Health insurers Premera Blue Cross and Anthem Inc. are the most recent victims of cyberattacks targeting healthcare entities to access the medical data and financial information of millions. The computer security software company Websense Security Labs predicted earlier that such cyberthefts would be on the rise in 2015. Websense claims that security attacks on the computer networks of hospitals rose over 600% in 2014. This trend is unlikely to change while data security remains a low priority for many healthcare organizations, despite the increasing use of electronic health records and of medical devices connected to hospital networks.

Theft involving healthcare entities implicates several Health Insurance Portability and Accountability Act (HIPAA) Rules. Specifically, the HIPAA Privacy Rule establishes federal standards for the use, protection, and disclosure of individuals’ health information – called protected health information (PHI) – by organizations subject to the Rule. Similarly, the HIPAA Security Rule establishes federal standards for using and protecting PHI that is held or transferred in electronic form, a.k.a. electronic PHI (ePHI). Finally, the HIPAA Breach Notification Rule requires, among other things, covered entities and business associates to report any unauthorized acquisition, access, use, or disclosure of the PHI of 500 or more individuals to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Cyberthefts of ePHI have been occurring for a number of years, and they range from intentional, planned attacks by hackers to breaches caused by ordinary software problems. As an example of the latter, in March 2012, Anchorage Community Mental Health Services (ACMHS) – a five-facility, non-profit mental-health care provider – self-reported a breach of ePHI affecting over 2,700 patients after malware compromised the security of its information technology resources. While ACMHS had security policies and procedures in place, they had not been followed or updated in nearly a decade. This included not regularly applying available patches to its IT resources, as well as running outdated and unsupported software. After an OCR investigation, ACMHS agreed to pay $150,000 and to adopt a corrective action plan to remedy the deficiencies in its HIPAA compliance program.

A November 2013 report by the HHS Office of Inspector General (OIG) criticizing the OCR’s oversight and enforcement efforts spurred an increase in breach notifications and corrective actions. Accordingly, the past year saw dozens of investigated HIPAA breaches, and such incidents have affected over 31 million patients overall since 2009. Breaches involving unsecured online databases and servers have incurred fines ranging from $100,000 to $4.8 million. While punitive measures are still rare, the OCR typically levies large financial penalties when an entity demonstrates continued disregard for risk assessment or repeated failure to establish safeguards. The most severe penalties are reserved for entities that ignore the need for risk assessment, delay implementing the changes an assessment warrants, or fail to appropriately address violations that have already occurred.

While financial services and retail organizations have been the traditional targets of criminals and, as a result, have developed more experience and insight in mitigating the risk of cybertheft, healthcare organizations and providers typically cannot spend as much on IT as many other industries. Moreover, healthcare organizations are not in a position to adapt as rapidly as other industries to changing and more sophisticated online threats. This makes healthcare organizations and their security systems – even those among the largest in the industry – a relatively “easy” target, as Websense and many others have indicated. For example, Tennessee-based Community Health Systems (CHS) – a Fortune 500 company that operates over 200 hospitals across the nation – reported last year that a Chinese group of hackers had infiltrated its computer network and stolen data on nearly 4.5 million patients.

Such cybersecurity incidents will continue to happen until both covered entities and business associates get serious about implementing the controls necessary to ensure the safety and security of ePHI. This means developing comprehensive HIPAA policies and procedures, conducting frequent and regular security awareness training and risk assessments, employing encryption for all data and across all mobile devices, and instilling an overall culture of compliance. Similarly, healthcare lawyers must stay abreast of changing regulations in the field of healthcare IT to help their clients meet regulatory requirements and protect their patients.

Neil Issar