Do you know what a few dedicated cybercriminals can do with a combination of phishing, malicious software, employee negligence, and a little patience? Cybercrime is a billion-dollar black market, and the healthcare industry is a particularly rich target. It has been among the most popular targets for cybercrime for five years, topping the list in 2019.
An essential, and required, step that practices must take to reduce the likelihood of falling victim to a cyberattack is achieving and maintaining compliance with the HIPAA Privacy Rule and HIPAA Security Rule. Effective HIPAA cybersecurity programs keep healthcare providers on top of changes to these rules and recommended practices for compliance. In addition, strong HIPAA cybersecurity programs help practices identify potential vulnerabilities and close compliance gaps that cybercriminals could otherwise exploit.
In this blog, we identify some of the most significant threats to HIPAA cybersecurity compliance and healthcare systems and the vulnerabilities they often exploit; share practical ways you can guard against these attacks; and conclude with a recommendation for an effective next step you may want to take to help further strengthen your cybersecurity.
Top HIPAA Cybersecurity Threats
As you review the following threats and challenges that can lead a practice to go awry with HIPAA compliance and leave itself more vulnerable to a successful cyberattack, consider creating a HIPAA cybersecurity checklist that you can use to regularly review how your organization is performing in these areas.
HIPAA Cybersecurity Threat #1: Phishing and Malware/Ransomware
Phishing is one of the top causes of data breaches. Phishing is what it sounds like: a cybercriminal puts out some bait via email and waits to see if anyone bites by sending back information or downloading something the attacker has provided. Simple in concept, phishing relies on gathering key information about the target so that unsuspecting employees can be fooled into doing something that seems routine by email. It is a means to an end: infiltrating an IT system.
Among the goals of phishing is to deliver malware, which can be hidden in a variety of downloads. Malware can include viruses, trojans, adware, spyware, ransomware, and other malicious programs. Malware can remain dormant collecting information or it can lock up an entire system.
Ransomware is a type of malware that encrypts important files and systems so that an organization is unable to access and use them. This can cause essential processes to slow significantly or become completely inoperable. Once files are encrypted, cybercriminals will typically demand payment in cryptocurrency to release the files — although there is no assurance that the files will be released when payment is made.
In 2015, University of Washington Medicine was fined $750,000 after 90,000 patient records were potentially exposed in a phishing incident. One employee opened a likely-forged email to review a document that looked reputable. The result was not only a fine, but public reputation damage and an agreement that the organization would provide training and undergo corrective action.
Mike Chapelle, professor of IT at Notre Dame, shares four strategies to increase resilience to phishing and malware. Try adding these to your HIPAA cybersecurity checklist.
- Minimize available information about employees: Public directories and other documents that give details about the relationships between staff members are often used for phishing. The more information available, the more convincing phishing emails can be.
- Train employees for cyber incidents: Employees should regularly be drilled with phishing simulations and provided accounts of successful phishing attacks. Those who were exposed to simulations in a JAMA study had a median click rate 25% lower than those who did not.
- Filter out suspicious content: Make sure all email systems use filtering to block phishing attempts by quarantining suspicious inbound messages and using phishing blacklisting sources.
- Multifactor authentication: Cybercriminals often try to use stolen usernames and passwords to access networks. Requiring another level of verification to confirm the identity of a user greatly reduces this vulnerability. It could be a special security question, a PIN, or a registered device that interacts with the computer.
HIPAA Cybersecurity Threat #2: Legacy Systems
Another major threat to security that most practices can improve immediately is the use of legacy systems. A legacy system simply means an outdated system that is no longer actively patched and maintained. This means that its vulnerabilities can become well known, and cybercriminals are more likely to find ways into the larger network through the system's outdated code. Many healthcare practices use legacy systems because of the expense and administrative disruption that overhauls represent. HIMSS conducted a cybersecurity survey in 2019 that revealed 69% of respondents were using legacy systems, many of them either Windows XP or a legacy Windows server — operating systems that were no longer being supported and patched. Windows 7 was added to the list of obsolete software as of January 2020.
It is critical to determine where legacy systems are still in use and plan the next steps to retire them.
HIPAA Cybersecurity Threat #3: Poor Employee Training
Sophisticated cybercriminals know how to exploit this frequent weak link in security compliance. Though you may have trained your employees to be aware of common phishing scams, there are other avenues that could lead to a potential breach. Whether it's intentional misconduct or, more commonly, a lack of awareness, employee behaviors should be at the top of your list of concerns — and a significant area of focus for your HIPAA cybersecurity checklist. HIPAA Journal identifies these common ways that poor employee practices may be putting protected health information (PHI) at risk:
- Snooping on medical records — Healthcare employees who have received HIPAA training should understand what is considered a violation of their employer's HIPAA policies and rules. According to Becker's Hospital Review, this is not always the case: From 2012 to 2020, Kaiser Foundation Health Plan of the Mid-Atlantic reported an employee inappropriately accessed members' radiology records. In another instance, Lurie Children's Hospital of Chicago reported an employee inappropriately viewed more than 4,800 patient medical records.
