Healthcare hacking incidents are increasing, there are new regulatory requirements and compliance initiatives due to Dobbs and Pixel use, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs, and the coming 12 months will likely see an increase in enforcement actions and lawsuits over privacy violations.
The recently published BakerHostetler Data Security Incident Response Report (DSIR) draws attention to these issues and provides insights into the threat landscape to help organizations determine how to prioritize their efforts and investments. The report, now in its 9th year, was based on 1,160 security incidents managed by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.
After a surge in ransomware attacks in 2021, 2022 saw a reduction in attacks; however, there was a surge in ransomware activity toward the end of the year and that surge has continued in 2023. That surge has coincided with increases in ransom demands, paid ransoms, and ransomware recovery times. In 2022, the average ransom demand and payment increased in 6 out of the 8 industries tracked. In healthcare, the average ransom demand was $3,257,688 (median: $1,475,000) in 2022, and the average payment increased by 78% to $1,562,141 (median: $500,000). Across all industry sectors, paid ransoms increased by 15% to $600,688.
Network intrusions also increased and were the most common type of security incident, accounting for almost half of all data incidents covered in the report. BakerHostetler notes that companies have been getting better at detecting and containing these incidents, with dwell time decreasing from an average of 66 days in 2021 to 39 days in 2022. The time taken for containment fell from 4 days to 3 days, and investigation time decreased from 41 days in 2021 to 36 days in 2022.
The increase in hacking and ransomware attacks has prompted companies to invest more heavily in cybersecurity, and while security defenses have been enhanced, cybercriminals have found new ways of circumventing those defenses and attacking systems. Techniques that have proven successful in 2022 include MFA bombing, social engineering, SEO poisoning, and EDR-evading malware.
The cost of cyberattacks increased significantly in 2022, with forensic investigation costs increasing by 20% from last year in addition to increases in the cost of business disruption, data reviews, notification, and indemnity claims. Legal costs from data breaches have also increased significantly as it is now common for multiple lawsuits to be filed in response to data breaches.
Data breaches of 10,001 to 500,000 records see an average of 12-13 lawsuits filed and lawsuits are even being filed for smaller data breaches, with breaches of less than 1,000 records typically seeing 4 lawsuits filed. According to BakerHostetler, lawsuits have doubled since last year and we are now at a stage where legal action is almost a certainty following a data breach. There have been increases in lawsuits for violations of state privacy laws, and with a further 4 states enacting new privacy legislation in 2022 and one more due to introduce a new privacy law in 2023, the compliance landscape is becoming more complicated.
In the summer of 2022, a report was published by the Markup/STAT detailing an analysis of the use of pixels (tracking technologies) on hospital websites. These code snippets are typically added to websites to track visitor activity to improve websites and services, but the code also transmits identifiable visitor information to third parties. The extent to which these tools were being used – without the knowledge of website visitors – attracted attention from the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) with both issuing guidance on the use of these tools. OCR and the FTC have confirmed that Pixel-related violations of HIPAA and the FTC Act are now an enforcement priority, with the FTC having already taken action against entities over the use of these tracking tools. Law firms have been quick to sue healthcare organizations over these privacy breaches. More than 50 lawsuits have been filed against healthcare organizations in response to Pixel-related breaches since June 2022 when the report was published.
A further study of the use of Pixels by healthcare organizations suggests almost 99% of US non-federal acute care hospital websites had pixels on their websites that could transmit sensitive data, yet only a handful of healthcare organizations have disclosed Pixel-related data breaches to OCR so far. There could well be a surge in HIPAA enforcement actions by OCR and huge numbers of lawsuits filed in response to these breaches over the coming months.
There are also likely to be enforcement actions against HIPAA-regulated entities and non-HIPAA-regulated entities in the healthcare space for privacy violations involving reproductive health information, as both the FTC and OCR have stated that reproductive health information privacy will be an enforcement priority. OCR’s HIPAA Right of Access enforcement initiative is still ongoing, and compliance remains a priority for OCR.
BakerHostetler has also issued a warning about HIPAA compliance for non-healthcare entities, stressing that HIPAA applies to employer-sponsored health plans. There was an increase in data breaches at employer health plans in 2022 and these are likely to come under increased regulatory scrutiny, not just by OCR but also the Department of Labor which is increasingly conducting follow on investigations focusing on the overall cybersecurity posture of these plans. State Attorneys general have also started taking a much more active interest in the activities of healthcare entities, with investigations by state attorneys general into violations of HIPAA and state laws increasing in 2022.
BakerHostetler also identified a major increase in snooping incidents in 2022. These incidents include healthcare employees snooping on healthcare records and attempting to divert controlled substances. The increase confirms how important it is to create and monitor logs of system activity to detect malicious insider activity quickly. BakerHostetler notes that having systems in place that monitor for system activity anomalies is also key to rapidly detecting hacking and ransomware incidents.
“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”
The post Organizations Face Increased Scrutiny of Health Data Breaches appeared first on HIPAA Journal.
