Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data

Ransomware groups target the healthcare sector because a successful attack gives them access to large amounts of sensitive data that can be easily monetized and used as leverage to get a ransom paid. Healthcare organizations are also heavily reliant on access to data to operate, therefore there is a higher probability that a ransom will be paid to regain access to encrypted data. Attacks on the sector are also increasing. According to Recorded Future, there were 358 ransomware attacks on healthcare organizations in 2023, a year-on-year increase of 46%.

A recent study by the cybersecurity firm Rubrik assessed the impact of ransomware attacks and found that attacks on healthcare providers impact more data than other industry sectors. Researchers at Rubrik Zero Labs determined that 20% of a healthcare organization’s sensitive data holdings are affected by a ransomware encryption event, compared to 6% in other industry sectors. That means 20% of healthcare data is encrypted, deleted, or stolen in an attack.

Healthcare organizations generally hold more sensitive data than other industry sectors. According to Rubrik’s analysis, healthcare organizations typically need to secure 50% more data than the global average, with healthcare organizations holding an average of 42 million sensitive data records compared to the global average of 28 million sensitive records. The amount of data stored also grows at a faster rate than in other industries. In 2023, a typical healthcare organization saw its data estate grow by 27% compared to 23% for a typical global organization, and the number of sensitive data records in healthcare grew by 63% in the past year compared to the global average of 13%.

The data for Rubrik’s report – The State of Data Security: Measuring Your Data’s Risk – came from telemetry across the company’s customer base of 6,100 organizations and a study conducted by Wakefield Research of more than 1,600 IT and security leaders. Across all industry sectors, 94% of IT security leaders said they had experienced a significant cyberattack in 2023, with an average of 30 attacks in the past year. One-third of IT security leaders said they had been affected by at least one ransomware attack, and 93% of organizations paid a ransom, with 58% of those paying to prevent the leaking of stolen data.

Dependence on the cloud is growing, with cloud architecture used to store 13% of an organization’s data on average, compared to 9% the previous year. According to Rubrik’s telemetry, cloud storage has inherent risks as there are security blind spots. Rubrik reports that 70% of all cloud-stored data is in object storage, which typically has much lower security coverage than other areas. 88% of all data stored in object storage is not confirmed as machine-readable or is not covered by prominent security technologies and services, and more than 25% of object storage data is subject to regulatory or legal requirements, such as HIPAA.

“Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky — especially in terms of what security teams can actually change and what they cannot,” said Steven Stone, Head of Rubrik Zero Labs. “With this report, we aim to provide quantifiable insights that IT and security leaders can bring back to their organization to drive greater cyber resilience – in particular with their partners in the business and governance teams.”

The post Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data appeared first on HIPAA Journal.

Test Post With DIA & MIA

The purpose of HIPAA compliance software is to provide a framework to guide a HIPAA-covered entity or business associate through the process of becoming HIPAA-compliant and ensuring continued compliance with HIPAA and HITECH Act Rules.

The HIPAA software helps compliance officers navigate the nuances of HIPAA and ensure all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied. The software also proves a company has made a good faith effort to comply with HIPAA by maintaining full documentation of compliance activities.

This ensures that if a company is audited by the HHS’ Office for Civil Rights (OCR) or is investigated by OCR or state attorneys general over a data breach, the organization can demonstrate no aspect of HIPAA has been missed, all policies and procedures are in order, members of the workforce have received training, and appropriate technical, physical, and administrative safeguards have been implemented and are being maintained.

It should be noted that the use of HIPAA compliance software will not absolve companies of liability in every circumstance (i.e., in the event of an employee violating HIPAA), but regulators do take a covered entity’s or business associate’s good faith efforts to comply with HIPAA into account when deciding whether a financial penalty or other sanction is appropriate.

If you are a vendor looking for information on how to make your software solution HIPAA compliant please click here.

Avoid Taking Shortcuts with HIPAA Compliance Software

Many compliance solutions only address specific elements of HIPAA compliance, such as the risk assessment. While HIPAA risk assessment software is a good place to start, it only covers one required provision of the HIPAA Security Rule.

