Federal Health Officials: Lenient Security Practices to Blame for Quickening Pace of HIPAA Violations

When a patient visits their local medical practice or community hospital, they are entrusting the organization with their most sensitive information: medical data, health insurance IDs and Social Security numbers. The practice that holds this information is staffed by doctors who promised to “first do no harm,” meaning that their first consideration is the patient’s well-being, which includes protecting the patient’s privacy. However, without the proper security tools in place, they put their patients at great risk of becoming victims of cybercrime and of having their personal information exposed.

Let’s take a closer look at why medical practices have become the primary target of cyber criminals and how this has prompted a recent tightening of HIPAA enforcement.

Breaches in Healthcare

Over the past year, healthcare organizations have seen an 82 percent year-over-year increase in large breaches, meaning those that affect at least 500 people per incident. This is the result of too many healthcare organizations, both large and small, maintaining a weak security posture with limited security controls in place. In turn, it has made them the primary target of cyber criminals, who executed a record number of breaches in 2017.

According to an analysis of records from the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the 221 major breaches reported under HIPAA regulations in 2017 represent a 66 percent increase over the 133 breaches reported in the previous year. The OCR records also show a pattern in which most of these breaches involved at least 500 compromised records per incident. This tells us that cyber security threats aimed at healthcare organizations are rising sharply and that cyber criminals have made healthcare organizations their primary target. Why? Because cyber criminals are all too aware that these establishments allocate minimal resources to security, and an under-defended network is an easy target.

The OCR is very concerned about this increase in cyber-attacks on healthcare organizations, and rightfully so: every time a hacker successfully penetrates a hospital’s network, the patients become victims. Whether the hacker holds the patient’s medical records for ransom or the patient’s personally identifiable information (PII) is stolen and used to commit identity fraud, the patient suffers because their local hospital or medical practice did not implement the proper security tools. This raises the question of whether doctors are following through on their commitment to “first do no harm” when it comes to their patients. The phrase has traditionally applied only to medical treatment and procedures, but with the rise of cyber-attacks and the resulting adverse effects on patients, it is fair to ask whether it should also cover protecting patients’ personal medical data.

Mitigating Risk Through Regulation

In an attempt to mitigate these risks, the OCR continues to support healthcare organizations by providing guidance and resources through its HIPAA Security Guidance webpage. The website offers information on risk analysis, remote use, mobile devices, and ransomware. Healthcare organizations can use it as an educational resource to better understand what HIPAA requires of them and what the consequences of non-compliance can be.

In 2016, a record $23.5 million was collected in settlement payments from healthcare organizations that mishandled protected health information (PHI) and thereby incurred a HIPAA violation. As of May 2017, that figure was on track to exceed the previous year’s total, with $14.7 million collected before the year was even halfway over.

With such severe financial and reputational damage at stake, healthcare organizations should become more conscientious about security and partner with an MSP like you. If that is not enough to move them to adopt proper security procedures, they should remember the oath they took and their promise to “first do no harm,” because a lax security posture clearly causes significant harm to their patients.
