Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach

The U.S. healthcare industry is currently engaged in a cyber war against a widely dispersed set of adversaries, which include hordes of financially-motivated hackers and organized cybercriminal groups, hacktivists, and nation-state-sponsored threat actors. Ransomware has become an epidemic, and while there are signs that attacks are leveling off or decreasing, the healthcare industry has yet to see such a dip, now being the most targeted sector.

One trend that has emerged is an increase in extortion-only attacks. Rather than breaching networks, exfiltrating data, and then encrypting files, attackers skip the ransomware altogether. Sensitive data is stolen and demands are issued for its safe return and to prevent the sale or publication of the data, with the file encryption element of the attack abandoned because it is time-consuming and noisy. One attack that has made the headlines – the cyberattack on the Australian health insurer, Medibank Private Ltd – confirms the global nature of the current cyber war, which healthcare organizations around the world are struggling to win. The attack stands out due to the scale of the data theft and the callousness of the perpetrators.

The Medibank Cyberattack

Medibank Private Ltd. is the largest private health insurer in Australia, covering around one in six Australians. On October 13, 2022, Medibank detected suspicious activity within its network. The unauthorized access was terminated, and initially, Medibank CEO David Koczkar issued a statement saying no evidence was found that customer data was accessed. Medibank was then contacted on October 17, 2022, by the threat actor behind the attack seeking payment to prevent the release of stolen data. Threats were issued to publish the stolen data, starting with a sample of the data of some of the most prominent customers, including politicians, actors, activists, social media personalities, and people with “very interesting diagnoses.” Medibank confirmed data theft had occurred on October 20.

Access to the network was gained, sensitive data was stolen, and a ransom demand was issued to prevent the publication and sale of the stolen data of 9.7 million current and former customers. The ransom demand was $9.7m, or $1 for each of the affected individuals. The attack has been attributed to an unnamed Russian cybercriminal group, with reports suggesting REvil was behind the attack. REvil’s data leak site redirects to the site where the Medibank data is being published. REvil was one of the most prolific cybercriminal groups in operation; however, following the arrests of several alleged key members of the group, Russia’s federal security service (FSB) said REvil no longer exists. Whether this attack signals the rebirth of REvil, or whether it was conducted by an affiliated group, has yet to be confirmed. The Australian Federal Police (AFP) claims to know which group is behind the attack.

Medibank said the threat actor infiltrated its systems using “high-level credentials,” which had the necessary clearance to access large amounts of data, and that multi-factor authentication was protecting those accounts. How those credentials were stolen and MFA was bypassed has not been made public.

The Hackers Show No Mercy

Medibank said it received counsel from cybersecurity experts regarding paying the ransom, and the consensus was that if the ransom was paid, there was only a limited chance that the stolen data would be returned, that all copies would be deleted, and that there would be no sale or misuse of the data. The decision was then made not to pay the ransom, the implications of which were felt last week when the threat actor started to publish samples of the stolen data, initially posting two lists of data each containing around 100 records.

One was referred to as a “naughty list” which included the data of individuals who had claimed for treatment for drug addiction and mental health issues, and a “good list” that included claims for more generic hospital procedures. That was followed by the publication of another file that included details of around 300 individuals who had claimed for healthcare services related to the termination of pregnancies, then another file was published containing the details of 240 customers who had claimed for alcoholism-related treatments. The information of more than 480,000 customers has now been leaked. Medibank is standing by its initial decision not to make payment.

Medibank has reported to the Australian Stock Exchange that it is expecting a financial hit of around $25m to $35m, not including any regulatory fines or litigation. In terms of the latter, there could well be several lawsuits filed. Lawyers around the country are currently assessing the potential for suing Medibank over the data breach and are assessing the harm that has come from the exposure of highly sensitive data. The breach mitigation and legal costs will have to be covered by Medibank, as chief financial officer, Mark Rogers, confirmed that there was no cyber insurance policy in place due to the excessive cost.

Lessons US Healthcare Organizations Can Learn from the Medibank Cyberattack

The Medibank cyberattack is horrific – for Medibank and especially the 9.7 million affected individuals, and the repercussions will be felt for a long time to come. The situation is still evolving, but there are already lessons to be learned from this hugely damaging cyberattack.

