We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. Since healthcare organizations and their business associates are required to notify affected individuals in the event of a breach under HIPAA, we continue to see a high frequency of healthcare breaches in the report. While healthcare incidents are disclosed more frequently due to the presumption of a breach under the HIPAA Omnibus rule, the severity when measured by number of affected individuals is often low, with many incidents affecting fewer than 10 people.
Our experience in healthcare breaches is that the causes run the gamut. They may be paper breaches caused by employee negligence, the loss or theft of unencrypted electronic devices, insider theft of patient information, phishing, or malware. The report confirmed the trend that has continued into 2015 of healthcare organizations being the target of sophisticated phishing email campaigns, some of which resulted in the rerouting of physician paychecks, exfiltration of large volumes of patient data, and others emails that were accessed/viewed but not acquired. This year, we have continued to see phishing as the entry point into healthcare organizations and expect it to continue since it is difficult to prevent. Healthcare organizations are encouraged to continuously educate their staff on phishing emails and their impact, and to put in technical safeguards to protect against such attacks.
The report further verifies that the Department of Health and Human Services Office for Civil Rights (OCR) remains true to its word on investigating healthcare organizations following a reported breach. When a breach involving more than 500 individuals is reported, the OCR investigates the covered entity 100 percent of the time. Even with breaches of fewer than 500 persons, OCR has investigated in a small number of cases. This trend continues into 2015, with state attorneys general also initiating investigations when their state law is triggered in a healthcare breach.
Healthcare organizations continue to be the target of identity thieves, organized crime, and foreign state-sponsored activity. Federal and state statutes are being refined, providing additional protections to affected individuals and more, and more, states are including health information as a trigger for notification. Electronic health records, cloud computing, and offshoring of data present additional challenges in securing protected health information (PHI).
Covered entities should be vigilant and put into place all feasible safeguards to protect against breaches, regulatory violations, and third-party claims. First, the covered entity should ensure it has met the administrative requirements under HIPAA with appropriate policies and procedures in place, staff training and education, designated privacy and security officers, and periodic security risk analyses and risk management plans. In our experience, the most frequent stumbling block for covered entities responding to OCR is the existence of current and historical risk analyses and corresponding risk management plans. It is now common for the OCR to request six years of this documentation, which for the most part is more robust today than it was six years ago. Covered entities should also put into place all reasonable technical and physical safeguards to maximize compliance with the HIPAA Security Rule. Encryption is a must today on all devices, unless specifically prohibited. The organization should also regularly educate staff on security threats through annual required training, regular employee communication, or focused educational sessions, as appropriate.
