Breaches Sometimes Kept Secret, but Decision Is Highly Dangerous
Cybersecurity professionals often are told to keep breaches confidential, according to a recent survey that suggests healthcare organizations may be risking serious consequences for not reporting the improper loss of protected health information (PHI) controlled by HIPAA.1
The survey was conducted by Bitdefender, a cybersecurity company based in Santa Clara, CA. The company surveyed 400 IT and security professionals, finding 42% said they had been told to keep a breach confidential when they knew it should be reported. Thirty percent said they did keep a breach confidential. IT professionals in the United States were most likely to say they have been told to keep quiet (71%), followed by the United Kingdom (44%). The survey respondents worked in various fields, including healthcare.
Fifty-two percent of those surveyed said they have experienced a data breach in the past year, and 55% said they worry about facing legal action due to an incorrectly handled breach.
The survey findings were surprising and concerning to Patricia Boujoukos, JD, senior vice president for legal and compliance with 11:11 Systems, an IT service management company in Fairfield, NJ.
“It’s contrary to what we convey to our employees to make sure that they proactively report security incidents that might give rise to a data breach, and then it’s up to the other folks in the organization to evaluate whether there were disclosure obligations,” Boujoukos says. “I was somewhat surprised and concerned about the findings that there might be some apathy in terms of reporting data breaches.”
Boujoukos says the findings should be a wake-up call for HIPAA compliance officers and risk managers. “The fact that companies may be reluctant to report and are pressuring employees not to report is problematic because you’re basically advising the company not to comply with the law. That will put you in hot water not only with regulators, but also with your own customers,” she says. “It’s sort of kicking the can down the road because you could have another event a year later that is more serious, and regulators will want to know about your controls and any incidents you’ve had in the past. You could never conceal this.”
Failing to report one breach could expose the organization to even greater liability with regulators if they become aware of a second breach. They will see the organization as concealing and not fulfilling its obligation to comply with the law and deliver notice of the breach effectively.
Senior leadership must set the tone at the top to encourage reporting. “There is a lot of risk associated with concealing a data breach,” Boujoukos says. “In my experience, I’ve found that you have to be transparent with delivering bad news. Early is better than delivering bad news late.”
Can Be Tempting to Conceal
As disturbing as the survey findings are, they were not a real surprise to Margaux Weinraub, CPCU, ARM, cyber practice leader at Graham Company in Philadelphia. Weinraub has worried there is a tendency to keep HIPAA breaches quiet if it can be accomplished.
“No one is proud to admit that they had a cyberincident, whether it was due to their true negligence or their own failure, or whether it really was a threat actor targeting them and no one’s defenses are strong enough,” Weinraub says. “When this happens, oftentimes organizations feel a little bit of shame admitting that they were the victim of a cyberincident. However, no one’s alone. In this situation, I think there is actually so much good in reporting and sharing when you go through an incident because it makes us all stronger.”
Organizations may be reluctant to publicize a data breach because they are public companies and the news could affect their stock prices, Weinraub notes. Or perhaps it is a private company about to go through a merger and it does not want to jeopardize that deal. The potential effect on their reputation in the community also could dissuade some organizations from reporting a breach.
However, all those motivations could work against the organization. Keeping the breach quiet could undermine efforts to understand its effect and recover.
“The biggest thing is truly understanding and making sure that you adequately estimate the damage that the cyberincident inflicted on you. Often, you don’t know how deep the incident is and how far a threat actor could have gotten into your systems unless you go through the true incident response process of notifying your organization, notifying your carrier, notifying your broker, all the others,” Weinraub says. “You may think it was just one laptop and that has been quarantined and no longer in use, but how do we know that the threat actor isn’t just staying dormant in the system, waiting to attack two months later in a more sophisticated large-scale attack?”
In addition to the potential penalties from the Office for Civil Rights for not reporting a HIPAA breach, Weinraub says staying quiet also makes companies a target for another attack. “Once you have one cyberincident, you’re a likely target for another. If you pay ransom, they’re going to come back after you,” she says. “They know that you had a cyberincident and you’re not telling anyone, so the smart ones are going to definitely go for you again to make it larger and more profitable for them.”
Any healthcare organization that would even think of keeping a HIPAA breach secret has a serious culture problem, says Kurt Osburn, a director with the risk management and governance team at NCC Group.
“The fines would be staggering. There would also be a lack of confidence in a company found to have not reported, as well as legal costs and the publicity related to non-reporting,” Osburn says. “But the other side of this is how many companies go out of business. In my experience, these companies just pay the fines, keep the same people running the organization, don’t fix the problem, and move on like nothing happened. This becomes the larger issue — how do you make the consequences of hiding a breach significant enough to keep companies from trying to find a way around instead of fixing the problem?”
Most healthcare risk managers and HIPAA compliance officers are aware of their organizations’ strengths and weaknesses, Osburn says. They may be aware some senior leaders want to avoid disclosing a breach, but they may not want to be the whistleblower and openly resist their bosses. The solution to such a quandary is to address it before it ever becomes an issue. Hospital leadership should be apprised beforehand of the obligations to report and the serious consequences of not reporting.
“Are they the problem because they are afraid of losing their job, even if the breach is not something they caused? Is there a breach notification plan and protocol? Does the healthcare institution practice breach protocol or even know how to respond?” Osburn asks. “The answer isn’t only should they report but how do they report, who is responsible, and what the organization is doing to prepare for the breach if and when it comes.”
Some organizations might not intentionally avoid reporting a breach under HIPAA but instead fail to realize they need to, says Trent Sanders, vice president for U.S. healthcare and life sciences at Kyndryl, a cybersecurity company headquartered in New York City. Not every cyberbreach involves PHI, but it is important to put systems in place to understand when it does.
“In many cases, reporting falls through the cracks because healthcare organizations lack the tools and capabilities to understand what has been impacted and if there was really an issue to report,” Sanders says. “Not all data breaches have the same impact, and they should all be handled on a case-by-case basis. For example, if the breach occurs in a specific system or internal tool, depending on the type of data that’s been breached it may not require patient notifications. But as a rule of thumb, it’s crucial to follow HIPPA guidelines and standards, along with local laws, when it comes to exposed PHI. Patient health and safety should always be top priority, and healthcare organizations have an obligation to notify and protect the individuals who have been impacted.”
REFERENCE
- Bitdefender. Bitdefender 2023 Cybersecurity Assessment. 2023. https://businessresources.bitd...
Cybersecurity professionals often are told to keep breaches confidential, according to a recent survey that suggests healthcare organizations may be risking serious consequences for not reporting the improper loss of protected health information controlled by HIPAA.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.