[BreachExchange] Deeper Dive: The Changing Landscape of Healthcare Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 8 15:17:36 EDT 2016


http://www.lexology.com/library/detail.aspx?g=13c51e88-4d64-472a-a058-ccb5bc1a9993


For the second year in a row, the BakerHostetler Data Security Incident
Response Report demonstrates that healthcare breaches continue to be the
highest percentage of incidents that we handled in 2015. This year’s Report
provides insights generated from the review of more than 300 incidents that
our attorneys advised on in 2015. The report confirms the prevalence of
public healthcare data breaches as a result of the implementation of the
Health Information Technology for Economic and Clinical Health (HITECH) Act
and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus
Rule.


Why are healthcare breaches occurring more frequently?

Does the frequency of healthcare breaches mean that there are more
healthcare breaches occurring or that more are reported? The answer is
“Yes.” We are seeing more healthcare breaches occur. Further, since the
implementation of HITECH in 2009, covered entities under HIPAA are required
to report breaches to patients and the Office for Civil Rights (OCR), and for
any breaches that involve 500 or more individuals in a single state or
jurisdiction, they are required to issue a press release. Additionally, more and more
states are including health information in the definition of “personal
information” under the state statutes triggering a state obligation to
notify affected residents. The Centers for Medicare & Medicaid Services
(CMS) and the Joint Commission have opened investigations following certain
provider breach reports. As a result, more healthcare breaches are also
being reported, and our experience shows that the causes and severity of
these breaches are changing, as well.

How are healthcare breaches happening?

In 2015, we saw a change in how healthcare breaches happen. Prior to 2014,
hacking and phishing in healthcare breaches were rare in our experience. We
began seeing a shift beginning in 2014 that continued throughout 2016.
Although employee action or mistake continues to be a leading cause of
healthcare breaches, healthcare is being affected by
phishing/hacking/malware attacks just like any other industry. Training and
other technical safeguards (such as multifactor authentication for remote
access) must be considered by covered entities and their business
associates. The shift in the type of attacks has also driven an increase in
the severity of healthcare breaches because, in these types of breaches,
there is often a lack of log evidence to demonstrate that no breach
occurred.

What happens after a healthcare breach is announced?

While many of the breaches we handled in 2015 for healthcare organizations
involved fewer than 500 individuals, 2015 did see a rise in very large
healthcare breaches. The average number of individuals notified in
healthcare breaches worked on by our team was 340,000. Severity in terms of
regulatory scrutiny was also present. Any healthcare breach involving over
500 individuals will be investigated by the OCR, which is borne out in our
experience as well as in messaging from the OCR. 2015 also saw an increased
interest by state regulators in healthcare breaches, particularly when both
HIPAA and state laws are triggered. In conjunction with the OCR
investigations, state attorneys general are also responding to healthcare
breaches in the form of civil investigative demands and by issuing their
own separate consent orders. Further, health plans also have to answer to
additional regulatory bodies, such as state departments of insurance and
the National Association of Insurance Commissioners, following breach
notification.

OCR and state attorneys typically look to safeguards they consider
low-hanging fruit in their investigations:

- privacy and security awareness training of employees;
- policies and procedures;
- security risk analyses and risk management plans;
- intrusion detection and firewalls; and
- business associate agreements and vendor management.

Having these basic things in place not only helps during an OCR or state
regulatory investigation, but also provides basic protections to help
prevent breaches from happening in the first place.