Have You Seen Any of These Headlines?
“Healthcare data breach: 2.4m records potentially exposed at Forefront Dermatology”
“Data breach may have compromised up to 68,000 Advocate Aurora Health patients’ info”
“Data Breach at UC San Diego Health”
“US medical imaging center reports possible data breach after emails ‘accessed’”
“Hackers Breach San Diego Hospital, Gaining Access to Patients’… Well, Uh, Everything”
“Ransomware attackers wanted $80,000 from York Animal Hospital”
Cause of the Threat Increase
That’s just a small sampling of article headlines from recent weeks, reflecting the constant flood of breach disclosures from healthcare organizations. These are not all massive conglomerates; the cyber criminals have even ransomed a small animal hospital in York, Maine (population 12,529). So, what’s with the rise in cyber attacks on healthcare? It’s all about the value of data on the Dark Web. Recent reports reveal that medical information is worth eight to ten times more than financial data. And, with the additional increase in ‘double-ransom’ threats (where the threat actors steal data and lock down the networks, demanding ransom both for decryption and for not releasing the stolen data), it’s time for everyone to elevate their cyber resiliency stance, change the culture of security apathy, and take a role in preventing healthcare from being a hot target. And, if you think your organization is too small (this applies to every industry) to be on criminals’ radar, you are just plain wrong. Two in five SMBs were impacted by ransomware in 2020, and nearly 60% of companies that experience a cyber attack go out of business.
These are the Changes Being Made
As a result of the rise in healthcare breaches (from January 1 to July 31, 2021, 397 breaches totaling more than 27.7 million records were reported to the Office for Civil Rights (OCR), which requires reporting of any breach affecting 500 or more individuals), changes are underway in the framework of the HIPAA Security Rule. The evolution is to implement the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) on top of the current rules. Even the largest healthcare entities are struggling to conduct “accurate and thorough” Security Risk Assessments (SRAs), because the HIPAA Security Rule already included 42 requirements for data protection, now complicated further by the recent addition of the 5 NIST CSF Functions, 23 Categories, 108 Subcategories, and many Informative References for the subcategories.
Significant Financial Risk for Healthcare Organizations
Healthcare organizations must show “continuous improvement,” and failure to conduct “accurate and thorough” SRAs or to implement adequate security can result in significant fines and potentially years-long bans from Medicare reimbursements following multi-year investigations by the OCR. The fines range from $100,000 for a single practitioner office into the multiple millions, and since the OCR retains the fines, it may be well-motivated to increase audits and investigations. However, there are also incentives for following the latest framework, which can increase a healthcare organization’s Medicare reimbursements for 2021 by up to an additional 7%. Now is the time for everyone in healthcare to ensure they have partners, systems, and technology solutions in place to effectively protect personal health information, show continuous improvement in cyber security, and capitalize on these available incentives. Don’t make your organization the next breach headline, and ask yourself: are we prepared for an OCR audit and investigation?