Software that only covers specific aspects of HIPAA compliance will not help covered entities and business associates assess and demonstrate they are fully compliant. Even if covered entities and business associates are confident about their compliance programs, it is best to use a comprehensive software solution that covers all the required and addressable implementation specifications of HIPAA, the HITECH Act breach notification requirements, and even state laws.

A comprehensive compliance software solution may be more expensive in the short term, but by efficiently guiding covered entities and business associates through the full compliance process, costs can be reduced, all gaps can be identified and addressed, and the risk of regulatory fines for noncompliance can be reduced to a minimal level.

Best HIPAA Compliance Software

The best HIPAA compliance software is a comprehensive compliance solution that walks users through setting up, implementing, and maintaining HIPAA policies and procedures, tracks staff training, and ensures all appropriate safeguards are implemented to meet HIPAA Privacy and Security Rule requirements.

Many HIPAA compliance software solutions include templates for policies and HIPAA documents, such as business associate agreements. While these are certainly useful and can save compliance officers a great deal of time, HIPAA requires all policies and procedures to be specific and relevant to each organization.

The best HIPAA compliance software solutions make it easy for policies, procedures, and HIPAA documentation to be customized to cover the specific ways that the organization creates, receives, uses, stores, and transmits protected health information.

The top HIPAA compliance solutions also help with the management of business associates. Business associates can be fined directly for HIPAA violations, but HIPAA covered entities also have a responsibility to ensure vendors are fully compliant. A HIPAA breach at a business associate will have many negative implications for a covered entity.

Some HIPAA compliance software solutions allow covered entities to send self-audits to business associates, monitor the results of the audits, and track and maintain business associate agreements.

You should also look for a software solution that lets you track employee HIPAA and security awareness training to ensure that every member of the workforce has received and – where required – has attested to receiving training.

Last but not least, even the best HIPAA compliance software solutions are not guaranteed to resolve all HIPAA compliance issues. If problems are experienced, support staff should be available to guide you through the compliance process and answer any questions you may have about HIPAA. Look for a software provider that offers regular sessions with compliance experts who will be able to answer any HIPAA questions and assess your compliance program and progress.

Assessing Suitable HIPAA Compliance Software Vendors

Finding a suitable vendor of HIPAA compliance software can be a challenge. We suggest the following tips for finding a suitable software vendor to ensure the service provided for you is comprehensive and does not leave any unidentified gaps in your compliance efforts:

  • Avoid HIPAA training courses that promise compliance certification within a matter of minutes
  • Select vendors that offer compliance solutions tailored to your specific needs
  • Ensure somebody is available to answer any questions and guide you through the compliance process
  • Check the vendor offers a solution that supports continued compliance rather than simply providing a one-off assessment
  • Request verifiable testimonials from the vendor.

HIPAA Compliance Software Vs. HIPAA Compliant Software

The terms “HIPAA compliant software” and “HIPAA compliance software” are frequently used interchangeably by some software vendors, although the two terms mean something quite different.

“HIPAA compliance software” is more often than not an app or service that guides a business through its compliance efforts. This type of software can either help with specific elements of HIPAA compliance (i.e. Security Rule risk assessments) or provide a total solution for every element of HIPAA compliance.

HIPAA compliant software is usually an app or service for healthcare organizations that includes all the necessary privacy and security safeguards to meet the requirements of HIPAA – for instance, secure messaging solutions, hosting services, and secure cloud storage services. HIPAA compliant software does not guarantee compliance. It is the responsibility of users of the software solutions to ensure the software is used in a HIPAA-compliant manner.


HIPAA Risk Assessment Software

One of the most important elements of the HIPAA Security Rule is the risk analysis or risk assessment. The purpose of the risk assessment is to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). If the risk assessment is not performed, healthcare organizations cannot be sure that all risks have been identified, which means it will not be possible to reduce those risks to a reasonable and acceptable level through the HIPAA risk management process.

