
No rest for health care on data security

May 20, 2019 2 min read

Making the rounds last week was Verizon’s 2019 Data Breach Investigations Report. Analyzing over 41,000 security incidents and over 2,000 data breaches during 2018, the study examines the state of affairs across industries. One interesting figure to note is that insiders are responsible for well over half of data breaches in health care, whereas across all verticals insiders account for only 21%. The discrepancy is perhaps explained by the ease with which health care employees can accidentally disclose sensitive health information to unauthorized parties. As a matter of fact, “It is the most common error type that leads to data breaches,” says the report. “This could be due to errors in mailing paperwork to the patient’s home address or by issuance of discharge papers or other medical records to the wrong recipient.”

Apparently, then, these kinds of mistakes are more prevalent in health care than in other industries. By comparison, hackers are generally responsible for 51% of security incidents. Phishing scams and malware are still major concerns in health care, however. Cyber criminals will often leverage the numerous vulnerabilities in medical devices to gain access to hospital networks and infect them with ransomware, which accounts for 70% of all malware incidents. Stealing personal health information has never presented hackers with so many options.

One seeming silver lining health care executives might see is the recent news about HIPAA violation fines. In an alteration to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which increased fines, the U.S. Department of Health and Human Services (HHS) has reinterpreted the law to lessen the annual penalty for health care organizations in all but the most extreme cases. As TechTarget contributor Mackenzie Holland rightly points out, though, this does not mean these organizations can lower their guard. Cyber threats continue to evolve, and IT teams and defense strategies must evolve with them to stay ahead of the hackers. And even with reduced HHS penalties, breached companies will still be subject to lawsuits from the state or private entities.

In any event, the maximum annual penalty for offenders now ranges from $25,000 to $1.5 million, depending on the “tier” or severity of the infraction. Health care law expert David Harlow has voiced one concern about the change: that HHS might now have less individual discretion in levying fines. Hopefully, that will not prove an issue.

But again: this is no time to take it easy. Hospitals and other health care organizations should still ensure that access to, publication, transmission and disposal of medical data are limited, monitored, and overall kept secure.


By: Jonathan Weicher, post on May 20, 2019
Originally published at: http://www.netlibsecurity.com
Copyright: NetLib Security
