Breach Report Reveals 61% Increase in Breaches Affecting 500+
The Office for Civil Rights (OCR) recently submitted a report to Congress setting forth the HIPAA breaches and complaints reported in 2020 as well as the enforcement actions taken by OCR.[1]
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires OCR to issue annual reports to Congress detailing HIPAA breaches and complaints. For 2020, OCR reported 656 notifications of breaches affecting 500 or more individuals, 66,509 notifications of breaches affecting fewer than 500 individuals, and 27,182 complaints alleging violations of HIPAA and the HITECH Act.
Overall, breach reports decreased 4%, but the number of breaches involving more than 500 affected individuals increased by nearly 61% over 2019. Those 656 breaches affected more than 37 million individuals.
The increase in reported breaches affecting 500 or more patients is concerning but not surprising, says Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC.
“Most of those affecting more than 500 people involve compromised servers related to hacking incidents, which supports what we all know experientially — that the hacking groups are driving up these numbers in the large data breaches,” Sheinis says. “The big takeaway here is confirmation that these bad actors are going after your servers. That is the real threat, not the inadvertent breach of a file here and there.”
Sheinis advises focusing on the vulnerabilities that most frequently lead to these data breaches and the preventive measures that can be taken, such as multifactor authentication for remote access.
“Surprisingly, I’m still seeing a fair number of practices and medical providers that do not have multifactor authentication, and it’s so easy to put in place. We’re still seeing so much phishing in which the threat actor gets login credentials to use from their remote location, but if multifactor authentication is in place, that would cut off that threat actor,” Sheinis explains. “I haven’t seen a case yet in which the threat actor stole the mobile phone of the person whose credentials they stole through phishing, so they would not get the multifactor code.”
The report also underscores the need for IT professionals who focus specifically on security. Many healthcare entities employ IT professionals whose priority is to keep the computer system running smoothly so employees can access it when needed, and they work on the security component as an additional task. The time when that was feasible is quickly passing.
“When you need to work on the security of your network, get the expertise of a security specialist, not an IT generalist,” Sheinis advises. “I think that is lacking a lot in the medical community.”
Training also is becoming specialized, Sheinis says. People in any healthcare organization come from varied backgrounds and comfort levels with technical issues, and older employees are more likely to be compliant with security requirements than younger employees. That diversity means the training for one group of employees might not be the best for another group.
Patient Access Request vs. Disclosure Request
OCR’s recent reports to Congress are a reminder for healthcare providers to respond to patient access requests in a timely manner, says Scott Bennett, JD, an attorney with Coppersmith Brockelman in Phoenix. Part of that involves providing education to the personnel who handle medical records requests so they understand the difference between an access request and a disclosure request under HIPAA.
“It is quite common for healthcare personnel to confuse the two types of requests. Healthcare providers need to educate their personnel on the two types of requests and the different requirements for each type,” Bennett says. “It is also helpful to provide personnel with concrete, actionable guidance documents, like checklists or flowcharts, that they can use to determine whether a request is an access request or a disclosure request.”
It is critical for healthcare providers to put processes in place to ensure every access request receives a response within 30 days as required by HIPAA, Bennett says. OCR has brought enforcement actions against many providers for failing to respond to access requests in a timely manner.
Every access request needs to be logged, and processes must be in place to ensure a response is sent within 30 days. When an access request does not receive a timely response, the healthcare provider should perform a root-cause analysis to discover the reason or reasons for the failure and take steps to prevent it.
“Another striking point from the OCR’s reports to Congress is the importance of covered entities and business associates performing a security risk assessment that is enterprisewide. The OCR’s resolution agreements underscore the importance of making sure that risk assessment extends to all electronic PHI that the organization creates, processes, stores, or transmits,” Bennett says. “That includes every piece of hardware and software that touches electronic PHI.”
Decrease in Overall Reports Misleading
The OCR report is misleading when it focuses on a 4% overall decrease in reports received over 2019, says Mac McMillan, CEO of CynergisTek, a healthcare information security company based in Austin. There was a 61% increase in the number of reports involving more than 500 records.
