning processes that any chosen business associate (BA) or managed service provider (MSP) must be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.
The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs will already be offering disaster recovery technology capable of moving over data and services to a secondary location almost instantaneously. But backups are often considered the last line of defense in the event of a catastrophic system failure. It allows for data restoration capability to be available in the worst possible scenarios.
Augusta University Medical Center reported that it had become a victim of phishing for the second time within a 12-month period although fewer than 1 percent of patients were impacted by the second effort. A trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom for the owner to retain the data. A successful intrusion of Medical Oncology Hematology Consultants was detected, with 19,203 compromised patient records; however, by that point, the hackers had been inside the system for 20 days.
Kaleida Health announced that it had been victimized by phishing, with 744 patients affected; actually, though, that was adding to a previous tally – with 3,544 total records accessed. Ransomware brought down Pacific Alliance Medical Center; two months later, the firm said that 266,123 patients were impacted.
What do all of these situations and figures have in common? They are all Health Insurance Portability and Accountability Act (HIPAA) violations that took place in 2017. Also, you don’t want to be that organization. Forget the threat to your credibility (perhaps especially the much-dreaded Wall of Shame; the sheer expense is overwhelming. For any data breach, the average drop in revenue experienced by a healthcare firm is $3.7 million
So, with all that said (i.e., since it is more common than anyone would like, and since these cyberattacks are so incredibly costly), it is only reasonable to look over some HIPAA fundamentals and review security best practices for protecting HIPAA compliant data. With the information you collect, you can strategize implementation of the most strongly protected possible system.
Here are a few tips so that your environment can integrate best practices for securing the protected health information (PHI) that is under your watch:
Encryption is critical. Just look at a study published in Perspectives in Health Information Management in 2014. While this research is slightly dated, it is compelling because it is a true big data study that looked at all the breaches of HIPAA-protected files that were currently within the HHS Department’s system. At the time of the report, which used all events through September 22, 2013, 27 million people’s records had been compromised, via successful attacks of 674 covered entities and 153 business associates. Forms of intrusion included hacking, improper disposal, loss, theft, unauthorized access, etc. Breaches occurred in various digital environments both through devices and backends, as well as through hard-copy paper documents.
When you look at the data on types of breaches as pieces of the whole, you see how prominent theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities, and business associates affected in each case (numbers that have now grown substantially): 1. theft – 12,785,150 people (via 344 CEs and 52 BAs); 2. loss – 7,359,407 people (via 74 CEs and 23 BAs); 3. hacking or IT event – 1,901,111 people (via 59 CEs and 20 BAs); 4. unauthorized access – 1,334,118 people (via 136 CEs and 44 BAs); and, 5. improper disposal – 649,294 people (via 32 CEs and 5 BAs).
The key concern here is that these issues are not just about theft. If it were just about laptops being stolen, that would not be as much of a problem because the criminals would not be able to get anything of them necessarily. All of these cases are ones in which the information on the devices that was stolen was unencrypted. In other words, all you need to do is encrypt that data – and even if it does get stolen, you don’t need to worry about it as a violation.
Assess your risk
Conduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer ePHI, along with other ways in which your information may be exposed physically. Related to the data center environment (whether it’s internal, third-party or hybrid), you want to ask these questions: Are natural disasters common in the location of the data center? Is there a responsible party associated with all hardware components? Have you assessed the security mechanisms that are now in place and any risks that are present? Have you taken into account all ways in which ePHI is accessed or manipulated within your system? Consider the creation, receipt, maintenance and transfer of this information.
Training is fundamental
It is easy, especially related to electronic protected health information, to become obsessed with the systems and to forget about the huge potential for human error. Your staff must be properly trained, especially since the threat landscape is evolving, with an increasingly sophisticated toolset for accessing the data. A very simple yet devastating mistake that is often made is phishing, when a staff member either clicks on a link or submits data, such as usernames or a Social Security number that, thereby, connects them in to a fraudulent system. It is horrifying but true that something as simple as a fake email could create a point of entry for malware or viruses.