Every day, more than 5 million records are lost or stolen. That’s more than 217,000 records per hour, 3,600 records per minute and 60 records every second. Due to increasingly sophisticated hacking tactics and ransomware, it’s anticipated that the number of reported breaches will continue to rise at an accelerated rate.
In August, the list of reported Health Insurance Portability and Accountability Act (HIPAA) breaches broke a new record: more than 2,000 breaches affecting 500 or more individuals have been reported to the Office for Civil Rights (OCR) since 2009. It took nearly five years for the "wall of shame" to reach 1,000 breaches affecting 500 or more individuals, and reporting has since increased, due in part to OCR's ramped-up enforcement efforts, which seek to hold covered entities responsible for failing to report a breach within 60 days of discovery. This is cause for serious concern.
In addition to the recent milestone, the wall of shame underwent a significant makeover in July, which now enables users to view breaches currently under investigation that were reported within the previous two years, all breaches reported more than two years ago and all breaches since 2009 for which OCR investigations have concluded. There is also a research report function that provides the total number of breaches reported to the OCR, regardless of whether they are still under investigation or when they were reported.
In light of this, it is critical that you assess your compliance with the HIPAA Privacy and Security Rules and continuously educate staff on HIPAA compliance. Analyzing a security incident and determining whether a breach occurred can be a complex process that significantly cuts into the 60-day notification window, so you must understand the notification requirements to ensure that notifications are filed on time in the event of a breach. Understanding your legal obligations under HIPAA can also reduce the risk of a security incident. The key is understanding your system’s vulnerabilities and the external threats that may affect your security, and then educating your staff on those threats.
One of today’s biggest threats is ransomware. In its June 12, 2016, guidance on ransomware, the U.S. Department of Health and Human Services (HHS) described it as “a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” After the data is encrypted, a ransom note typically appears, which demands payment (usually in cryptocurrency, such as Bitcoin) so the user can receive a decryption key.