
Electronic Criminal HIPAA Attacks on Protected Health Information Rise 100% In Four Years

(March 14, 2014) A recently released Ponemon Institute study reveals startling insight into new and expanded threats to the security and privacy of patient information in the U.S. health care system.  Alarmingly, electronic criminal HIPAA attacks on health care providers have risen 100% since 2010.  Moreover, many cite the Affordable Care Act (ACA) as one of the biggest factors putting patient health information at risk. Furthermore, increasingly complex federal and state privacy and security regulations have led to ongoing compliance problems for many providers. Nevertheless, while almost every health care organization represented in the study reported some form of data breach, the total number of data breaches has declined.

I.  Health Care Systems Participating in the Study:

Ninety-one health care organizations participated in the Ponemon research study, all of which are covered entities subject to the Health Insurance Portability and Accountability Act (HIPAA)’s Privacy and Security Rules.  Respondents included hospitals or clinics that are part of a health care network (49%), integrated delivery systems (34%), and standalone hospitals or clinics (17%). Moreover, researchers conducted approximately 388 separate interviews with senior-level personnel working in compliance, information technology (IT), or patient services and privacy.

II. Reports of Data Breaches are on the Decline; However, the Economic Impact is Still Significant:

When it comes to the privacy and security of patient health information, data breaches are a significant – and prevalent – concern for providers. The study found that 90% of health care organizations reported experiencing at least one data breach in the previous two years.  In fact, 38% reported experiencing more than five incidents! Remarkably, this figure actually reflects a decrease in data breaches from last year’s report.  In the 2013 report, 45% of organizations reported more than five data breaches.

What might this decline suggest? According to Larry Ponemon, chairman and founder of the Ponemon Institute, health care organizations may be making “modest progress on managing sensitive patient information” and reducing threats to patient data. Yet, Mr. Ponemon emphasized the word “modest.”

Not surprisingly, data breaches represent significant economic burdens for health care organizations. Over a two-year period, breaches cost the responding organizations anywhere from less than $10,000 to more than $1 million, with an average economic impact totaling roughly $2.0 million. For the healthcare industry overall, data breaches could potentially impose annual costs of up to $5.6 BILLION.

III.  New Health Care Law Increases the Risk to Patient Privacy and Information Security:

A large majority of respondents pointed to one factor exacerbating the risk of exposing patient health information.  Almost seven in ten organizations represented in the study (69%) believe that the Affordable Care Act (ACA) either significantly increases (36%) or increases (33%) the risk to patient privacy and security.  Their primary concerns include insecure exchange of patient information between healthcare providers and government (75% of organizations), patient data on insecure databases (65%), and patient registration on insecure websites (63% of organizations).

IV.  Electronic Criminal HIPAA Attacks Have Risen 100%:

Insecure websites, databases, and health information exchanges are highly vulnerable to both insider and outsider criminal HIPAA attacks and threats.  Criminals are breaching security systems in order to obtain patient health records and commit medical identity theft. Unfortunately, this problem is getting much worse. For example, the Ponemon Institute conducted its first study on the security and privacy of patient information in the U.S. health care system in 2010.  In that year, 20% of organizations reported criminal attacks.  In the latest study, 40% of organizations reported criminal attacks – a 100% increase.

Nevertheless, external attacks are not the greatest concern to providers.  Health care systems report that a bigger security risk lies within their own internal organizations. Seventy-five percent of providers state that employee negligence is their biggest security problem. This risk is followed by the use of public cloud services (41%), mobile device insecurity (40%), and cyber-attacks (39%).

Clearly, employee negligence and the use of insecure mobile devices are a significant concern. Yet, nine in 10 (88%) organizations have a “bring your own device” (BYOD) policy. This allows employees and medical staff to use their own personal mobile devices, such as a smartphone or tablet, to connect to the organization’s internal network or email system.  These BYOD policies present new risks – many of the personal devices are harder to manage, control and secure. In the study, more than 50% of health care providers are not confident that their employees’ personally owned mobile devices are secure.

“Employee negligence, such as a lost laptop, continues to be at the root of most data breaches in this study. However, the latest trend we are seeing is the uptick in criminal attacks on hospitals,” said Mr. Ponemon, in a March 12 press statement. “The combination of insider-outsider threats presents a multi-level challenge, and healthcare organizations are lacking the resources to address this reality.”

V.  The HIPAA Final Omnibus Rule Imposed New Requirements on Covered Entities and Business Associates:

Under the HIPAA Final Omnibus Rule[1], both covered entities and their business associates must conduct an incident risk assessment for every data security incident that involves protected health information (PHI). The purpose behind the Final Rule was to strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Act as well as the privacy and security provisions under HIPAA for health information.

However, only 51% of respondents said they are in full compliance whereas 49% report they are not compliant or are only partially compliant. Moreover, 39% indicate that their incident assessment process is not effective and cite a lack of consistency and inability to scale their process as the primary reasons.

While only half of the providers are themselves fully compliant, most do not trust their business associates with securing private patient health information.  Seventy-three percent of the organizations are either somewhat confident (33%) or not confident (40%) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. In contrast, only 30% are either very confident or confident that their business associates are appropriately safeguarding patient data as required under the Final Rule.

What type of business associates are most concerning to providers? Respondents indicated that IT service providers, claims processors and benefits management were the most worrisome.

For those health care organizations that are fully (or somewhat) compliant with the HIPAA Omnibus Rule’s requirements, most are relying on internal policies and procedures to do so. Fifty-five percent of organizations agree they have the policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss or theft. Yet, organizations cite shortfalls in their budgets, technologies, and resources that prevent them from fully safeguarding PHI. Moreover, only 46% have personnel on hand who are knowledgeable about the HITECH Act and states’ breach notification laws.

So, has the Final Rule had an effect? A plurality (44%) of the responding providers indicate that yes, the Final Rule has affected their programs in better protecting patients.  However, 41% indicate that it has not, while 15% say it is too early to tell.

VI.  Final Remarks:

As the latest Ponemon Institute study reflects, health care organizations face a series of problematic issues with safeguarding private patient health information. While data breaches may be on the decline, they remain a pervasive problem for all organizations.  While many respondents indicate that the ACA is putting patient data at risk, the law does not appear to be going anywhere. Providers must respond to the law’s rules and regulations accordingly and stay up to date regarding any new changes.  Furthermore, health care organizations must adapt to the rise in external criminal attacks without forgetting about employee negligence, a much greater concern.

Finally, health care systems must ensure that they remain fully compliant with the new HIPAA Omnibus Rule.  Greater civil monetary penalties may be imposed for violations on both covered entities and business associates.  Yet, the study reveals that many of these entities are not taking the Final Rule seriously. One of the best ways to become compliant with the law is to adopt a written compliance plan!

A compliance plan may seem like a burdensome exercise.  However, it is one of the best safeguards for a health care organization to consider given the complex statutory and regulatory issues facing providers today.  While we hope that you are one of the few who already have a compliance plan in place, if you need any assistance implementing one – or making your current plan more effective – do not hesitate to give us a call today!

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.

[1] 45 CFR Parts 160 and 164.