Even though the risk assessment is a foundational element of HIPAA compliance, it is one of the provisions of HIPAA that causes healthcare organizations the most problems. The failure to conduct an organization-wide HIPAA-compliant risk assessment is the single most common HIPAA violation penalized by OCR in its enforcement actions.

The use of HIPAA risk assessment software helps to ensure that the risk assessment is completed to the standard demanded by HIPAA, by guiding organizations through the whole process and ensuring all identified risks are tracked along with the efforts made by the company to remediate those risks.

HIPAA Compliance Certification for Software

There is no officially recognized HIPAA compliance certification for software, as any certification only confirms a software solution has incorporated all of the required safeguards to meet the requirements of HIPAA Rules. HIPAA compliance certification for software only confirms a solution is compliant at the moment when the compliance certificate is issued.

That said, many training and software companies issue HIPAA compliance certification to companies that have demonstrated compliance through the use of the software. These HIPAA compliance certifications may not be officially recognized by OCR and state attorneys general, but they do serve an important purpose.

They provide assurances that policies and procedures have been introduced in line with HIPAA, demonstrate a company is fully aware of its responsibilities under HIPAA and has provided appropriate training to employees, and confirm that software meets or exceeds the minimum standards for privacy and security demanded by HIPAA.

Vendors looking to break into the healthcare market will need to demonstrate to prospective healthcare clients that they are aware of their responsibilities with respect to HIPAA and provide “reasonable assurances” to the covered entity that they are compliant. This is achieved through the signing of a business associate agreement, but the use of HIPAA compliance software and any accompanying HIPAA compliance certification will help. It can be used to differentiate a company’s products and services and stand out from the competition.

Summary

It can be time-consuming finding a suitable vendor with a product to match your specific needs. There is no “one-size-fits-all” solution to HIPAA compliance, but the effort you put into identifying and addressing HIPAA compliance shortfalls is likely to pay dividends in the long run. Ensuring all aspects of HIPAA are satisfied should improve your security posture and help you prevent costly data breaches.

The software will ensure that no provision of HIPAA is overlooked, thus helping the company avoid regulatory fines for noncompliance.

FAQs

Is HIPAA compliance software the same for covered entities and business associates?

HIPAA compliance software is not the same for covered entities and business associates. While both covered entities and business associates are required to comply with all “applicable” standards of the HIPAA Administrative Simplification Regulations, a covered entity would likely need more comprehensive guidance through the complexities of the HIPAA Privacy Rule. In addition, topics such as business associate management would most often be unique to covered entities.

What is the most important feature of HIPAA compliance software for covered entities?

The most important feature of HIPAA compliance software for covered entities depends on whether gaps exist in the covered entity’s compliance efforts and what they are. For some covered entities, the risk assessment and analysis software may be most important. For others, it may be help with responding to an OCR audit or HIPAA breach.

What is the most important feature of HIPAA compliance software for business associates?

The most important feature of HIPAA compliance software for business associates will again depend on whether gaps exist in the business associate’s compliance efforts and what they are. However, one of the most important benefits of HIPAA compliance software for business associates is understanding business associate agreements. Too often, business associates sign unnecessary agreements, exposing themselves to liability if a covered entity is at fault for a data breach.

Is there any HIPAA software my organization should avoid?

With regards to HIPAA software your organization should avoid, be wary of any software vendor that offers compliance training or compliance certification “within an hour” or “for less than $20” – especially those who certify HIPAA compliance with a pass mark of less than 100%. While a certificate with a 75% compliance score may look good on your website, anyone familiar with HIPAA will know this means your organization is 25% non-compliant.

Where can I find out more about HIPAA compliance software?

You can find out more about HIPAA compliance software by taking advantage of our reader offer to see a demo of the Compliancy Group’s HIPAA compliance software in action. This will not only give you the opportunity to see what HIPAA software does, but also to ask questions about how the software can be customized to be suitable for your organization and the nature of its operations.

