Organizations that handle healthcare data need to understand the risks, requirements, and ramifications in order to make prudent decisions on how best to protect it.  Let’s start with the risks.

HIMSS published their 2018 healthcare survey and found that most healthcare organizations (over 75%) have had a significant security incident in the past 12 months.  Health data is being targeted by hackers for the value it brings on the dark web as it can be used for identity theft to open new credit accounts.  It takes far longer for an individual to determine that their identity has been stolen than it does for them to be alerted to unusual activity on a stolen credit card, so the personal information in health data is more valuable to hackers.

How do the hackers gain access to the data? Email phishing tops the list, but compromised networks and web applications, misconfigured cloud services, and guessable credentials were other common methods.

Of course HIPAA compliance provides a framework to secure this valuable data, so why is this still such an issue?  In many cases organizations do not understand how to properly use the HIPAA guidelines to establish the appropriate technical controls, policies and procedures, including security solutions, threat monitoring and incident response. If your organization falls into this category, an assessment against the HIPAA guidelines by a qualified assessor can help you identify and close gaps that could leave you vulnerable.

Willful neglect of the HIPAA compliance guidelines is another reason that organizations fail to protect health data. This has prompted harsher penalties for those found non-compliant, whether after a breach or during a proactive audit by HHS. The chart below shows the steep price paid by organizations that failed to meet compliance, and should serve as a warning to confirm your own adherence to the guidelines.

2017 HIPAA Fines

| Date | Organization | Fine Total | Link to OCR Settlement |
|---|---|---|---|
| January 9, 2017 | Presence Health | $475,000 | First HIPAA enforcement action for lack of timely breach notification settles for $475,000 |
| January 18, 2017 | MAPFRE | $2,200,000 | HIPAA settlement demonstrates importance of implementing safeguards for ePHI |
| February 1, 2017 | Children’s Medical Center of Dallas | $3,200,000 | Lack of timely action risks security and costs money |
| February 16, 2017 | Memorial Healthcare Systems | $5,500,000 | $5.5 million HIPAA settlement shines light on the importance of audit controls |
| April 12, 2017 | Metro Community Provider Network (MCPN) | $400,000 | Overlooking risks leads to breach, $400,000 settlement |
| April 20, 2017 | The Center for Children’s Digestive Health (CCDH) | $31,000 | No Business Associate Agreement? $31K Mistake |
| April 24, 2017 | CardioNet | $2,500,000 | $2.5 million settlement shows that not understanding HIPAA requirements creates risk |
| May 10, 2017 | Memorial Hermann Health System (MHHS) | $2,400,000 | Texas health system settles potential HIPAA violations for disclosing patient information |
| May 23, 2017 | St. Luke’s Roosevelt Hospital System Inc. | $387,200 | Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k |
| December 18, 2017 | 21st Century Oncology | $2,300,000 | $2.3 Million Levied for Multiple HIPAA Violations at NY-Based Provider |
| **2017 TOTAL** | | **$19,393,200** | |