Cybersecurity must be a board-level issue

Even with considerable investment in cybersecurity, defenses can be breached. The security posture of Medibank at the time of the attack is unclear, but one issue that has come to light is the lack of board involvement in cybersecurity at Medibank. Medibank chairman, Mike Wilkins, confirmed there were no cybersecurity or IT experts on the board, something that is all too common at healthcare organizations. Given the high risk of a cyberattack and its potential implications, board-level oversight of cybersecurity is essential. According to Deloitte, which has been called in to investigate the security breach, “Boards have now started looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firmwide implications… Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”

Hope for the Best, But Plan for the Worst

It is often only when a cyberattack occurs that cybersecurity gets the investment it needs, yet the high risk of an attack should come as no surprise to any healthcare organization, given the frequency with which attacks are now being reported. Koczkar has stated that Medibank had planned for such an attack and was able to immediately implement its cyber response strategy for exactly this type of event. However, while an incident response plan had been implemented, shareholders have been voicing concerns about Medibank’s level of preparedness for such an attack, not just in terms of incident response, but also the measures that had been implemented to prevent such a breach. Healthcare organizations can hope for the best, but they need to assume that a cyberattack is inevitable and ensure appropriate defenses are in place. It is also vital not just to develop and implement a breach response plan, but to practice the incident response with tabletop exercises involving all teams that take part in the response.

The Importance of Transparent Communication with Customers and Shareholders

The decision of whether or not to pay the ransom is not straightforward, and while there are very good reasons for not paying a ransom, there are repercussions for any decision, as this attack has shown. Medibank clearly stated the reasons why the ransom was not paid, and it was clearly communicated that their decision was in line with the recommendations of the Australian government.

Medibank appears to have opted for a strategy of damage limitation to protect the company’s reputation by downplaying the seriousness of the breach, and that approach has backfired. The CEO first issued a statement that no evidence of data theft had been found, then issued another statement that the attack appeared to be a precursor to a ransomware attack, before finally admitting that data theft had occurred.

Shareholders have been demanding answers with share prices falling sharply, forcing three halts on trading. Many are furious about the management of the breach and the level of transparency of Medibank post-breach, with little information or reassurances provided. Transparency and clear communication with shareholders and customers can go a long way toward protecting a company’s reputation after a data breach, especially one where the perpetrators have been telling shareholders to sell all their shares.

Zero-Trust and Phishing Resistant Multi-factor Authentication

It is currently unclear how credentials were obtained and MFA bypassed, but phishing is a reasonable assumption. While it is important to protect all accounts with multi-factor authentication, especially accounts with high levels of privileges, not all forms of MFA provide the same level of protection. Healthcare organizations should follow the advice of CISA and implement phishing-resistant MFA. A change of mindset is also required for security, shifting from traditional perimeter defenses to zero-trust, with the latter assuming that a network has already been breached, with controls implemented to validate all stages of digital interactions to limit the potential for lateral movement.

The Importance of Cyber Insurance

Medibank will face a huge financial hit from the attack, the initial estimates of which appear to be very low. While the average cost of a healthcare data breach is now $10.1 million, according to the IBM Security 2022 Cost of a Data Breach Report, the cost of mega data breaches of 1 million to 10 million records was calculated to be $49 million, and $180 million for breaches of 10M-20M records. Bloomberg Intelligence suggests the breach cost could rise as high as $450 million if customers sue for damages. Cyber insurance is unlikely to pay all breach-related costs, but the failure to have any cyber insurance policy is a serious risk, and that decision could prove to be incredibly costly.

Greater Protection for Highly Sensitive Data

The nature of the data published by the attacker is shocking. In the United States, disclosure of the details of individuals who have had a legal abortion could cause incredible harm and potentially put women at risk of criminal charges. These data types, along with other highly sensitive information such as substance disorder treatment information, data of domestic violence victims, and patients with stigmatized diseases such as HIV, should be subject to far more stringent protections, as far as is possible, due to the harm that can be caused if that information is exposed. In the Medibank attack, patient data in all of those categories was obtained and published.

