A HIPAA breach is one of a healthcare company’s worst nightmares. If you’re responsible for managing a healthcare company’s network, HIPAA can quickly become your nightmare too if you’re not prepared.
The fines alone for breaking the Health Information Portability and Accountability Act (up to $1.5 million a year) are enough to make any business person sweat bullets.
But there is tremendous reward for IT providers who are willing to manage the risks and help healthcare professionals secure their networks.
A great place to start is to know the top causes of HIPAA violations and steer clear of them.
We analyzed data from the HIPAA breach portal maintained by the U.S. Department of Health and Human Services Secretary to find the most common types of breaches and create the chart below. The data includes HIPAA breaches since 2009 that affected more than 500 individuals.
The top three types of HIPAA breaches found in the notice are reviewed below.
According to the U.S. Department of Health and Human Services, theft is still the top cause of a HIPAA breach.
The department defines theft as “equipment housing electronic protected health information or paper records stolen, or stolen.”
Unfortunately, due to their perceived value, laptops and mobile devices remain a common target for thieves.
One of the best ways to protect a healthcare facility against the risk of a HIPAA breach due to stolen hardware is to encrypt the data on all devices and require a password.
That way, if a machine is stolen, the data will be encrypted and therefore useless to the thief. This frees the covered entity from having to report a data breach (as long as all the rules of HIPAA data encryption are followed).
Preventing the device from being stolen in the first place is also a wise approach. This falls under “physical security,” which is all too often ignored when creating a data security plan. Read up in this physical security resource from SANS.
If using stationary devices, the same rules apply. Someone can access patient information just as easily on an unguarded desktop computer as they can on a stolen laptop.
Extra measures to take when protecting a stationary device include storing the device in a room where only those authorized to use the computer have access to it, and asking security to make regular rounds checking up on the device.
Standing in as the “catch all” category of the Department’s notice, snooping, accidental third-party disclosure, and human error fall into the group of unauthorized access/disclosure.
Employees who comb through protected records for personal information they are not authorized to access for any reason are a huge HIPAA liability for a healthcare company.
The government does not take snooping lightly either, with some offenders being sentenced to hard time.
Some ways to combat snooping in your client’s facility include educating employees on the risks and consequences associated with snooping, beginning when they are hired.
Implement strict policies that outline the consequences for snooping, be it suspension or termination of employment.
Give the minimal amount of access necessary for employees to do their jobs. Employees won’t snoop if the temptation isn’t there to begin with.
Create fake health records for celebrities, and see who accesses the files. This can give your client an indication of how widespread snooping may be within their company.
HIPAA breaches caused by snooping should not be taken lightly by you, your client, or your client’s staff.
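The decoy-record check described above can be run against an access audit log, shown here as an added example that is not part of the original article. The CSV column names, decoy record IDs, service account name and log lines are all constructed for illustration; a real EHR audit export will differ.

```python
import csv
import io
from collections import defaultdict

# Constructed decoy record IDs: fake patients that no one has a care reason to open.
DECOY_IDS = {"MRN-900001", "MRN-900002"}

# Constructed service accounts that read every record (backup, indexing) and
# would otherwise fill the report with false positives.
SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed sample audit log; a real EHR export will use different columns.
SAMPLE_LOG = """timestamp,user,patient_id,action
2016-03-01T08:14:02,jdoe,MRN-104233,view
2016-03-01T08:20:45,asmith,MRN-900001,view
2016-03-01T02:00:00,svc-backup,MRN-900001,export
2016-03-01T09:02:11,asmith,MRN-900002,view
2016-03-01T09:30:19,jdoe,MRN-104233,update
2016-03-02T13:47:50,bwong,mrn-900001 ,print
"""


def find_decoy_access(log_text, decoy_ids=DECOY_IDS, ignore=SERVICE_ACCOUNTS):
    """Return {user: [(timestamp, patient_id, action), ...]} for decoy hits."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Normalise: exports often differ in case and carry stray whitespace.
        patient = (row.get("patient_id") or "").strip().upper()
        user = (row.get("user") or "").strip().lower()
        if patient in decoy_ids and user and user not in ignore:
            hits[user].append((row["timestamp"], patient, row["action"]))
    return dict(hits)


def rank_users(hits):
    """Users ordered by number of distinct decoy records opened, then by name."""
    return sorted(hits, key=lambda u: (-len({p for _, p, _ in hits[u]}), u))


if __name__ == "__main__":
    report = find_decoy_access(SAMPLE_LOG)
    for user in rank_users(report):
        for ts, patient, action in report[user]:
            print(f"{user}\t{ts}\t{patient}\t{action}")
```

Keep the ignore list short and reviewed, since any account on it can open decoy records without appearing in the report.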
Another subset of unauthorized access is third-party disclosure.
Third-party disclosure can happen when a healthcare facility outsources work to another company, who then may breach HIPAA regulations.
If patient records aren’t properly secured, the healthcare company could be looking at paying a fortune in HIPAA violation fines, even if no one from the company is directly responsible for the breach.
That’s right – if the healthcare facility doesn’t have a business associate agreement (or BAA) in place at the time of service, and the company contracted breaches HIPAA regulations, the healthcare company will be on the hook for the fines.
So if your client contracts a billing company, and a laptop belonging to one of the contracted company’s employees is stolen, the healthcare company is responsible for any and all compromised patient information in the eyes of HIPAA.
The best way to protect your client in a situation like this is to have a BAA in place with the company they are working with.
Whether it’s misplacing a file, forgetting to shred a document, or unknowingly opening a phishing email, human error is to blame for a large portion of HIPAA violations.
One way a healthcare company can lessen the blow of a breach (and a HIPAA violation fine) is to simply train and remind staff to keep information secure.
Set up signs by trashcans and recycling bins that remind employees to shred/properly dispose of health records.
Hold training sessions that focus on key points of security weaknesses, such as email phishing, password best practices, and logging out when ending a computer session.
Social media can also put your client in hot water, even if names and other information are omitted.
Enact policies that prohibit employees from posting any information about patients in your company’s care online.
Hacking and IT incidents can cause big problems for healthcare facilities, including problems with HIPAA.
This category is described as “ePHI impermissibly accessed through technical intrusions (including by malware or directed hacking) to the covered entity’s or business associate’s systems, servers, desktops, laptops, mobile devices, etc.”
Malware, particularly ransomware, has strengthened its grip on the healthcare industry, costing facilities thousands in exchange for captive information.
A recent example of a successful attack was one that targeted Hollywood Presbyterian Medical Center in February of this year.
Hackers demanded a ransom for access to patient files, ultimately costing the center roughly $17,000. The hospital was offline for over a week.
Ransomware attacks can sneak in through spoofed emails and malicious attachments, so emphasizing user caution in employee training sessions is a great way to prevent successful breaches from occurring.
As displayed in the chart above, breaches caused by theft made up a whopping 44% of all breaches mentioned in the notice.
Unauthorized access/disclosure caused 23% of breaches, with hacking/IT incidents causing 12%.
Loss accounted for 7% of reported breaches and improper disposal came in at 3%.
Other causes that did not fit into the former categories made up the remaining 11% of incidents.
Above all, consistently adhering to the HIPAA regulations and a sound security policy are the best ways to prevent a breach.