When it comes to HIPAA violations, the federal government does not mess around.
A recent case in point: The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA rules and tracks health information data breaches, settled a HIPAA violation case with the University of Massachusetts Amherst (UMass) to the tune of $650,000.
According to the OCR, the settlement stems from a malware infection on a university-run workstation. The hack compromised the names, addresses, social security numbers, dates of birth, health insurance information, diagnoses, and procedure codes of 1,670 individuals.
The OCR found that UMass did not have a firewall on the infected machine, nor did the university identify its Center for Language, Speech, and Hearing (where the computer lived) as potentially allowing access to protected health information (PHI). UMass reported the malware infection when it happened in 2013, but did not conduct an “accurate and thorough” HIPAA risk assessment until September 2015 (also a no-no).
One Data Breach of Many
UMass is far from alone in their cyber incident woes. Data Breach Today reports that hackers have proven relentless in their attacks against healthcare firms and other organizations that handle PHI. In 2016, 93 of the 286 PHI breaches reported to the OCR were related to hacking. These 93 breaches, according to Data Breach Today, affected more than 12 million people.
Here’s a table Data Breach Today produced of the top five hack-related breaches for 2016:
| Breached Entity | Individuals Affected |
|---|---|
| Banner Health | 3.6 million |
| Newkirk Products | 3.5 million |
| 21st Century Oncology | 2.2 million |
| Valley Anesthesiology Consultants | 883,000 |
| Peachtree Orthopaedic Clinic | 531,000 |
Beyond those breaches related to cybersecurity, OCR has been having a banner year for collecting HIPAA fines in 2016. Health Data Management reports that the OCR has settled a record 13 HIPAA violation agreements with healthcare organizations so far in 2016. That’s up from a previous annual record of seven.
The OCR also issued its largest ever fine to Advocate Health Care Network in August 2016 after investigating three breaches over three years affecting approximately 4 million individuals. Advocate had to fork over $5.6 million as part of this settlement. Flush with money from fines like this, the OCR is expected to increase its enforcement of HIPAA violations in 2017, according to the Health Data Management article.
The Employee Awareness Connection
Though far from the largest settlement or most individuals affected, the UMass incident does stand out for one important reason. The corrective actions OCR prescribed include employee training on proper HIPAA practices for all who have access to PHI.
This is a great start. After all, an ounce of prevention is worth a pound of cure. But when PHI is at stake, employees with access to this sensitive data need to know more than proper HIPAA practices to keep that data safe.
Focusing on just HIPAA compliance makes healthcare organizations a soft target for cyberattacks. Try to see an average hospital through the eyes of a cybercriminal. All that patient personal information just sitting there, waiting to be swiped and resold on the black market. Or, as recent headlines have shown, hospital officials who are willing to cough up a considerable sum to free their network from the clutches of ransomware. Both these scenarios look like dollar signs to an industrious bad actor.
HIPAA Training Needs Security Awareness
In this way, relying solely on HIPAA compliance as a safety net can do more harm than good. For one, HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, has little to do with knowing how to spot a phishing attack, for example.
Additionally, mere compliance does not equate to a fully security-aware culture. In our experience, organizations of all types are best served when their whole employee population knows the importance of sound security principles. Such a state comes from multi-faceted and integrated awareness programs, not just training. Fully-formed awareness programs will allow your organization to figure out what sort of education is needed, deploy it in the most efficient way possible, and make available training reinforcement materials, such as posters and games, as needed.
The Human Element
As Data Breach Today reported above, 33% of 2016’s PHI data breaches stemmed from hacking. We can’t go so far as to say every breach could have been prevented with a robust security awareness program in place. Bad people will always find a way to do bad things.
But, we don’t think it’s too much of a stretch to say HIPAA training combined with security awareness content can reduce the chances of a costly PHI data breach. Social engineering ranked as the #1 attack vector for hackers in 2015. This means humans can be your first and last line of defense against cybercriminals seeking personal information.
PHI is not just lines of letters and numbers on a spreadsheet. It represents the well-being of real, live people, and the well-being of any organization that is entrusted with it. Members of an organization with a strong security-aware culture will be better positioned to understand these stakes and act appropriately to protect this data.
Want to learn what a comprehensive security awareness program can do for your organization? Contact us today, or request a demo to see how our industry-leading Adaptive Awareness Framework can be put to work for you.