By Navin Balakrishnaraja, practice director for healthcare IT Services, All Covered (IT services division of Konica Minolta).
Technology continues to advance the healthcare industry, providing more precision and improved delivery of care. However, it’s more important and even more challenging than ever for organizations to secure patient information and keep health data safe.
Advances in cybersecurity measures need to go hand in hand with privacy, and both remain a necessity. The frequency of data breaches in the healthcare industry has been on the rise, and healthcare is now the sector most targeted by cybercriminals.
According to the Ponemon Institute, the average cost of a healthcare breach was $7.13 million, a 10% increase from 2019. Healthcare has been a primary target in recent ransomware attacks, as the headlines and ongoing media coverage have shown.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have received “credible information of increased and imminent cybercrime threats” aimed at hospitals and healthcare providers in the United States. They released an advisory about this targeted activity to all healthcare networks, and it appears that targeted attacks are only going to escalate.
Because of the immutable, high-value nature of electronic patient health information (ePHI), health data is a gold mine to cybercriminals. On the dark web, a single record sells for more than $400 on average. A large shift in ransomware deployment operations has taken place. Cybercriminals are like psychologists, staying one step ahead of tools and user sophistication. Many of them depend on malware, but the focus has shifted to gaining privileged access and exploring target networks to disable security processes.
The malware also runs vulnerability scans on the attacker's behalf to find where it can inflict maximum damage on an organization. For example, the cybercriminal enterprise behind TrickBot, which is likely also the creator of the BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites hosting the malware or attachments carrying the malware.
Loaders start the infection chain by distributing the payload: they retrieve the backdoor from the command and control (C2) server, install it on the victim's machine, and execute it. This example shows what organizations are up against as cyberattacks grow more intricate.
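The two delivery vectors named above (a malicious link or a malware-carrying attachment in a phishing email) are what a mail-gateway detection rule can key on before any loader runs. The following Python script is an added example, not code from the article or from All Covered; it scans a constructed, pipe-delimited sample of gateway log lines (not real traffic) and raises an alert for attachments whose type can stage a loader and for links to domains outside a hypothetical allow list (`TRUSTED_DOMAINS` is an assumption for this organisation).

```python
import re
from dataclasses import dataclass

# Constructed sample of mail-gateway log lines (not real traffic). Fields:
# timestamp | sender | recipient | subject | attachment name or "-" | URLs in body (comma-separated) or "-"
SAMPLE_LOG = """\
2020-10-28T09:14:02Z|billing@vendor-example.test|nurse1@hospital.test|Invoice 4471|invoice_4471.doc|-
2020-10-28T09:15:11Z|hr@hospital.test|staff@hospital.test|Benefits update|benefits_2021.pdf|https://intranet.hospital.test/benefits
2020-10-28T09:16:40Z|noreply@delivery-example.test|admin@hospital.test|Your package|-|http://update-tracking.example-bad.test/track.php
2020-10-28T09:18:05Z|lab@partner-lab.test|dr.smith@hospital.test|Results attached|results.xlsm|-
2020-10-28T09:19:30Z|colleague@hospital.test|dr.smith@hospital.test|Lunch?|-|-
"""

# Attachment types that commonly carry or stage a loader: Office formats that can
# hold macros, script files, executables, and container formats that hide them.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".zip", ".iso", ".lnk"}

# Hypothetical allow list: domains this organisation expects email links to point at.
TRUSTED_DOMAINS = {"hospital.test", "intranet.hospital.test"}


@dataclass
class Alert:
    timestamp: str
    recipient: str
    reason: str


def _domain(url):
    """Extract the host part of a URL (empty string if the URL has no scheme)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_trusted(domain):
    """True if the domain is on the allow list or a subdomain of an allowed domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def scan_mail_log(log_text):
    """Return one Alert per phishing-delivery indicator found in the log lines."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, attachment, urls = line.split("|", 5)

        # Rule 1: attachment of a type that can deliver a loader.
        if attachment != "-":
            ext = "." + attachment.rsplit(".", 1)[-1].lower() if "." in attachment else ""
            if ext in RISKY_EXTENSIONS:
                alerts.append(Alert(ts, rcpt, f"risky attachment type {ext}: {attachment}"))

        # Rule 2: link whose domain is outside the allow list.
        if urls != "-":
            for url in urls.split(","):
                d = _domain(url.strip())
                if d and not _is_trusted(d):
                    alerts.append(Alert(ts, rcpt, f"link to untrusted domain {d}"))
    return alerts


if __name__ == "__main__":
    for a in scan_mail_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.recipient}: {a.reason}")
```

On the sample above the scan flags the `.doc` invoice, the tracking link to an unlisted domain, and the `.xlsm` lab result, and leaves the PDF with an intranet link and the plain message alone. In production the allow list and extension set would come from the gateway's configuration rather than constants, and a hit should feed a quarantine or user-notification workflow rather than just a printout.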
As part of an ongoing effort to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun the second phase of audits for HIPAA covered entities. The first phase of the audits was conducted in 2011 and 2012 and evaluated the controls and processes implemented by 115 covered entities in order to comply with HIPAA’s requirements. This second phase of audits builds upon the findings of that first audit, and will address compliance efforts by both covered entities and their business associates.
The second phase of the OCR audits is focused primarily on compliance with HIPAA directives related to privacy, security, and breach notifications. Currently, details about the specific documentation that will be required are unavailable, but the OCR has noted that the audit will deal only with compliance with federal guidelines. Compliance with state regulations will not be addressed at all. Still, even though the specifics of the audit are still under wraps, now is a great time to review your own compliance with HIPAA rules and begin gathering documentation.
The HIPAA Audit Process: An Overview
Earlier this summer, the OCR sent notification to all HIPAA-covered entities requiring them to confirm the contact details for their organization and all business associates that handle protected data by the end of July. Once contact details are confirmed, the OCR will send out preliminary surveys to gather more information about specific organizations and their data protection protocols. From those survey responses, several hundred organizations will be chosen for desk audits, which means that they will be required to submit specific, requested documentation as instructed.
While the Phase 2 audits have many healthcare executives concerned, the OCR has noted that only several hundred entities will be selected for an audit, and of those, a very small percentage (only about 25 to 50 organizations in total) are expected to move on to a full, on-site audit. Still, because there is no way of knowing whether your organization will be selected for audit, you need to prepare and be ready to go should that be the case.
The OCR is quick to point out that the Phase 2 auditing process is not intended to be punitive, and that the purpose is rather to identify best practices and potential weaknesses as a means to provide better guidance to covered entities on how to more effectively comply with HIPAA regulations. That being said, regulators do note that should there be serious deficiencies discovered during the process, then there could be sanctions or other corrective actions taken.