Criminal hackers are having a field day in healthcare. When cyber thieves get their hands on protected health information (PHI), they can demand a ransom or sell the data on the dark web. Sometimes they do both. It’s a profitable business.
In five recent weeks, breach reports show that almost 2.4 million people have had their PHI compromised. Thirty-nine reports from 21 states were filed with the U.S. Department of Health and Human Services (HHS) between March 1 and April 6, 2022.
The organizations attacked are not obscure; they are not the smallest or the largest, the best or the worst managed. They represent a widely varied cross-section of modern health care. Your eye care provider, dentist, health plan, or regional health care system, or you yourself, might be on the list.
The numbers do not have to be this high, because so much more can be done to prevent cybersecurity incidents. Prevention and risk reduction are doable with strong HIPAA compliance. Too many organizations are caught short because they didn’t do the basics. Follow the HIPAA Security Rule to fight back.
Five Weeks of Breach Reports
Nearly all of the breaches were the result of a hacking/IT incident, so over 99% of the individuals’ PHI was stolen by criminal hackers.
The types of entities and the numbers of people:
- 4 business associates affecting 97,610
- 6 health plans affecting 174,254
- 29 health care providers affecting 2,124,481
All thirty-nine organizations are now under investigation for HIPAA violations by the Office for Civil Rights (OCR). The first question each will need to answer is “Have you completed a HIPAA Risk Analysis?” The second is “Show me the documentation.”
A long list of questions follows, digging into the details of policies, procedures and training. How will they do under investigation? If it happens to you, how will your investigation turn out?
Prevention with HIPAA Risk Analysis – Risk Management
An OCR investigation is only one piece of the headache that follows a healthcare data breach. An organization also needs to conduct its own internal security investigation, notify patients, manage the public relations response, and contain the damage to its reputation. It can be expensive and time-consuming.
The best way to defend against cybersecurity threats is through strong HIPAA compliance before the criminal hackers reach you and before you get the dreaded call from OCR.
Compliance is affordable, and by adopting a culture of compliance across the entire workforce year-round, cybersecurity defense does not need to take a lot of time. Complete a full HIPAA Risk Analysis at least once a year to identify threats and risks, and then manage them. Help your workforce understand cybersecurity risks, and how to recognize and avoid phishing.
If you need help to improve your HIPAA compliance, let The HIPAA E-Tool® show you how.