The Australian Cyber Security Minister, Clare O’Neil, said that the damage caused by the Medibank cyberattack is “potentially irreparable”. It may be too late for Medibank, but as more information about the attack and response comes to light, the lessons learned will be invaluable to healthcare organizations around the world and may help them prevent similar incidents and manage successful attacks better to reduce the damage caused.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach appeared first on HIPAA Journal.

Editorial: 5 Reasons Why HIPAA Training is Important

HIPAA training is important beyond “ticking the box” of HIPAA compliance. In this article, we explain how a fully trained and compliant workforce can deliver multiple benefits for organizations subject to HIPAA and provide 5 reasons why HIPAA training is important.

HIPAA training is a requirement of the Privacy and Security Rules. According to the Privacy Rule, Covered Entities must train workforce members on the HIPAA-related policies and procedures relevant to their roles; while, according to the Security Rule, both Covered Entities and Business Associates must implement a security awareness and training program for all members of the workforce – even those with no access to ePHI.

#1. Reduce the Risk of HIPAA Violations

HIPAA training should be more than a box-checking exercise for compliance. The purpose of training workforces on HIPAA-related policies and security awareness is so they can perform their roles compliantly and avoid making mistakes that could result in a privacy violation. One of the most important reasons for training is to ensure the privacy of protected health information and prevent HIPAA violations.

#2. Demonstrate a Good Faith Effort

Sometimes, despite an organization’s best efforts, employees may violate the HIPAA Rules. All violations must be reported to the HHS’ Office for Civil Rights (OCR) and OCR may choose to investigate. If an investigation is initiated, a HIPAA-regulated entity will need to demonstrate its good faith effort to achieve HIPAA compliance. Providing evidence that training has been provided to the workforce will demonstrate that this was an isolated incident, which could result in the avoidance of sanctions and penalties.

#3. Provide an Efficient Workplace Structure

With effective HIPAA training, members of the workforce not only know what they have to do to be HIPAA compliant but also why they need to act in a specific way with respect to protected health information. This provides an efficient workplace structure in which time-wasting due to a lack of knowledge is minimized. Effectively, the cost of HIPAA training pays for itself in increased productivity, which – in a healthcare setting – can have benefits for patient care, Medicare star ratings, and profitability.

#4. Stronger Defense Against Cyberattacks

HIPAA training is important because all members of the workforce need to understand how to be HIPAA compliant. Security awareness training is important as employees are trained on security best practices to prevent the exposure of protected health information and to make it harder for malicious actors to gain access to patient data. The security awareness training requirements of HIPAA help to improve an organization’s security posture and prevent data breaches.

#5. Encourage Openness by Patients

Research suggests that when patients trust their healthcare providers to keep their personal information private and confidential, they tend to be more open about their symptoms and voice health concerns with their healthcare providers. More openness by patients helps healthcare providers make more accurate diagnoses and better-informed treatment decisions – which can improve patient outcomes. One of the best ways of ensuring patient privacy is HIPAA compliance, and ensuring regular training is provided to the workforce.

Conclusion: HIPAA Training is Important Beyond Ticking the Box

OCR maintains a “breach portal” which is a publicly available record of all data breaches of 500 or more records, all of which are investigated by OCR. The archive contains cases that have been closed, including resolutions with a financial penalty, corrective action plan, or technical assistance. Almost one-third of the resolved cases have included a requirement for the Covered Entity or Business Associate to provide more training or increase the frequency of existing security awareness training.

This shows that many organizations are not taking the importance of HIPAA and security awareness training seriously enough. While the provision of HIPAA and security awareness training doesn’t guarantee violations will not occur, being able to demonstrate an effective training program will lessen the sanctions imposed by OCR. In some cases, this can significantly reduce the indirect costs associated with revising policies and procedures, providing training on the revisions, and the business disruption this will cause.

In addition, HIPAA training can help with the creation of an efficient workplace structure, build stronger defenses against cyberattacks, and encourage openness by patients that results in better patient outcomes. Covered Entities and Business Associates that are unsure about any potential gaps in their training programs should seek professional compliance advice.

