The trend for HIPAA compliance is toward more breaches and complex breaches than seen in earlier years of efforts to follow the privacy rule, say some experts. A sharp increase in cyberattacks also may be coming this year. Most HIPAA breaches in the past were of a rather low-tech nature, even if they involved lost computers and data files. Laptops were stolen, jump drives were lost, and paper documents were mishandled. But that is changing now, partly because the digital revolution has completely changed how healthcare organizations handle data, says Steven Marco, CISA, ITIL, HPSA, president and founder of HIPAA One, a consulting group in Lindon, UT.
“It used to be that the breaches were not very frequent. When they happened, they often involved the theft of electronic media. That type of physical data loss represented your highest likelihood of having to report a breach,” Marco says. “Server incidents were almost unheard of. We’ve seen a drastic change with a trend toward each incident involving more individuals, rather than many incidents involving a small number. Each cyber incident now typically involves tens of thousands of individuals. That trend is not changing any time soon.”
The nature of attacks on covered entities is changing at the same time, says Bobby Seegmiller, senior vice president and founding partner of HIPAA One. Healthcare organizations have become much savvier about how to protect their data from outside threats, but they still struggle with internal security, he says.
“Some of these hospitals are like Fort Knox with all the security they have to keep someone from coming in either physically or through a cyberattack — but their own employees are leaving the back door wide open,” Seegmiller says. “The hospital puts up all this security and it is undermined by the employee who opens an email and responds to a phishing attack.”
Employee training is critical, but that is not enough, Seegmiller stresses. It is important to test employees periodically with a real-world scenario such as sending a fake email that includes all the hallmarks of a phishing attempt and see who takes the bait, he says. “We’re finding that about one in three will click on the link,” he says.
Marco predicts that cyber security attacks will increase by 50% in 2020. “There is an industry for cyber criminals that did not exist years ago. There is a market on the dark web for financial information and private information that is driving these criminals to work harder and find new ways to access this product they need to sell,” Marco observes. “We will see more use of ransomware also, because organizations are paying the ransom, and the criminals know that every hospital needs to make payroll. If [criminals] see that it works, they will keep trying to get ransomware into your systems.”
Marco also notes there have been ransomware attacks in which the healthcare organization refused to pay the ransom and did not report a breach, but still accessed data from backups. In those cases, the danger may not be over if the hackers could access protected data.
“I would anticipate that these hackers will get frustrated and eventually start releasing PHI [protected health information] from those organizations that did not pay,” Marco says. “Any organization in that position should be prepared for that possibility and have a plan in place for responding. It is possible that any patient whose PHI was released could complain to Health and Human Services, and it’s now a reportable breach.”
New compliance requirements also are possible in 2020. This will put added stress on covered entities to bolster their HIPAA protections at the same time they need to do more to protect themselves against cyberattacks, Marco explains.
“There’s a big push for privacy right now, and there is a good chance HIPAA will be amended to align with the public sentiment in favor of patients having more control over their health information,” he predicts.
Seegmiller notes the likelihood of undergoing an Office for Civil Rights audit also has increased in recent years. The rate of audits several years ago was so low that covered entities believed they would never be audited and grew lax in some areas of compliance, particularly the risk assessment requirement, he explains.
“We’re seeing a new trend with state attorneys general, who were deputized in the HITECH Act in 2009 to conduct these audits, getting more interested in HIPAA audits. It may be because they saw that the feds were collecting all these penalties from their audits, even though they were infrequent, and they saw a chance to get in on that,” Seegmiller observes. “It’s a revenue source. We’re seeing more attorney general audits that we didn’t see in the past.”
Marco notes there are simple steps for improving HIPAA security that often are overlooked. For example, the commonly used Microsoft Office 365 software includes privacy and security options that can be effective in reducing vulnerability to cyberattacks, but covered entities do not activate them, he says. Using two-factor authentication also can be highly effective in deterring fraudulent logins, Marco adds. This method usually requires sending a simple code to the authorized user’s mobile phone to verify the person’s identity before completing the login process.
“Multifactor authentication with a code sent by text message wards off 99.999% of attacks trying to compromise user accounts,” Marco says. “That’s a huge measure of safety that requires little investment or effort.”