Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the state of healthcare data breaches in 2020, telehealth expansions, the significant ransomware attacks affecting healthcare organizations, and more.
The Centers for Medicare & Medicaid Services (CMS) announced a proposed rule that would extend and make permanent some of the telehealth flexibilities implemented under the COVID-19 Public Health Emergency (PHE). This change parallels the recent Executive Order on Improving Rural and Telehealth Access to expand healthcare in rural areas and for Medicare beneficiaries through broader telehealth access, modernized regulations, and payment reform. A key provision of the proposed telehealth extension would make some telehealth services permanent, including prolonged office visits and mental health services like neurobehavioral exams. While the new policies may not eliminate all telehealth barriers, they do improve healthcare access and security for underserved demographics.
The Department of Health and Human Services’ (HHS) HIPAA Breach Reporting tool revealed data breach trends of the first half of 2020. From January 1 to mid-July, 250 breaches affecting more than five million individuals were added to the database. The single largest breach affected 654,362 individuals (caused by the theft of a laptop), followed by the second largest at 550,000. Of the incidents thus far, 163 stemmed from hacking/IT events that affected a combined 3.8 million individuals and around 100 involved some form of phishing. While most breaches were isolated incidents, at least nine were caused by the same event – a ransomware attack on Magellan, a managed care company.
Beyond hacking/IT incidents, other trends observed were unauthorized access/disclosure and business associate incidents, the latter of which may be related to interconnected breaches like the Magellan ransomware.
“With multiple points of connectivity, it is likely that if one client of a business associate becomes a victim of a breach, others may be next, creating a cascade of breach events,” said Susan Lucci, senior privacy and security consultant at tw-Security. “Because of interconnectivity pursuits, it is extremely difficult to lock down every potential entry point of risk.” This supports the importance of a defense-in-depth security posture to protect against internal threats at every level, particularly for business associates.
“We are likely to see more breaches due to the big shift to remote work this year. That opens up new vulnerabilities, and yet our security resources may not be sufficient to address them and sufficiently mitigate the added risks.”
– Kate Borten, President, The Marblehead Group
During the first half of 2020, at least 41 healthcare providers were attacked by ransomware, according to research from Emsisoft. This number may reflect the strain on healthcare resources during the exponential growth of the COVID-19 pandemic during Q1 and Q2. While hospitals and healthcare providers began 2020 by suffering ten successful ransomware attacks in January and 16 in February, the attacks decreased in March and April to three each but starting trending upwards with four in May and five in June. This could indicate that malware developers kept their word to avoid attacking healthcare providers with ransomware because of their essential nature in battling COVID-19; however, as time has progressed, they may be resuming typical levels of threat activity.
Healthcare providers should bolster cybersecurity before it’s too late, especially because ransomware attacks aren’t just disruptive and expensive; often, they become data breaches.
“2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
— Fabian Wosar, CTO, Emsisoft
The 2020 Cost of a Data Breach Report revealed that the average cost of a healthcare data breach grew 10% in one year, from $6.45 million to $7.13 million. The report, which examined over 500 breaches, identified that healthcare organizations continue to face the highest breach costs across all industries. With an average breach lifecycle of 329 days from identification to containment, the healthcare sector also saw the longest breach mitigation time compared to other industries.
Data breach costs include more than regulatory fines – the study showed that lost business accounted for nearly 40% of the total average cost of a breach. Factoring in customer churn, lost revenue from system downtime, the increased cost of acquiring new business, and damaged reputation, regulatory fines and legal fees are only parts of the multi-faceted cost of a data breach.
Recommendations from the report to minimize the potential cost include investing in automated security technology, adopting a zero-trust model, implementing user monitoring tools to detect threats, and utilizing managed services to close the cybersecurity skills gap.
The U.S. House of Representatives recently voted to lift the ban that preventing federal funding for adopting unique patient identification. The approved Foster-Kelly amendment removed Section 510 of the Labor-HHS bill, which contained language that suppressed funds for endorsing or implementing a unique patient identifier. Patient identification is supported by healthcare organizations such as the American College of Surgeons, the American Health Information Management Association (AHIMA), the College of Healthcare Information Management Executives (CHIME), and the Healthcare Information and Management Systems Society (HIMSS).
For decades, patient misidentification has led to concerns over patient safety, quality of care, and increased burden on health providers – according to the Mayo Clinic, each case of misidentification costs from $1,200 to hundreds of thousands of dollars and months on resolution. However, a National Patient Identifier (NPI) system also generates concerns over individual privacy, PHI security, and inadequate regulation. To learn more about the pros and cons of an NPI system, read this article.
Research from The Ohio State University College of Medicine and the Center for the Advancement of Team Science, Analytics, and Systems Thinking in Health Services and Implementation Science Research (CATALYST) found that patients who are concerned about the privacy or security of their medical records are three times as likely to withhold critical information from their doctors.
The patients in question are worried that their personal health information may be compromised if shared electronically with other health providers. Due to COVID-19, the OCR has eased some HIPAA restrictions for protecting health information, which may also contribute to patients’ concerns. Withholding medical details could negatively impact pandemic recovery efforts as patients may deny experiencing symptoms or encountering a known carrier.
Now is a vital time for healthcare providers to demonstrate patient privacy and security efforts to offer transparency and enable trust.
“Taking a proactive approach and discussing the specific ways health care providers are safeguarding patients’ personal health information could potentially ease patients’ concerns about sharing sensitive information.”
– Matthew DePuccio, Post-Doctoral Researcher and Lead Study Author, CATALYST