Steve Alder, Editor-in-Chief, HIPAA Journal


Editorial: 5 Gaps in HIPAA and How They Are Being Filled

There are – and always have been – gaps in HIPAA and, after more than a quarter of a century, some have yet to be addressed.

Most of the gaps in HIPAA are attributable to omissions from the original Act, provisions of HIPAA and HITECH that have never been enacted, and the increasing use of technology in healthcare. We have identified 5 gaps in HIPAA (there are plenty more) and discuss how these are being – or have been – filled.

The passage of HIPAA resulted in multiple benefits for the health insurance industry, the healthcare industry, and the people that they serve. For example, the Administrative Requirements (Part 162) helped reduce insurance fraud and accelerated eligibility inquiries, authorization requests, and claims processing.

The reduction in insurance fraud meant that plan members did not have to cover the cost of HIPAA’s portability provisions through increased premiums, while patients requiring health services did not have to wait so long for treatment to be provided. Additionally, the passage of HIPAA led to the creation of a federal floor for the privacy of individually identifiable health information.

Despite these benefits, there are gaps in HIPAA, the Rules that evolved from HIPAA, and subsequent legislation that could further benefit the health insurance industry, the healthcare industry, and the people they serve. We look at five of the gaps in HIPAA, explain their consequences, and discuss how they are being – or have been – filled.

#1. Healthcare Providers Not Covered by HIPAA and the Privacy of Health Information

At the time HIPAA was passed in 1996, many healthcare providers did not qualify as Covered Entities because they did not conduct electronic transactions for which the Department of Health and Human Services (HHS) had established standards under the Transactions Rule. Despite the increasing use of technology, there are still some healthcare providers who do not qualify as Covered Entities.

These include – but are not limited to – medical practitioners who only accept direct payments from patients, vendors of personal health records that connect with devices such as exercise trackers, and healthcare facilities that use non-electronic channels for covered transactions. (In 2013, HHS confirmed that paper-to-paper, non-digital faxes are not covered transactions).

This gap in HIPAA – in which not all healthcare providers qualify as Covered Entities – means there are occasions when health information is not covered by the Privacy and Security Rules. Fortunately, this gap is increasingly being filled by state legislators passing privacy laws that provide as many – if not more – privacy protections as HIPAA.

#2. Health Care Data Collected by Personal Health Records

A common misconception about HIPAA is that all healthcare data is subject to its protection. As discussed above, this is not the case because not all healthcare providers qualify as Covered Entities. However, the issue of personal health records deserves its own section in this article because – until recently – the oversight of personal health records has been minimal.

Not only do mHealth apps lack HIPAA-compliant privacy and security protections, but users are also unable to request access to sensitive data stored by the vendor – contrary to the HIPAA rights principles of the Privacy Rule. Furthermore, vendors have been sharing users’ data with third parties – despite promising to keep it private – with no control over how it is further used or disclosed.

This gap in HIPAA is currently being closed by the Federal Trade Commission (FTC) – which has the authority to pursue civil action against any company that discloses sensitive consumer data after promising to keep it private under the Deceptive Trade Practices clause of the FTC Act. The agency also has the authority to pursue enforcement action against vendors of personal health records if they experience a data breach and fail to report it as required by the Breach Notification Rule.

#3. The National Patient Identifier

In the text of HIPAA, there is a section entitled “General Requirements for the Adoption of Standards” which requires the Secretary of the Department of Health and Human Services to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider.” While unique health identifiers have been adopted by employers, health plans, and healthcare providers, there is a gap in HIPAA relating to National Patient Identifiers.

The purpose of National Patient Identifiers (NPIs) is to increase efficiency, save costs, facilitate interoperability, support accurate data registries, and improve security (because if a patient’s NPI is compromised, all that is breached is health data and no other identifiers). They also have the potential to improve patient safety by making it more difficult for patient records to be mismatched. Despite these clear benefits, Congress has prevented the HHS from implementing NPIs by withholding funding; the cost of implementing NPIs was forecast (in 2008) to be between $1.5 billion and $11.5 billion.

However, in 2015, Congress partially relented its stance by passing the Medicare Access and CHIP Reauthorization Act which requires the Centers for Medicare and Medicaid to remove Social Security Numbers from Medicare cards and replace them with Medicare Beneficiary Numbers. Advocates of NPIs are hoping that the introduction of Medicare Beneficiary Numbers (which went into effect in January 2020) will demonstrate to Congress that the benefits of NPIs far outweigh the costs.

