Last year, the average cost of a single data breach in the healthcare industry exceeded $7,000,000. During that same time frame, fines issued by the Office of Civil Rights (OCR) for “violations of HIPAA regulations” exceeded $13,500,000. Since 2003, the OCR has issued total fines and penalties in excess of $129,000,000. We also know that during 2020, governing bodies continued to modify and introduce new legislation to support accountability for protecting patient data, even and especially in a pandemic. The fact is, data breaches, hacks, ransomware, etc., are nothing new, but regulators are painfully aware that malicious actors are actively exploiting “windows of opportunity” created by COVID, abusing a vulnerable, resource-strained, and unprepared industry in the middle of a worldwide health and economic crisis. We aren’t without hope or options in the midst of these struggles, but the solution is not to bury our heads in the sand. Those who are succeeding in 2021 understand that their wins are directly tied to maintaining effective security and compliance programs this year. Before exploring those solutions, though, let’s dive deeper into the drivers behind this need.
Accountability is Unlikely to Lessen
The OCR settled over a dozen investigations in the year 2020 that were specific to an individual’s right to “timely access to their health records at a reasonable cost” under the HIPAA Privacy Rule. These settlements included fines and “corrective actions.” Recipients of these penalties included university medical centers, non-profit healthcare providers, private practitioners, specialized healthcare providers, and third-party providers (Business Associates) to healthcare institutions. In late December 2020, the Centers for Medicare & Medicaid Services (CMS) proposed a rule that would “improve the electronic exchange of health care data among payers, providers, and patients, and streamline processes related to prior authorization, to reduce burden on providers and patients.” The U.S. Department of Health and Human Services (HHS) publicly stated similar intentions in the latter part of 2020. It’s safe to say that healthcare regulations are here to stay.
Audits and Penalties Aren’t Just for Enterprise Organizations
Not only are governing bodies modifying or adding new requirements, they are actively enforcing existing legislation. Large organizations may be tempting targets for enforcement action, but it’s clear from 2020 that everyone in the healthcare industry will be held accountable for non-compliance. Some experts have observed in recent years that payment from one year’s total fines is allocated towards hiring more auditors in the following year. With more auditors, they have noted, come wider nets of accountability, growing to include more types and sizes of healthcare organizations. In other words, it would be increasingly unwise to take an “I’m too small to matter to OCR” approach to compliance.
Other Factors We Can Expect to Impact Legislation
The change in leadership at the federal level will likely have a significant influence on the direction of healthcare legislation. Non-political factors such as the COVID-19 pandemic, continued migrations to cloud providers, and unforeseen changes in technology are also likely to have a heavy impact on evolving legislation. For example, we may see an increase in track-and-trace application use by “Public Health Authorities” as a means to battle the virus at a local level. While many people assume all patient data is protected under HIPAA laws, the way HIPAA is currently worded, only particular kinds of organizations are subject to compliance; Public Health Entities are exempt. Further, while many of those applications may use anonymized patient data as a starting place, they also include enough metadata that patients could easily be identified through their cell phone type, user account (e.g., an Apple ID), and location data generated by Bluetooth LE, risking exposure in a successful attack not only of their personal information but also of their private diagnoses. It will be interesting to see if privacy professionals use this as an opportunity to support patient rights and increase calls for updated HIPAA legislation that more closely aligns with how modern technology is being used in healthcare in 2021.
In addition to new technologies entering the market, we also have mature technologies with which people are more familiar, but which they may or may not understand how to fully secure, such as cloud environments. Most cloud providers have evolved their offerings to include advanced security options, settings, and configurations, but new cloud users may not have the security, compliance, and technical skill sets necessary to leverage them effectively. With more and more organizations migrating to the cloud due to widespread remote workforce scenarios, attack surfaces are broader than ever before. So, when you consider this in light of the growing shortage of cybersecurity experts, you can see where an uptick in successful attacks on organizations storing patient data is certainly a strong possibility this year. If that does happen, it could then put pressure on lawmakers to broaden the wording and application of HIPAA laws going forward.
The Changing Face of Patient Care
According to the Centers for Disease Control (CDC), the first quarter of 2020 saw an increase of 50% in telehealth services over a similar period in 2019. We can attribute this sudden adoption to the challenges of providing healthcare in the middle of a pandemic. Much like the trend of allowing workers to work from home (WFH), we anticipate that this trend is unlikely to completely reverse, and we should expect a greater reliance on remote technologies for patients and workers in years to come. The benefits of remote health care are many, from both patient and provider perspectives. Regardless of the implementation, these solutions have introduced new risks into what may previously have been a stable environment. These are risks to the organization’s security posture, as well as to its compliance program. From a security standpoint, we have already looked at the “opportunistic” nature of malicious actors. Those principles apply here. From a compliance perspective, HHS acknowledged the impact of the pandemic and the need to rapidly adopt these new telehealth products and services in its promise to exercise “enforcement discretion” for violations of healthcare legislation. It isn’t a stretch to assume that while HHS recognizes the value of this technology, it also fully intends to audit, investigate, and correct where appropriate.
Third-Party Technology Provider Risks
As we migrate to third-party cloud services, including the adoption of containers for deploying our applications, and seek Software as a Service (SaaS) from other providers, it’s critical that we consider placing a higher priority on managing our third-party risk. In 2014 a well-known U.S. retailer lost a significant amount of credit card information as the result of a security breach. While this alone is significant, what makes it particularly relevant to this discussion is the nature of the attack: it was carried out through a compromised third-party vendor. That third-party vendor had a point-to-point connection back into the retailer’s cardholder data environment. While this isn’t an unusual situation, governing bodies, cybersecurity insurance firms, and courts have taken heed and begun to place increasing importance on the risk incurred in vendor relationships. Organizations have long been held accountable for the security of their vendors. It’s important to note that current trends suggest that the vendors too are now being targeted for investigation and subsequent punitive action due to breaches of systems under their direct control. Regardless, the question for healthcare leadership is to what extent you can rely upon due diligence and Business Associate Agreements (BAAs) to protect your organization from significant losses due to a breach outside of your direct control.
What You Can Do
The solution for all of these challenges is a holistic security and compliance program aligned with your strategic goals. For healthcare providers, healthcare service providers, etc., consider the following when determining your compliance and security goals: a) HIPAA, b) Payment Card Industry Data Security Standard (PCI DSS), c) National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), d) NIST Privacy Framework, Statement on Standards for Attestation Engagements (SSAE) 18/Service Organization Control (SOC) 2, e) International Organization for Standardization (ISO) 27001, f) General Data Protection Regulation (GDPR), etc. In years past, we could accomplish this in a single spreadsheet. Today, you’ll find yourself with multiple spreadsheets or, worse, attempting to build your own application or relational database. The best solution today is a Governance, Risk and Compliance (GRC) program supported by a GRC-specific application. In short: capture the goals of your program, build out your control catalog, identify the risks that would keep you from reaching your goals, and finally adopt a sound security strategy for mitigating, or at least addressing, the identified risks. If you don’t have the internal resources to execute this program yourself, then consider TRUE.
You can find more information on the Managed Cyber Compliance page.