According to a report from Accenture, a global management consulting, technology services and outsourcing company, “one in 13 patients – roughly 25 million people – will have personal information, such as social security or financial records, stolen from technology systems over the next five years. Cyberattacks over the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue.”
Ransomware attacks are the latest “trend” in the criminal community. The WannaCry ransomware attack in May 2017 has been a wakeup call for healthcare organizations around the globe as to what needs to be done to ensure patients and their data are safe.
Ransomware is malicious software that disables systems or encrypts data, critical system files and applications. The attackers then demand a ransom payment before they will restore access to the data they have encrypted or stolen.
WannaCry ransomware exploits a flaw in the Windows operating system. Networks of computers, especially those in hospitals, are at high risk because the ransomware spreads from machine to machine through the standard file sharing technology used by PCs, so a single infected computer can infect the rest of the network.
As if this were not enough of a headache, the 2016 “IBM Cost of Data Breach Study” found that “the average consolidated total cost of a data breach grew from $3.8 million to $4 million and the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158.” The study puts the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
But if ransomware infects a Health Insurance Portability and Accountability Act (HIPAA) covered entity’s or business associate’s computer system, is it considered a HIPAA breach?
According to the Department of Health and Human Services (HHS), it is a fact-specific determination. The HIPAA breach notification rule defines a breach as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).”
Consequently, when a ransomware attack encrypts electronic protected health information, that encryption falls within the definition of a breach, and the entity must comply with the applicable HIPAA breach notification requirements.
Though cyberattacks are a dangerous threat to all healthcare organizations, keeping up with cyber security is sometimes a secondary consideration for hospitals and physicians. But the only defense is to invest continually in strong systems, security monitoring, and infrastructure.
As an immediate step to protect your organization, at least make sure that all employees are aware of the threats and methods of attack and are following cyber security policies. Install all available security updates and patches, and never run an unsupported operating system. Ensure that anti-virus and anti-malware solutions are set to run regular scans automatically.
Cyber security and data security are complex issues, and they are directly related to delivering quality patient care. We at Primeau Consulting Group can help covered entities and their business associates understand the basics of how HIPAA data breaches are determined, and what you can do to keep data secure.