#4. Not Making Business Associates Directly Liable for HIPAA Violations

Prior to the HITECH amendments implemented in the Final Omnibus Rule, Business Associates were not directly liable for HIPAA violations. Additionally, Covered Entities were not required to oversee the means by which Business Associates complied with the Privacy and Security Rules, nor ensure their Business Associates complied with the terms of their Business Associate Agreements.

Consequently, when data breaches occurred due to a lack of compliance by Business Associates, there was no accountability. The HHS’ Office for Civil Rights had no authority to take enforcement action against Business Associates, while the Covered Entities for whom the Business Associates were performing a service could claim they were unaware of the lack of compliance and escape sanctions.

This gap in HIPAA was closed by the HITECH (Omnibus Rule) amendments and the Breach Notification Rule, which requires Business Associates to report data breaches to Covered Entities within sixty days of the discovery of the breach – even if only one record has been breached. Subsequently, multiple Business Associates have been issued with HIPAA violation fines and Corrective Action Plans.

#5. OCR’s Failure to Issue (Enough) Financial Penalties

The HHS’ Office for Civil Rights (OCR) has followed a policy of leniency in enforcement actions for HIPAA violations – often favoring voluntary compliance and technical assistance ahead of civil monetary penalties and financial settlements. To date (September 2022), OCR has imposed civil monetary penalties or reached settlements in only 126 cases. In two rounds of HIPAA compliance audits, widespread non-compliance was identified, yet no financial penalties were issued.

While the risk of financial penalties may have been an incentive for some to get compliant, many HIPAA-regulated entities only made a cursory effort to achieve compliance with the HIPAA Rules, with some HIPAA requirements ignored entirely. While there was a risk of a financial penalty, very few penalties were actually being imposed. Only one penalty was issued in each of 2008 and 2009, 2 in 2010, 3 in 2011, and 6 in 2012. OCR has stepped up HIPAA enforcement in recent years, with 20 issued so far this year.

There is a school of thought that if the HHS will impose financial penalties for data breaches regardless, why go to the expense of ensuring full compliance? This reluctance to invest in security to prevent cyberattacks and data breaches has now been addressed with the introduction of a partial safe harbor for organizations that have adopted ‘recognized security practices’ continuously for the 12 months prior to a data breach. The reward is that OCR will consider those measures when making determinations about financial penalties, and the extent and length of audits and investigations will be reduced.

Part of the reason for the lack of financial penalties is funding. OCR is a big department with a wide remit, and investigations of HIPAA violations are expensive. Its budget for enforcement is also being stretched further due to the huge number of data breaches that are now occurring. OCR requested a 55% increase in funding for 2023 to support its HIPAA enforcement efforts, but that request is still under review. Had OCR pursued financial penalties more aggressively over the past decade, it would have been easier to justify an increase in funding – notwithstanding that more organizations might have been more motivated to get compliant. OCR will also soon have to share a proportion of the funds it raises through its enforcement actions with victims of HIPAA violations, so without the funding increase, HIPAA enforcement may suffer even more.

Steve Alder, Editor-in-Chief, HIPAA Journal


Editorial: Why Do Criminals Target Medical Records

The healthcare industry is extensively targeted by cybercriminals, who seek access to healthcare networks for a range of nefarious purposes. Medical records are highly prized, but why are medical records so valuable to criminals?

Hackers are going to great lengths to gain access to healthcare networks. Data compiled by HIPAA Journal from breach reports submitted to the HHS’ Office for Civil Rights (OCR) shows that the number of data breaches reported by HIPAA-regulated entities continues to increase every year. 2021 saw 714 data breaches of 500 or more records reported to OCR – an 11% increase from the previous year. Almost three-quarters of those breaches were classified as hacking/IT incidents.

Healthcare organizations, especially healthcare providers, are attractive targets for hackers as they store huge amounts of valuable patient data. Large health systems store millions of patient records and even relatively small healthcare providers may store the records of hundreds of thousands of patients. The stored data is highly detailed, including demographic data, Social Security numbers, financial information, health insurance information, and medical and clinical data, and that information can be easily monetized.

