HIPAA in 2017: failing to plan equals planning to fail

Another day, another breach. In a relatively unsurprising start to 2017, healthcare breaches are on track to reach new heights (or is it depths?). In what has become a somewhat satirical annual tradition, analysts forecast upcoming breach trends for the notoriously hard-hit healthcare industry and give each year a fitting name. In 2015, it kicked off with the Year of the Healthcare Breach. In 2016, it was the Rise of Ransomware. So as I was reading about yet another breach in April, a question came to mind: what will the “Year of the…” be for 2017?

“Of the industry sectors, healthcare was easily the hardest hit with breaches” – Gemalto Breach Level Index: 2016 Year In Review

By any assessment, 2016 was a terrible year for healthcare. The number of healthcare breaches in 2016 increased by 10.8% over 2015, despite a dramatic drop in the number of records compromised (down 75.4%). Small-scale breaches revealed that whether you’re a multi-site healthcare organization or a family health clinic – big or small – you are at risk of non-compliance or, worse yet, a breach. Given these facts, if you’re an IT leader in the healthcare sector, the future looks bleak. Not only that, but working toward HIPAA compliance can be a complicated and burdensome process, while non-compliance is no longer an acceptable alternative. Preaching to the choir, but let’s remember that severe civil and even criminal penalties can result from HIPAA violations. Not so satirical anymore.

With April nearly behind us, we’ve already seen more than 1.8 million individuals affected by a healthcare breach so far in 2017, and Forrester Research predicts Anthem-scale breaches will be commonplace in the coming months. In light of this, healthcare IT leaders must approach compliance not as a one-time project, but as an ongoing effort to monitor, assess and develop new strategies to reduce risk as new technologies emerge, and new threats with them.

“If you fail to plan, you are planning to fail.” – Benjamin Franklin

Here are a few things to look out for in 2017. Start planning now!

If you thought 2016 was the Year of the Audit, think again. The Office for Civil Rights (OCR) recently received a $4 million raise above FY2016 to “support OCR’s audit program,” which will “offer a new tool to help ensure compliance by covered entities and business associates.” The OCR has had a permanent audit program in its sights for years; with the budget boost and millions collected in settlements and penalties, the OCR is better equipped than ever to deliver one. So, how do you prepare? First, it’s important that you understand what a HIPAA audit entails and develop procedures in case you are selected – the HHS Audit Protocol is a solid starting point. According to HHS, the most investigated compliance issues to date are: impermissible uses and disclosures of protected health information (PHI), lack of safeguards for PHI, and lack of patient access to their PHI. Recent examples show that auditors have deemed certain safeguards, such as encryption, necessary even where the covered entity did not. Yesterday’s “good enough” approach is outdated. It is critical that you continuously pursue efforts to reinforce data privacy and security, improve patient access to records, and prepare worst-case-scenario response procedures for an audit, investigation or breach.

The OCR budget increase will “also modernize HIPAA protections, support innovation in healthcare, [and] ensure adequate protections in new programs and technologies.” What does this mean? Look for the OCR to investigate further into new trends like healthcare texting services and cloud technologies. Regulations will evolve with advancements in technology, so ensure that a security-first approach is taken when adopting cloud and IoT. Fortunately, Allgress and Amazon Web Services have partnered to develop the Regulatory Product Mapping (RPM) Tool, which can help you determine your cloud requirements under HIPAA – a great place to start planning for cloud adoption today.

In 2016, 43% of all breaches were the result of either insider error or insider wrongdoing. That will likely continue, as the leading cause of breaches in Q1 was unauthorized access or disclosure, accounting for more than 40% of incidents. IT leaders must work to reduce the use of unauthorized technologies (shadow IT) and risky workplace habits like shared logins and passwords. Implement policies and safeguards that restrict each employee’s access to the minimum necessary for their role – the principle of least privilege, as some call it. More than 76,000 individuals were affected by just two cases of unauthorized access to a desktop and a network server so far this year. Such incidents can be prevented with a combination of physical and technical access controls, enabling you to enforce least-privilege policies and greatly reduce the risk of insider threats, whether malicious or unintentional.

The first seven HIPAA settlements and civil penalties this year underline the importance of thorough risk management and strong safeguards. Since January, nearly 90,000 individuals have been affected by at least 12 breaches of patient data resulting from lost or stolen laptops, desktops, and other portable electronic devices.

Protecting your physical and digital perimeters is critical, but when the perimeter is breached, encryption is your last line of defense. In fact, a healthcare breach in February shows that physical measures including badge access and security cameras simply aren’t enough. In this case, the breached entity paid a stiff $3.2 million fine for failing to deploy encryption on all of its laptops, workstations, mobile devices, and removable media.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” – Robinsue Frohboese, OCR Acting Director

While the rate of hacking is growing exponentially, that does not diminish these stark reminders that healthcare organizations must implement encryption to protect against the loss, theft or unauthorized access of devices and the sensitive data residing on them. The HIPAA Security Rule requires the reasonable and appropriate application of encryption to safeguard PHI. Furthermore, the consequences of notifying all affected individuals, the HHS Secretary, and media outlets are significantly reduced, since breach notification is not required if lost or stolen data is encrypted.

Some predict that 2017 will be the Year of Insider Breach Awareness or the Year of the Audit. In truth, these titles are meaningless. Healthcare organizations are threatened by numerous attack vectors each and every day. New threats emerge. Old threats strike back. HIPAA-HITECH compliance is not a one-time project; it is an ongoing effort that includes regular risk assessments, updated procedures, adoption of new technologies, and the control and monitoring of access.

Let me repeat: if you fail to plan, you are planning to fail. Plan for worst-case scenarios, protect your organization from the inside out, and take a security-first approach when adopting new technologies. It’s not all doom and gloom, though. There are qualified partners in consulting, auditing, and IT security that can support you in your plan to attain and maintain compliance.

How are you addressing compliance in your Healthcare organization?
