Last October, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS)issued a joint cybersecurity advisory regarding ransomware activity targeting the healthcare and public health sector.
In it, the agency said it had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” and urged providers to take precautions to protect their networks from these threats.
In its June Work Plan, OIG said it will now begin to audit HHS to determine whether its Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess their compliance with HIPAA Security, Privacy and Breach Notification rules and determine whether those audits effectively assessed electronic personal health information (ePHI). The rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
In addition, the agency said it will determine whether the Centers for Medicare & Medicaid’s certification process for participation in the Medicare program requires hospitals participating in the Medicare program to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data.
Also, OIG will conduct security assessments at 10 hospitals to determine whether they have adequately implemented HIPAA security requirements or effective cybersecurity measures to prevent, detect, and recover from cyberattacks.
As we have seen in recent months, cyberattacks are on the rise in all sectors. The world’s largest meat processing company, JBS, and Colonial Pipeline were among the most recent targets of hackers demanding ransom.
A report issued by Bitglass, a U.S.-based provider of threat protection services, found the number of reported healthcare breaches spiked 55.1 percent in 2020, compared to 2019, exposing the information of more than 24 million people.
California led the way with the most incidents (49) followed by Texas (43) and New York (39). Florida and Pennsylvania rounded out the top five with 38 breaches each. Not only do these attacks result in the acquisition of sensitive personal data, but they also cause systems to shut down, resulting in a litany of other issues impacting patient care.
While studies have found that the average ransom payout in the healthcare sector is a little more than $900,000 (far less than the millions demanded from JBS and Colonial Pipeline), such breaches are resulting in a growing number of class action lawsuits against those who fail to protect patient data.
Last year, there were 15 HIPAA-related settlements, many of them having to do with data breaches, including Premera Blue Cross, which agreed to pay OCR $6.85 million to settle potential violations centering on an email phishing attack that lasted nine months and exposed 10.4 million individuals protected health information.
As OIG and other government agencies turn their focus to the failings of healthcare systems and providers to ensure that patient data is secure, it would be in their best interest to ensure they have systems in place to protect that information.
The Health Law Offices of Anthony C. Vitale can assist you with establishing HIPAA guidelines and to help you make sure you are following all HIPAA regulations. Contact us for additional information at 305-358-4500 or send us an email to firstname.lastname@example.org and let’s discuss how we might be able to assist you.