Alexander Thompson
Symposium Editor
Loyola University Chicago School of Law, JD 2018
According to data from HHS’ Office of Civil Rights (OCR), healthcare data breaches in 2017 are set to outpace those from 2016. Security experts have determined this increase is due to two factors: getting entry into a system has become easier, and organizations are now more inclined to report breaches. Yet despite the increase in data breaches and the costs of settling with HHS OCR, a majority of healthcare organizations are still only spending 1-6% of their budgets on cybersecurity measures.
The cybersecurity problem
In the past, data breaches caused by insiders—employees of a healthcare organization or business associate contracted to handle Protected Health Information—accounted for the highest percentage of data breaches in the United States. However, OCR data predicts that in 2017, data breaches caused by hacking and other IT incidents will outpace data breaches caused by insiders for the first time ever. In the United States, there were 36 data breaches in July of 2017. Ten of those breaches, or approximately 28%, were caused by ransomware alone. In just one month, hacking compromised the integrity of more than 516,000 records. That is more than twenty times the number of records compromised by insider data breaches.
Part of the problem is that gaining initial entrance to a system has become easier for hackers, especially through emails. This way of gaining access to a system is called phishing. In order to get access to an organization’s email system, a hacker will send an email to all or some employees of the organization. That email will usually include an attachment or link, and some message encouraging the employee to open the attachment or click the link. If the employee clicks on the link or opens the attachment, nefarious software (such as malware) is then downloaded to their computer. This software will generally give the hacker access to the healthcare organization’s system. The hacker can then search the system for Protected Health Information (PHI) or other sensitive information such as bank account numbers or Social Security Numbers. The hacker then uses this stolen information and/or sells it on the darknet.
Hacking has been around for decades—so why is this just becoming an issue for healthcare organizations now? First of all, healthcare organizations did not have to report these types of incidents until the breach requirements were included in the HIPAA Privacy and Security Rules, which were finalized in 1996. Additionally, even though hacking has been around for decades, use of electronic health records was not widespread in healthcare organizations until recently. Therefore, the ability to hack into healthcare organizations’ computer systems and gain access to PHI is relatively new.
Second, according to Jeff Krull, a partner with Baker Tilly, “a lot of organizations are becoming more aware of their responsibility to report data breaches” and “people are reporting things in the past they may not have known to report.”
The solution to the cybersecurity problem
Despite this glaring problem, healthcare organizations are only spending 1-6% of their budgets on cybersecurity. HHS OCR recently levied a $400,000 fine against a healthcare organization it deemed to have overlooked the risks of outdated privacy protections. With fines like that, one would think that healthcare organizations would direct more of their budgets toward cybersecurity.
Lee Kim, the Director of Privacy and Security at the Healthcare Information and Management Systems Society (HIMSS), stated that “the key to preventing hacking and other IT incidents is a good response to attacks. You need to be able to detect attacks as fast as possible and then respond.” HIMSS also conducted a study on the need for Chief Information Security Officers (CISOs) in healthcare organizations. The study found that organizations with CISOs tended to have better security practices than those that did not. Per the same study, 95% of organizations with CISOs reported using the NIST cybersecurity framework, compared to less than a third of organizations that did not have a CISO. In response to this growing problem, the Healthcare Industry Cybersecurity Taskforce was created in 2016. This taskforce was designed to help create best practices for healthcare organizations to prevent cyber-attacks.
Only time will tell if healthcare organizations will begin directing more resources towards their cybersecurity programs. However, recent OCR fines prove that developing real cybersecurity protections is a smart investment.