PRIVACY: HIPAA & Cyberattacks

Throughout the most challenging moments of COVID-19, we saw firsthand what happens when our healthcare systems are overwhelmed and stretched to the brink. That breaking point is tested even further when these systems are forced to defend against cyberattacks at their weakest moments. At the high point of COVID, multiple healthcare systems were hit with cyberattacks, and the impact was sizable.

Cyberattacks are not only devastating to healthcare systems; they can also have an adverse effect on patient outcomes. In a recent survey by the Ponemon Institute, more than 20% of the healthcare organizations surveyed reported that patient mortality rates increased after cyberattacks. Ransomware attacks in particular had an outsized impact on patient care: over 60% of the organizations surveyed said that these attacks resulted in testing delays, and roughly the same number reported longer patient stays. Taken together, this means that in the healthcare sector, the greatest threat to the privacy and security of protected health information is cyberattacks.

Recently, one of the largest non-profit healthcare systems in the country, Banner Health, reached a settlement of $1.25 million for a cybersecurity breach that affected nearly 3 million patients. This makes Banner Health the latest healthcare provider to settle over, or suffer from, a cybersecurity attack. The U.S. Department of Health & Human Services Office for Civil Rights had been investigating Banner, even before the start of COVID, due to evidence of Banner Health’s long-term, pervasive noncompliance with the HIPAA Security Rule. Luckily, the HHS is looking out for individual patients and protecting their information by forcing healthcare organizations into privacy compliance.

According to the HHS, there is a specific checklist that healthcare systems must follow in the event of a cyber-related security breach. Here are a few of the key details:

  1. Organizations must execute the response and mitigation procedures and contingency plans that the HHS requires them to have in place. This means that organizations must first take steps to contain and resolve the attack, then mitigate any impermissible disclosure of protected health information.

  2. Next, they must report any attacks to law enforcement agencies (such as the FBI or local/state departments). These reports should not contain your protected health information.

  3. They must also report all cyber threat indicators to federal agencies and to information-sharing and analysis organizations (including the Department of Homeland Security). Likewise, these reports should not contain your protected health information.

  4. Finally, any attack affecting more than 500 people must be reported to the HHS Office for Civil Rights, and all impacted individuals must be notified as soon as possible. If fewer than 500 individuals have been affected, they must be notified without unreasonable delay.