“While there may have been fewer reports, slightly, the year was certainly worse in terms of total records potentially exposed,” McMillan says. “Secondly, they don’t emphasize enough that the biggest contributor to the number of breaches reported, as well as the increase in size of the breaches, was hacking. Healthcare is no longer defined by insider threat. Clearly, the threat is external, which everyone seems to get except OCR.” Seventy-three percent of those hacks involved email or a network server, he says.
OCR recommends better compliance with the HIPAA Security Rule, but McMillan says that is another problem.
“Again, this demonstrates that they do not get it. First, the HIPAA Security Rule is not adequate to secure the modern healthcare IT environment. Second, a focus on compliance as it relates to cybersecurity demonstrates a lack of understanding,” McMillan explains. “Third, the report fails to address the fact that the rule needs to be updated, that elements of security are not even addressed by the rule that are critical today.”
Of the violations involving fewer than 500 records, the report notes that 93% involved unauthorized access or disclosure, which points predominantly to an insider threat.
“OCR knows full well that you cannot effectively monitor for insider abuse with some form of automated monitoring, yet it does not measure this or discuss it,” McMillan says. “The bottom line is these reports emphasize as an industry we are still focused on compliance at the expense of good security. We have modern technology, an interoperability initiative, a 21st Century Cures Act, and an antiquated standard for cybersecurity.”
Driving Compliance Reviews
The reports indicated data breach reporting is the biggest driver of OCR compliance reviews, which serves as a warning to HIPAA-subject entities to stay off the HIPAA “wall of shame,” says Alaap B. Shah, JD, an attorney with Epstein Becker Green in Washington, DC. Overall, about 86% of compliance reviews resulted in some sort of corrective action plan and/or monetary penalty.
The report also showed OCR shifted focus toward HIPAA Right of Access enforcement in 2020, which has continued into 2022.
“Nevertheless, despite this shift in enforcement priorities, the largest penalties levied by OCR in 2020 remained tied to breaches arising from hacking incidents and where the OCR review evidenced lack of conducting adequate risk analysis and risk management activities,” Shah says. “Hacking was a dominant driver for breaches in terms of volume of events, percentage and location of ePHI systems impacted, and number of affected individuals per breach and across all breaches in 2020. This trend is continuing into 2022.”
The reports also sent a clear signal that providers, as a covered entity class, were at greatest data breach risk associated with hacking in 2020, and concomitantly at greatest risk for findings of noncompliance by OCR, Shah says. This is not a new trend, either, as providers have historically lagged in terms of HIPAA Security Rule compliance for many reasons.
The reports also indicated all types of covered entities and their business associates struggle with Security Rule compliance and, in particular, conducting security risk analysis and management activities.
To reduce risk related to data breaches and findings of noncompliance, Shah recommends entities continue to focus efforts on these key activities:
- Improving authentication controls, including implementing multifactor authentication;
- Improving risk analysis and management processes, leveraging OCR’s Security Risk Assessment tool and National Institute of Standards and Technology guidance;
- Increasing audit logging and monitoring, and improving security awareness and training to reduce risks related to phishing and other social engineering attacks.
The increase in some breaches could be a sign that covered entities are taking HIPAA more seriously and better recognizing when a breach must be reported, says William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL.
“They are becoming aware of things and reporting incidents that they may not have reported in the past,” Dillon says. “It’s my sneaking suspicion that we’ve had those high breach numbers for a while but now everyone knows they have to report these incidents. I don’t know that even five years ago that was the case.”
REFERENCE
- [1] Office for Civil Rights. Annual report to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance for calendar year 2020. 2022.
SOURCES
- Scott Bennett, JD, Attorney, Coppersmith Brockelman, Phoenix. Phone: (602) 381-5476.
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Phone: (850) 521-1708.
- Mac McMillan, CEO, CynergisTek, Austin. Phone: (512) 402-8550.
- Alaap B. Shah, JD, Epstein Becker Green, Washington, DC. Phone: (202) 861-5320.
- Richard Sheinis, JD, Partner, Hall Booth Smith, Charlotte, NC. Phone: (980) 859-0381.