How do Hackers Make Money from Stolen Medical Data?

Healthcare records are so valuable because they can be used to commit a multitude of crimes. Social Security numbers, dates of birth, and demographic data can be used to commit identity theft to obtain loans and credit cards in victims’ names. Healthcare data can be used to impersonate patients to obtain expensive medical services, Medicare and Medicaid benefits, healthcare devices, and prescription medications. Healthcare records also contain the necessary information to allow fraudulent tax returns to be filed to obtain rebates.

In contrast to credit card numbers and other financial information, healthcare data has an incredibly long lifespan and can often be misused for long periods undetected. Credit card companies monitor for fraud and rapidly block cards and accounts if suspicious activity is detected, but misuse of healthcare data is harder to identify, and the data can be exploited in many ways before any malicious activity is detected. During that time, criminals can run up huge debts – far more than is usually possible with stolen credit card information.

Stolen data can be used to develop convincing spear phishing, smishing, and vishing campaigns, where the attacker impersonates a hospital or health insurer. Medical records contain highly sensitive information about medical conditions, pregnancies, abortions, and sexual health tests, and that information can easily be used for extortion and blackmail.

Patient data stolen from healthcare organizations is often processed and packaged with other illegally obtained data to create full record sets (fullz) that contain extensive information on individuals, often in intimate detail. These full record sets are often sold on dark web sites to other criminals who use the data to obtain documentation such as Social Security cards, driver’s license numbers, and passports. The documentation allows an identity kit to be created, which can then be sold for considerable profit to identity thieves or other criminals to support an extensive range of criminal activities.

Healthcare Data Can be Used as Leverage

Many of the hacking incidents now being reported by healthcare providers involve the use of ransomware. Ransomware is used to encrypt files and prevent access, with the aim of causing massive disruption to business operations. Faced with an inability to operate, businesses are forced to pay the attackers for the keys to decrypt their data. Without access to critical systems, and especially if medical records are encrypted, patient safety is put at risk. Attacks on healthcare providers are therefore more likely to see ransoms paid than attacks on other sectors that are less reliant on data, which is why many ransomware gangs target the healthcare industry.

These attacks prevent access to data, but recovery is possible from backups. In response, the Maze ransomware gang started exfiltrating data before encrypting files and using the stolen data as leverage to pressure victims into paying the ransom. Threats were issued to publish or sell the data if payment was not made.

Even if data can be recovered from backups, many healthcare organizations felt compelled to pay to prevent the misuse of patient data. This tactic has been so successful that many cybercriminal gangs are dispensing with encryption and are now just kidnapping data. It’s faster, attacks are less likely to be detected, and the effort required is much lower, allowing more healthcare organizations to be attacked. There may be no threat of data loss, but the reputational damage that results from the exposure of patient data can be substantial.

Healthcare Organizations are an Easy Target

Healthcare organizations store large amounts of high-value data, which makes them an attractive target for hackers, and they are often easy to attack. The IT environments of healthcare organizations are often complex and difficult to secure. Devices and software continue to be used after they have reached end-of-life, as upgrading is costly and often problematic. Many healthcare providers use software solutions that were developed to work on specific – and now obsolete – operating systems and cannot be transferred to supported operating systems.

Vast numbers of connected devices are used in hospitals. IBM’s research suggests an average of 10-15 devices are used per hospital bed, with the number of medical and IoT devices growing at a considerable rate. Keeping track of those devices and ensuring they are secured and kept up to date is a major challenge. Securing medical and IoT devices can also be problematic, as many devices have not been developed with security in mind.

Healthcare professionals need easy access to patient data. Members of the care team often work from different locations, so remote access is required, which introduces further risks. Healthcare environments are busy, and employees are often overstretched, which inevitably results in human vulnerabilities that can be easily exploited. The healthcare industry is particularly susceptible to phishing attacks due to a combination of busy working environments, overstretched staff, and a lack of regular security awareness training. A 2021 study by MediaPro of 850 healthcare employees rated 72% of employees as a security risk, with only 28% demonstrating that they had the skills to recognize and avoid phishing attacks.

