Why not all healthcare breaches are reported, and what OCR is doing about it.

The numbers just don’t add up.

Ransomware is on the rise, with the U.S. Justice Department estimating 4,000 attacks occurring each day.  Healthcare is a known target because of the value of patient data on the black market, yet only nine organizations reported malware breaches to OCR in all of 2016.

“We’ve see a spike in the number of attacks, but we haven’t seen an increase in reporting. It’s interesting,”said Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney “I wouldn’t be shocked that the number of ransomware attacks are underreported, the analytics undertaken or wasn’t sufficient to demonstrate there wasn’t a breach.”

Why is this such a concern?

“Because ransomware is so common, hospitals aren’t reporting them all,” said ICIT Senior Fellow James Scott. “And ransomware is just the start for more specific actors to send in another attack and start mapping the system.” The reality is that once an incident is detected and investigated, the criminals have often been exploiting these healthcare networks for months, or even years, and tough questions will be asked of the staff and Board if this information is made public.

When should you report?

The 60-day timer starts the moment a breach is discovered, which is the first day the covered entity knew about the breach. And it applies to all staff within the organization. For example, when someone at the help desk learns about a breach, the timer starts then – even if it takes a week for the incident to be reported to higher staff.

What’s next?

The Office of Civil Rights (OCR) is the agency that enforces the HIPAA Privacy and Security Rules, and they have the power to leverage civil money penalties (CMPs) on the covered entities. OCR Public Affair Specialist Lou Burton said “OCR takes the responsibility of enforcement seriously and will continue to hold entities accountable for failing to report a breach in the proper timeframe.” OCR will be looking at breach reporting as part of Phase 2 of the audit program.  A summary report of audit findings can be expected later this year and OCR will follow up with fines or with a corrective action plan.

Don’t leave your organization exposed to punitive action.  A compromise assessment can give you insight into threats that may already be lurking in your network.


Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.