- Mishandling of PHI — This broad category can include everything from insufficient PHI access controls to emailing PHI to personal email accounts to downloading PHI onto unauthorized devices. Cited as one of the 10 most common reasons for HIPAA violations in a Becker's Hospital Review article, using unauthorized devices is often a shortcut for time-crunched staff. But the HIPAA security rules are clear, as the article states: "Clinicians and team members working virtually may access PHI only on authorized devices and must avoid downloading them to unsecure locations." Proper training must emphasize this rule as well as the rule requiring covered entities and their business associates to limit access to PHI (whether recorded on paper or electronically) to authorized individuals. The failure to implement appropriate electronic PHI (ePHI) access controls is also one of the most common HIPAA violations and one that has garnered a lot of attention. For instance, the HIPAA Journal cites the example of Anthem, which paid $16 million in penalty fines for access control failures and other serious HIPAA violations.
- Improper disposal of PHI — Training your employees on the HIPAA rules that require PHI to be securely and permanently destroyed is essential. As the HIPAA Journal states, "For paper records, this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures." It might seem simple, but as recently as 2019, Becker's Hospital Review reports that seven healthcare providers disclosed that some patient and employee records were dumped in unsecure locations.
HIPAA Cybersecurity Threat #4: Non-Compliant Third-Party Business Agreements
Another way that practices can fall out of HIPAA compliance is by engaging third-party vendors and business associates whose work involves handling sensitive data but who are not themselves compliant with HIPAA rules. Even when business associate agreements are in place with your partners, the partners may not be HIPAA compliant or may not be continually assessing their own risks. Healthcare providers must verify, to the best of their ability, that any partner with responsibilities for managing patient or other sensitive data has and follows HIPAA policies and procedures. Regularly reviewing and updating business associate agreements should be an item on your HIPAA cybersecurity checklist.
HIPAA Cybersecurity Threat #5: Loss or Theft of Technology
As you might expect, loose security standards put your practice at risk of theft. In fact, in just the first half of 2020, there were close to 40 theft incidents at healthcare organizations on record, according to Becker's Hospital Review. Its report cites the following example: "The largest theft this year has been from Health Share of Oregon; the health plan reported a laptop containing information about 654,362 individuals was stolen."
Even if theft cannot be proven, the inability to account for records represents an equal risk. The aforementioned article notes that 11 security incidents in 2019 were the result of lost records, including one at Walmart in which more than 3,600 individuals were affected by a breach in February 2020.
HIPAA Cybersecurity Threat #6: Failure to Use Encryption on Portable Devices
Although encryption is not a requirement, it's a HIPAA cybersecurity best practice to defend against threats. And there are other practical reasons to consider encryption as a line of defense. According to HIPAA Journal, "breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also stolen."
When weighing whether or not to implement this safeguard, consider the cost implications. In 2017, the Children's Medical Center of Dallas received a $3.2 million civil monetary penalty for "failing to take action to address known risks, including the failure to use encryption on portable devices."
HIPAA Cybersecurity Threat #7: Impermissible Disclosures of PHI
Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. Since the compliance date of the Privacy Rule in April 2003, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has received over 250,000 HIPAA complaints and has initiated over 1,000 compliance reviews.
According to a November 2020 report, OCR "has investigated and resolved over 28,481 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates."
The report yielded some important insights. For example, it states that among the compliance issues most often alleged in complaints, "impermissible uses and disclosures of protected health information" tops the list in terms of frequency.
The impact of overlooking this issue could have staggering consequences. Just consider that as of November 2020, the OCR reports that it has settled or imposed a civil money penalty in 92 cases resulting in a total dollar amount over $1 million.
The Bigger Picture: HIPAA Cybersecurity Analysis
A key to staying compliant is to identify and address your organization's vulnerabilities. A particularly effective way to identify security gaps and risks is to undergo a HIPAA cybersecurity risk assessment. Such an assessment, which should be performed by a third party, is intended to help ensure compliance with HIPAA's administrative, physical, and technical safeguards by identifying infrastructure vulnerabilities that can put PHI at risk. In fact, HIPAA requires all covered entities to conduct regular risk assessments of their organizations.
If your organization has not undergone an assessment in the past 12 months or since you experienced a significant IT change or development, such as the introduction of new technology and/or implementation of new work practices, it is strongly advisable that you look into scheduling an assessment. But first, we suggest downloading our HIPAA Cybersecurity Risk Assessment Checklist. This will give you a better understanding of the significant value of a risk assessment and what to expect from it as well as guidance for selecting the right healthcare IT firm to perform the assessment.