Further, many healthcare organizations are still heavily reliant on traditional security solutions, such as network and endpoint technologies, which are not effective at securing cloud infrastructure and IoT devices.

How Can Healthcare Cybersecurity Be Improved?

Phishing, ransomware, and malware attacks on the healthcare industry are profitable, and that is unlikely to change, so healthcare organizations need to concentrate on improving their defenses and strengthening their cyber posture to make it harder for cyber actors to succeed.

The starting point should be a comprehensive risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. Audits and investigations by OCR often identify failures with risk analyses, which are commonly not comprehensive in scope. Healthcare organizations need to identify all systems, devices, and locations where ePHI is stored, conduct a comprehensive organization-wide risk analysis, and then manage and reduce the identified risks in a timely manner.

Cybersecurity best practices need to be followed, including conducting regular vulnerability scans, patching promptly, backing up data, implementing network segmentation, creating and maintaining an accurate inventory of all devices connected to the networks, and implementing robust access controls with multi-factor authentication.

Regular security awareness training for the workforce is a vital part of improving security posture. Security awareness training should have a strong emphasis on phishing and other attack methods that target employees and should be accompanied by phishing simulations.

Given the rapidly evolving threat landscape and the difficulty of securing the sprawling attack surface, healthcare organizations should also strongly consider implementing zero-trust architectures to protect systems and data when threat actors succeed in breaching their perimeter defenses.

Steve Alder

Editor-in-Chief, HIPAA Journal

The post Editorial: Why Do Criminals Target Medical Records appeared first on HIPAA Journal.

Editorial: How Does HIPAA Improve Healthcare?

Questions are often sent to HIPAA Journal about the Health Insurance Portability and Accountability Act, one of which is how HIPAA has improved healthcare. In this post, I explain some of the main ways that healthcare has been improved by HIPAA for healthcare providers, health plans, and patients.

How Does HIPAA Improve Healthcare?

There has been a lot of criticism about HIPAA in the past and it continues to be a pain point for many healthcare providers. Compliance with the HIPAA Rules can be challenging, and healthcare professionals may feel that HIPAA unnecessarily limits their ability to deliver healthcare efficiently.

While the HIPAA Rules may be a cause of frustration and seem overly restrictive in some respects, HIPAA has done a great deal to improve healthcare. To appreciate some of the key benefits of this landmark piece of healthcare legislation, you need to cast your mind back to before HIPAA was signed into law in 1996 – several years prior to the introduction of the HIPAA Privacy and Security Rules, for which HIPAA is now best known.

HIPAA Made Health Insurance Portable and Improved the Continuity of Coverage

The main purposes of HIPAA, at least at the time when the legislation was first introduced, had nothing to do with healthcare data privacy and security. One of the main purposes of HIPAA was to ensure the portability of health insurance and the continuity of health insurance coverage when people lost or changed their jobs. Prior to HIPAA, many people felt stuck in their jobs because they rightly feared that if they were to leave their employment, they would lose their health insurance coverage. This was known as job lock and was common, as most Americans have health insurance provided by their employer, and an employee could not take those benefits with them when they left employment. The change brought about by HIPAA helped to improve labor market mobility by ensuring healthcare benefits were not lost.

HIPAA Improved Efficiency and Reduced Waste and Fraud

Another important goal of HIPAA was to improve efficiency in the healthcare industry and reduce the considerable administrative burden on healthcare organizations. Prior to HIPAA, a great deal of time and money was wasted on inefficient processes, it was easy to mismatch patient data, and the process of conducting eligibility checks was cumbersome. This was largely due to there being no national standards for all healthcare organizations to adhere to, and that resulted in an incredible amount of wastage. The cost of that inefficiency reduced the profits of healthcare organizations and ultimately meant higher costs for patients.

Inefficient processes and the lack of standards created an environment ripe for abuse, and there were considerable losses to healthcare fraud which contributed to the rising costs of healthcare. The improvements made to efficiency through standardizing healthcare transactions and the use of the same code sets have helped to keep the costs of healthcare down and reduce the potential for fraud. Less wastage means lower costs, which means more money is available for improving healthcare services, and the removal of the inefficiencies has helped health plans keep the costs of health insurance down. Healthcare costs may currently be high, but they would be considerably higher were it not for HIPAA. In the 1980s and 1990s, healthcare costs were rising by around 10% per year, whereas after the introduction of HIPAA the increases have been around half that level.

