Last week we reported on the rise in cyberattacks on business associates and specialty providers. A new report from Critical Insight, a cybersecurity services firm, underscores the risk to business associates and also shows that health plans have become more vulnerable. Health plans, like healthcare providers, are covered entities and are required to follow HIPAA.
The largest healthcare data breach on record (HHS began publishing breach reports in 2009) occurred at Anthem, Inc., a health plan, in 2015. The protected health information (PHI) of 78.8 million individuals was stolen, a staggering number. Anthem settled the resulting class action lawsuits in 2017 for $115 million.
The latest report from Critical Insight emphasizes, as others have, that healthcare data breaches have been on the rise since 2018,
“with an 84% increase in the total number of breaches between 2018 and 2021. The total number of individuals affected has tripled over the same period, from 14 million in 2018 to 45 million in 2021.”
Although healthcare providers are still the type of organization where most breaches occur, cyberattacks on business associates expose more records per breach than attacks on other entities. Today, hacking/IT incidents (across all types of entities) are by far the most common breach type, well ahead of the other HHS categories: unauthorized access, theft, loss, and improper disposal.
The report reveals that hacking/IT attacks against health plans, business associates and outpatient/specialty clinics all increased in 2021 over 2020.
- Health plans jumped nearly 35%
- Business associates increased nearly 18%
- Outpatient/specialty clinics increased 41% (see last week’s blog for examples of pharmacies, fertility clinics, eye care, orthopedic and behavioral health practices, all victims of hacking/IT incidents)
The report concludes with a summary of how providers can reduce their exposure by managing third party risk more effectively. We refer to this as business associate due diligence. It makes good business sense, but it is also required by HIPAA, as part of a complete HIPAA Risk Analysis – Risk Management program.
HIPAA Risk Management Works
Stay ahead of the trends and out of the headlines by following HIPAA to the letter. The HIPAA Security Rule is a practical blueprint for defending against cybercrime, including ransomware, and for avoiding the costs that follow a major healthcare data breach.
Key steps:
- perform a regular HIPAA Risk Analysis and ongoing Risk Management, including a security risk assessment that covers every system that creates, receives, maintains or transmits PHI
- patch all software as soon as a patch is available, giving priority to internet-facing systems and to vulnerabilities known to be actively exploited
- keep anti-malware and anti-virus protection current, with signatures and engines updating automatically
- train the workforce in basic HIPAA compliance and cybersecurity awareness, including how to recognize and report phishing
- conduct due diligence with business associates (third party vendors that handle PHI), and make sure a signed business associate agreement is in place before any PHI is shared
The HIPAA E-Tool® offers three separate and complete programs, designed specifically for providers, for health plans and for business associates. Each is tailored to the unique requirements of that type of entity, and each contains a self-guided Risk Analysis – Risk Management module. Answers to your HIPAA questions are a phone call away.