What is the purpose of HIPAA compliance software?

The purpose of HIPAA compliance software is to provide a framework to guide HIPAA-covered entities and business associates through the process of becoming HIPAA-compliant and ensuring continued compliance with HIPAA and HITECH Act Rules. The software helps compliance officers navigate the nuances of HIPAA and ensures all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied.

How can HIPAA compliance software help during an investigation or audit by OCR inspectors?

HIPAA compliance software can help during an investigation or audit by OCR inspectors by providing full documentation of compliance efforts. The documentation demonstrates that the organization has made a good faith effort to comply with HIPAA, that all applicable policies and procedures are in order, and that workforce members have received training.

Does HIPAA compliance software absolve organizations of liability in the event of a data breach?

HIPAA compliance software does not absolve organizations of liability in the event of a data breach because there are several types of events compliance software is not capable of preventing – for example, an employee stealing PHI for personal gain. However, the implementation and use of HIPAA compliance software can help demonstrate an organization’s good faith efforts to be compliant when regulators investigate a data breach.

What features should be included in the best software for HIPAA compliance?

The features that should be included in the best software for HIPAA compliance include features to help develop, implement, and maintain HIPAA policies and procedures, track staff training, ensure appropriate safeguards are implemented, and allow the customization of policies, procedures, and documentation. The best software for HIPAA compliance should also assist with the management of business associates and be supported by knowledgeable and available compliance experts.

Is there an officially recognized HIPAA compliance certification for software?

There is no officially recognized HIPAA compliance certification for software. However, some companies issue HIPAA compliance certifications to vendors who have demonstrated compliance with HIPAA by implementing measures to comply with the Security and Breach Notification Rules, and who have developed software with the capabilities to support HIPAA compliance by users.

The post Test Post With DIA & MIA appeared first on HIPAA Journal.

Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing

A federal court judge has recommended that a class action lawsuit against CommonSpirit Health over its 2022 data breach should be dismissed due to the failure of the plaintiff to demonstrate that she had been harmed by the data breach.

CommonSpirit Health suffered a ransomware attack on October 2, 2022, that affected more than 100 CommonSpirit Health facilities across the United States. A threat actor gained access to its systems on September 16, 2022, and had access to those systems until October 3, 2022. The forensic investigation and document review confirmed that the protected health information of more than 623,000 patients had been exposed. The exposed data included full names, addresses, healthcare providers, medical record numbers, treatment/prescription information, dates of medical services, other health insurance information, and patients’ facility/account numbers.

Multiple class action lawsuits making similar claims were filed against CommonSpirit Health over the cyberattack and data breach. The lawsuits alleged that CommonSpirit Health was negligent in failing to implement reasonable and appropriate safeguards to ensure the privacy of the protected health information it held, and that it delayed issuing breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries as a result of the breach, including more than $3,000 in bank account fraud that led to the closure of her account. As a result of the fraud, the plaintiff could not afford to pay her rent, lost her housing, her credit score dropped 60 points, and she claimed to continue to suffer harm, including panic attacks caused by the stress of the data breach. Maser’s lawsuit alleged negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment.

CommonSpirit Health argued that the plaintiff failed to allege a concrete or imminent harm to support Article III standing, failed to adequately allege the minimum amount in controversy under the Class Action Fairness Act, and failed to state a claim upon which relief could be granted. U.S. Magistrate Judge Susan Prose recommended that the lawsuit be dismissed due to a lack of Article III standing, as the plaintiff failed to demonstrate that the fraudulent charges were fairly traceable to the data breach.

This was the second such lawsuit against CommonSpirit Health to be tossed due to a lack of standing. Two lawsuits filed in Illinois against CommonSpirit Health – one by Jose Antonio Koch, individually and on behalf of his two minor children, and another by Leeroy Perkins – were consolidated into a single lawsuit, which was also dismissed for lack of standing by District Court Judge Harry D. Leinenweber.

The post Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing appeared first on HIPAA Journal.