The improvements to efficiency through the standardization of healthcare transactions have also helped to improve patient safety by reducing medical errors. While patient mismatching does still occur – there is still no national identifier despite it being a requirement of HIPAA in 1996 – HIPAA has helped to improve patient safety.

HIPAA Improved Patient Privacy

HIPAA called for the Secretary of the Department of Health and Human Services to recommend privacy standards, which led to the introduction of the HIPAA Privacy Rule. While the Privacy Rule has been heavily criticized – sometimes justly – it has greatly improved healthcare for patients by ensuring the privacy of their healthcare data.

The restrictions on uses and disclosures of healthcare data imposed by the HIPAA Privacy Rule have huge benefits for patients. The HIPAA Privacy Rule prohibits disclosures of patient information to people who do not have a legitimate reason for having that information and limits disclosures without patient consent. The Privacy Rule prohibits healthcare workers from discovering the healthcare secrets of their acquaintances, co-workers, and neighbors. It stops receptionists from accessing the intimate healthcare information of patients. By ensuring patient privacy, patients are more likely to feel comfortable sharing sensitive information with their caregivers, knowing that it is not permitted for that information to be discussed or shared outside of the care setting.

The HIPAA Privacy Rule has also allowed patients to restrict with whom their healthcare information can be shared, allowing them to prevent certain family members from accessing their data or having sensitive medical information shared with their employer.

The HIPAA Privacy Rule also gave patients the right to obtain a copy of their healthcare data, which empowers them to take a more active role in their own healthcare and share their healthcare data with whomsoever they wish. If a patient wants to change healthcare providers, they can take their records with them, which means avoiding having to cover the cost of having medical tests repeated.

Patients can check their healthcare information for errors and have those errors corrected. They can identify any misrecording of their information or mismatching of healthcare data. Patient safety has been improved by involving patients more in their healthcare.

Before the HIPAA Privacy Rule was introduced, healthcare providers did not have to provide patients with a copy of their healthcare data at all, and if they did agree to share the information with patients, there were no restrictions on what they could charge for doing so.

HIPAA Protects Electronic Healthcare Data

The move to electronic health records helped to improve efficiency in healthcare but increased the potential for healthcare data to be viewed by unauthorized individuals. In the digital age, many safeguards are required to keep electronic data protected.

The HIPAA Security Rule requires covered entities to anticipate threats and proactively take steps to safeguard against them. The HIPAA Security Rule sets minimum standards for data security that all HIPAA-covered entities are required to implement, which helps to keep electronic healthcare data private and confidential. Many of the healthcare data breaches that are now being reported are due to errors and failures to fully comply with the minimum standards of HIPAA.

Another benefit of HIPAA is that patients and health plan members must be told about any breaches of their personal healthcare data, which allows them to take steps to protect themselves against identity theft and fraud. Without the HIPAA Breach Notification Rule, there would be no federal requirement for healthcare organizations to notify patients about breaches. Individual states would be left to decide whether notifications were necessary and how quickly they would need to be provided.

You only need to look at the current patchwork of laws at the state level to see how much privacy and security protections vary depending on where people live. HIPAA has created standards for the privacy and security of healthcare data that apply across the United States and territories, ensuring minimum standards must be met, no matter where a person lives.

Summary

These are just some of the main ways that HIPAA has improved healthcare: Ensuring the continuity of health insurance coverage, improving efficiency, reducing the potential for medical errors, combatting the considerable amount of fraud and abuse in healthcare, giving patients rights over their healthcare data, and protecting patient privacy and preventing unauthorized access and disclosures of healthcare data.

HIPAA has helped to reduce the cost of healthcare, has improved patient safety, and helps to protect Americans from identity theft and fraud. HIPAA may be far from perfect, but the benefits of the legislation and subsequent amendments are considerable.

Steve Alder, Editor-in-Chief, HIPAA Journal
