Several major security vendors just released their latest analysis of threat activity and their findings portend a busy time for IT and security teams in healthcare. Almost all indicators of threat activity from malware to targeted hacking are up.
In the last month we witnessed another health system, Erie County Medical Center (ECMC) in Buffalo, NY, fall victim to a serious cyber attack that disrupted critical systems and communications. While they haven’t communicated it yet, the expectation is that this is yet another massive ransomware or zero-day malware attack of the kind that has proven so effective against healthcare over the last 24 months. ECMC has been praised for its quick response, and it reportedly has received assistance from other healthcare organizations near it, a testament to the industry, which has helped to mitigate the impact of the attack. But their situation has lasted for two weeks and is not yet over, a distraction that no hospital system would want.
Many healthcare organizations have taken steps to improve their cyber defenses and have increased their budgets for security technology and services. Yet healthcare as a whole is not any more or less prepared for these types of attacks. The problem is that healthcare is unfortunately in the sweet spot for these attacks. As an industry, healthcare holds considerable amounts of valuable information, making it a lucrative target. It also relies heavily on that information for what it does, and taking away that information, or the systems that deliver it, can seriously harm patient safety and care, not just disrupt operations or cost revenue. As a result, healthcare is the perfect target for the cyber criminal.
Interestingly, at the same time we see this cyber offensive continuing to escalate, we also are seeing a very serious and active response by the Office for Civil Rights (OCR) with respect to its compliance review and breach investigation activity, and as a result, a higher number of resolutions thus far in 2017. If they maintain their current level of activity we could see four times the number of resolutions as we saw last year, which was touted as a record year. As of this last week there have been seven resolution agreements totaling $14.3 million.
According to OCR Director Roger Severino and members of his staff who have spoken publicly at various events or have been interviewed, enforcement of the HIPAA security and privacy rules is a priority for the division. Common themes in those resolution agreements included a lack of or inadequate risk assessment, inadequate access controls, missing or dated policies, a lack of documentation of risk measures or remediations, inadequate privacy monitoring activities, a lack of training, and missing or dated business associate agreements. You are probably thinking there is nothing new here, and you’re right. The question is why we continue to commit these mistakes or lapses in judgment. OCR might be wondering the same thing, which might explain what amounts to the next evolution in its compliance review activity.
For months now we have been telling healthcare organizations we work with and who attend our educational seminars that they need to pay attention to all their breach activity, not just the big ones, and that they need to build their own breach database and analyze that data for trends. We have been doing this because OCR has been on a path to improve its own ability to do just that, building the infrastructure and databases needed for its regulators to analyze an entity’s whole breach activity, not just the current one.
We have also advised organizations to report breaches, no matter their size, right away rather than waiting until the end of the year and aggregating the small ones. It seems we have arrived. OCR has recently issued compliance reviews based on the aggregated reporting of small breaches across a calendar year. It should be noted that this review is not trivial: OCR has requested numerous documents and answers to questions for each individual breach reported for that year. Also, this review, consistent with current practice, is fairly broad in its request for information and seeks to answer whether the organization’s compliance program was sufficient.
What’s notable here is that this is the first time we have seen OCR take this approach to a compliance review. It demonstrates that OCR now has the resources and the organization of information to support this type of review. It also demonstrates a more systemic review of compliance. Enforcement is evolving and stepping up to meet what OCR clearly believes is a serious fight: to protect patient information and keep it confidential.