A recent case shows that cybersecurity failures can lead to major penalties. As data security incidents ratchet up and ransomware warnings abound, you may want to beef up your HIPAA compliance — or pay the price.

Context: Last month, the HHS Office for Civil Rights (OCR) announced a massive settlement with Phoenix-based nonprofit Banner Health Affiliated Covered Entities, after the healthcare nonprofit failed to resolve longstanding HIPAA Security Rule issues tied to a 2016 cyberattack. The hacking incident affected the electronic protected health information (ePHI) of more than 2.81 million individuals, with a broad range of patient data exposed through the unauthorized access.
Banner Health racked up a laundry list of potential violations related to the breach that included the following, according to an OCR release:

To settle its issues, Banner Health agreed to pay $1.25 million to the feds and implement an extensive corrective action plan (CAP) that includes two years of OCR monitoring, the resolution notes.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” warned OCR Director Melanie Fontes Rainer in a release on the case. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks.”

Understand These Federal Tools on Risk Analysis

As part of its settlement, Banner Health was required to conduct a thorough risk analysis of its organization to better protect ePHI. Additionally, the organization had to take the knowledge gained from assessing those vulnerabilities, implement stronger procedures and protocols, and manage the risks more effectively.

But how do covered entities (CEs) and business associates (BAs) do that? The HIPAA Security Rule offers healthcare providers and their partners guidance on the requirements, but leaves implementation of the risk analysis and risk management up to the organization.

“The idea that there is a lot of gray area in performing a risk analysis is a common misconception,” says Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “While HHS doesn’t provide a compliance-style checklist for organizations to follow, it does offer extensive guidance on the Security Rule in general and risk assessments specifically.” Stone points to OCR’s resources for professionals as a jumping-off point.
OCR’s online guidance includes text and advice on the various rules, insight on special topics like COVID-19 or telehealth and the intersection of HIPAA, the quarterly Cybersecurity Newsletter, and more.

CEs also have extra help from recent regulatory updates, Stone reminds. “Healthcare organizations trying to make sure they’re in line with HIPAA requirements were given a real boost in 2021, when the HITECH Amendment was signed into law,” she says. “It requires that OCR take into consideration the recognized security practices that a regulated entity has had in place when determining penalties. This gives us much clearer insight into what healthcare organizations are required to do.”

Plus: The HHS Office of the National Coordinator for Health Information Technology (ONC) also offers online IT resources and tools for privacy and security. One downloadable highlight is the Security Risk Assessment (SRA) tool that “help[s] providers from small practices navigate the security risk analysis process,” ONC offers. There are other templates and offerings for CEs and BAs on IT testing, applications, products, and mobile device management.

Important: “Although other standards may be considered acceptable, OCR has only named [National Institute of Standards and Technology] NIST CFR as a recognized security practice at this time,” Stone advises. “The CFR is a risk-based framework that provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.” Stone adds, the NIST CFR “offers a way for organizations to visualize their risk appetite and the processes in place to address risk. The CFR also helps organizations compare their current cybersecurity posture to a future desired state.”

Bottom line: Cybersecurity continues to be a hot-button issue in the healthcare realm. According to OCR, 74 percent of HIPAA breaches in the last recorded year, 2021, can be attributed to hacking or IT incidents.
“In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information,” OCR says. Providers must step up and invest in policies that cultivate HIPAA security and protect data — and analyzing your risk is a good place to start.

Resources: Check out OCR’s tools at www.hhs.gov/hipaa/for-professionals/security/guidance/index.html and ONC’s offerings at www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers. Review the Banner Health case specifics, including a link to the resolution, at www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.