[BreachExchange] Lax Security to Blame For Record Pace of HIPAA Breaches, Feds Say

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 29 13:56:41 EDT 2017


http://m.mspmentor.net/security/lax-security-blame-record-pace-hipaa-breaches-feds-say

A continued lax security posture by too many healthcare organizations is
making them increasingly attractive targets for cyber criminals, who have
executed a record number of successful breaches of HIPAA-protected
information this year, federal health officials told MSPmentor.

The 221 major breaches reported under HIPAA regulations so far this year
mark a 66-percent increase over the 133 breaches reported for all of 2016,
according to our analysis of records from the U.S. Department of Health and
Human Services Office of Civil Rights (OCR).

That spike is driven by a dramatic surge in incidents attributed to
“Hacking/IT Incidents,” which are already up 82 percent from a year ago.

“The increase in breaches of records involving 500 or more individuals is
the key trend that we have observed,” Lou Burton, a media affairs
specialist at OCR, said in an email.

“Additionally, reported breaches of 500 or more due to ‘hacking or IT
incidents’ are on the rise, which is consistent with the increase in
cybersecurity threats aimed at health care organizations,” he added. “Cyber
criminals target organizations who devote too little resources to security,
which consequently makes such organizations vulnerable targets.”

Helping organizations to harden their defenses is part of OCR’s mission.

“OCR continues to empower entities by providing updated guidance and
resources to help these entities mitigate risks that lead to breaches,”
Burton said.

The office directs organizations to its HIPAA Security Rule guidance
website, which offers information on risk analysis, remote use, mobile
devices and ransomware.

Also, Burton said there has been no change in OCR’s approach to settling
HIPAA breach cases, despite a seeming lull in the pace of new resolutions.

Last year, HHS collected a record $23.5 million in settlement payments from
organizations that failed to properly secure or otherwise mishandled
protected health information.

That was up from just $6.2 million in 2015.

The torrid pace of settlements continued into 2017, with $14.7 million
collected by late May.

But there hasn’t been another settlement in more than four months.

“There has been no change in policy,” Burton said.

“When OCR receives a complaint or investigates a breach, there is a period
of review in which OCR conducts a thorough investigation and determines
what further actions are warranted,” he explained. “OCR had a record year
for settlements in 2016 – but this was not the case in prior years, and the
number of settlements entered into each year is dependent on a number of
factors, including the complexity of the case and the degree of cooperation
of the entity being investigated.”