Time for HIPAA Compliance to Meet Security Awareness?

On: December 12, 2016
HIPAA fines for PHI data breaches are on the rise and are only expected to increase. Can security awareness training help?

When it comes to HIPAA violations, the federal government does not mess around.

A recent case in point: The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR), which enforces HIPAA rules and tracks health information data breaches, settled a HIPAA violation case with the University of Massachusetts Amherst (UMass) to the tune of $650,000.

According to the OCR, the settlement stems from a malware-infected computer at a university-run workstation. The hack compromised the names, addresses, social security numbers, dates of birth, health insurance information, diagnoses, and procedure codes of 1,670 individuals.

The OCR found that UMass did not have a firewall on the infected machine, nor did the university identify its Center for Language, Speech, and Hearing (where the computer lived) as potentially allowing access to protected health information (PHI). UMass reported the malware infection when it happened in 2013, but did not conduct an “accurate and thorough” HIPAA risk assessment until September 2015 (also a no-no).

One Data Breach of Many

UMass is far from alone in their cyber incident woes. Data Breach Today reports that hackers have proven relentless in their attacks against healthcare firms and other organizations that handle PHI. In 2016, 93 of the 286 PHI breaches reported to the OCR were related to hacking. These 93 breaches, according to Data Breach Today, affected more than 12 million people.

Here’s a table Data Breach Today produced of the top five hack-related breaches for 2016:

Breached Entity Individuals Affected
Banner Health 3.6 million
Newkirk Products 3.5 million
21st Century Oncology 2.2 million
Valley Anesthesiology Consultants 883,000
Peachtree Orthopaedic Clinic 531,000

Beyond those breaches related to cybersecurity, OCR has been having a banner year for collecting HIPAA fines in 2016. Health Data Management reports that the OCR has settled a record 13 HIPAA violation agreements with healthcare organizations so far in 2016. That’s up from a previous annual record of seven.

The OCR also issued its largest ever fine to Advocate Health Care Network in August 2016 after investigating three breaches over three years affecting approximately 4 million individuals. Advocate had to fork over $5.6 million as part of this settlement. Flush with money from fines like this, the OCR is expected to increase its enforcement of HIPAA violations in 2017, according to the Health Data Management article.

The Employee Awareness Connection

Though far from the largest settlement or most individuals affected, the UMass incident does stand out for one important reason. The corrective actions OCR prescribed include employee training on proper HIPAA practices for all who have access to PHI.

This is a great start. After all, an ounce of prevention is worth a pound of cure. But when PHI is at stake, employees with access to this sensitive data need to know more than proper HIPAA practices to keep that data safe.

Focusing on just HIPAA compliance makes healthcare organizations a soft target for cyberattacks. Try to see an average hospital through the eyes off a cybercriminal. All that patient personal information just sitting there, waiting to be swiped and resold on the black market. Or, as recent headlines have shown, hospital officials who are willing to cough up a considerable sum to free their network from the clutches of ransomware. Both these scenarios look like dollar signs to an industrious bad actor.

HIPAA Training Needs Security Awareness

In this way, relying solely on HIPAA compliance as a safety net can do more harm than good. For one, HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, has little to do with knowing how to spot a phishing attack, for example.

Additionally, mere compliance does not equate to a fully security-aware culture. In our experience, organizations of all types are best served when their whole employee population knows the importance of sound security principles. Such a state comes from multi-faceted and integrated awareness programs, not just training. Fully-formed awareness programs will allow your organization to figure what sort of education is needed, deploy it in the most efficient way possible, and make available training reinforcement materials, such as posters and games, as needed.

The Human Element

As Data Breach Today reported above, 33% of 2016’s PHI data breaches stemmed from hacking. We can’t go as far to say every breach could have been prevented with a robust security awareness program in place. Bad people will always find a way to do bad things.

But, we don’t think it’s too much of a stretch to say HIPAA training combined with security awareness content can reduce the chances of a costly PHI data breach. Social engineering ranked as the #1 attack vector for hackers in 2015. This means humans can be your first and last line of defense against cybercriminals seeking personal information.

PHI is not just lines of letters and numbers on a spreadsheet. It represents the well-being of real, live people, and the well-being of any organization that is entrusted with it. Members of an organization with a strong security-aware culture will be better positioned to understand these stakes and act appropriately to protect this data.

Want to learn what a comprehensive security awareness program can do for your organization? Contact us today, or request a demo to see how our industry-leading Adaptive Awareness Framework can be put to work for you.

Share this Article

Contact Us

Related Articles

Whether by mistake or malicious intent, PHI data breach do happen. A new Verizon report shows just how often.
Not What the Doctor Ordered: PHI Breaches Are All Too Common
Read our newest eBook on how the NIST Cybersecurity Framework can be used to improve security awareness.
eBook: How the NIST Cybersecurity Framework Improves Security Awareness
A new report shows just how big a role the human factor plays in cybersecurity concerns. (Hint, it's pretty big).
Human Factor Report: Social Engineering Ranks As Top Attack Technique
Learn five awareness training tactics for truly changing risky employee behavior around cybersecurity and data privacy with our free white paper.
White Paper: 5 Training Tactics for Achieving Behavior Change