Hacking is on the rise, according to the latest data. Recent data indicates Covered Entities (CEs) such as home health agencies and hospices are more at risk than ever of data breaches. Do you know what to do if you’re a victim?

In June, July, and August alone, 90 breaches impacting 500 or more people rocked healthcare with a substantial loss of protected health information (PHI) and electronic PHI (ePHI), affecting the records of 3.2 million individuals, according to the HHS Office for Civil Rights (OCR) breach portal. Across the board, providers bore the brunt of the data outages, but health plans and business associates (BAs) were hit hard, too, according to the OCR information. Hacking was the principal culprit for loss of patients’ data, says the OCR breach portal guidance.

What happens in the aftermath of a major data breach like the ones highlighted in the OCR breach portal this summer can make or break a CE. The costs to locate and stop the issue can be extreme, and often mean a complete shutdown of day-to-day operations until the problem is fixed. And for HIPAA violations involving 500 or more individuals, the notification process brings both physical and fiscal challenges as well. Staff must alert the feds, state officials, the media, business associates, and patients as soon as possible.

Even if that all goes smoothly, HHS and others will have questions about the why and how of the data breach. During this part of the investigation, “the OCR will say, ‘shoot us your policies and procedures,’” cautions Brand Barney, security analyst with Security Metrics in Orem, Utah. “And they are going to go in with the assumption that you’ve done nothing, especially if you have no documentation.” That’s when audits of administrative and technical safeguards usually ensue.

As the dust settles, repercussions may include Civil Monetary Penalties (CMPs) from the government and required corrective action on the part of the CE.
And as the costs related to new health IT products, staff training, risk planning, and outside legal/IT assistance pile up, patients and referral sources may worry that your agency cannot secure health and personal data, and they may find other providers.

Cut Data Breach Costs With HIT-Savvy Protocols

That’s why a strong course of action is essential to combat issues before they happen, protecting both your patients and your organization, suggest IBM and the Ponemon Institute in a collaborative study, “The 2018 Cost of a Data Breach: Global Overview,” published in July. According to the research, organizations can expect a cost of around $148 per lost record. For large-scale breaches, where thousands of individuals’ PHI or ePHI is compromised, that could amount to millions of dollars.

Interesting: The IBM/Ponemon research uncovers a rise in hacking in line with the 2018 data breach results on the OCR breach portal. “Forty-eight percent of all breaches in this year’s study were caused by malicious or criminal attacks,” the report notes.

However, two factors that greatly reduced costs and the probability of a data breach were the use of device encryption and incident response, explains the IBM/Ponemon Institute study. “An incident response (IR) team reduced the cost by as much as $14 per compromised record,” the report stresses. “Hence, companies with a strong IR capability could anticipate an adjusted cost of $134, down from $148 per record.” The study also indicates that “the extensive use of encryption reduced cost by $13 per capita, for an adjusted average cost of $135, down from $148 per record.”

Note: The IBM/Ponemon Institute report is at www.ibm.com/security/data-breach.