The healthcare sector is increasingly facing cyber-threats with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, marking a 141% increase from the previous year.  In response to rise in cyber-threats within the healthcare industry covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should be proactive in aiming to mitigate or prevent the growing menace of cyber-attacks. This article will delve into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Cybersecurity Readiness

Cyberattacks dominated the news in 2023, with hacking and IT breaches impacting government bodies, leading corporations, and critical supply chains, including those for vital resources like gasoline. The healthcare sector faced an especially challenging year, as cybercriminals targeted hospitals and healthcare systems. On February 14, 2024, OCR released two Congressional Reports concerning compliance and enforcement under HIPAA.  These documents offer crucial insights for entities regulated by HIPAA aiming to bolster their compliance strategies.

OCR Director Melanie Fontes Rainer stated: “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.” Notably, as in previous years, hacking/IT incidents remain the largest category of breaches and affected the most individuals. Network servers continued as the largest category by location for breaches involving 500 or more individuals.

The breach reports that OCR received revealed common vulnerabilities and deficiencies. OCR was able to identify several areas of improvement for the sector tied to specific HIPAA Security Rule standards. OCR suggested that covered entities and business associates focus on improving compliance with the security management process standard, the audit controls standard, and response and reporting requirements.

Of note, while certain cyber-attacks leverage sophisticated techniques to exploit undiscovered vulnerabilities (known as zero-day attacks), the majority of cyber incidents according to OCR could be either prevented or significantly lessened if covered entities and business associates adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, the exploitation of existing vulnerabilities, and the use of weak authentication measures. In the event of a successful breach, attackers frequently encrypt electronic Protected Health Information (ePHI) for ransom purposes or steal the data for future malicious activities, including identity theft or extortion.

OCR recommends covered entities and business associates take the following best practices to mitigate or prevent cyber-threats:

• Ensuring all partnerships with vendors and contractors are secured by appropriate business associate agreements that clearly outline responsibilities in case of a breach or security incident.
• Embedding risk analysis and management into the core business practices, with regular assessments, particularly when adopting new technologies or altering business operations.
• Establishing robust audit controls to document and scrutinize activity within information systems.
• Conducting periodic reviews of information system activities to identify and mitigate potential risks.
• Adopting multi-factor authentication measures to verify that only authorized individuals access protected health information.
• Securing protected health information through encryption to prevent unauthorized access.
• Learning from past security incidents to improve the overall security management strategy.
• Offering targeted training that aligns with organizational and specific job requirements, emphasizing the essential role of all staff in upholding privacy and security standards, and ensuring such training is refreshed regularly.

Cybersecurity in 2024 And Beyond

Also, this month, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report outlining ways to improve privacy protections for Americans’ crucial health data.  This follows Senator Cassidy’s call last year for input from stakeholders on ways to strengthen the privacy protections of health data within the HIPAA framework, as well as to explore privacy measures for emerging health data sources. In the report, Senator Cassidy presents various recommendations to update the HIPAA framework, protect health data not currently covered by HIPAA, and address data that blurs the lines between health and non-health categories.  The report details that while for more than two decades, HIPAA has played a crucial role in safeguarding patient information, it has struggled to stay up-to-date with the rapid advancements in technology and the introduction of innovative tools that have become integral to modern healthcare. Stakeholders highlighted a pressing need for HIPAA to evolve. They argue that updates are essential for ensuring that patient information remains secure in an increasingly digitized healthcare ecosystem. This call for modernization reflects a broader recognition of the challenges and opportunities that lie ahead in protecting patient privacy in the digital age. 

In his report, Senator Cassidy notes that the United States does not have a comprehensive data privacy law and calls on Congress to fill the gap.  Unlike 2022, which saw the American Data Privacy and Protection Act (ADPPA) make notable progress in the House of Representatives, 2023 witnessed a lull in the push for a sweeping federal privacy statute. Nevertheless, 2024 holds the potential for renewed momentum in advancing the ADPPA (or a comparable proposal). President Joe Biden has notably urged Congress to enact bipartisan data privacy laws, reinforcing this call through a recent executive order on sensitive personal data.  Meanwhile, in the absence of any action on a federal privacy law, we anticipate additional states passing comprehensive privacy laws of their own in 2024.

Indeed, comprehensive privacy bills have been passed or nearly passed by legislatures in New Jersey and New Hampshire, thus far in 2024.  Additionally, as of March 31, 2024, Washington’s My Health My Data Act (MHMDA) will go into effect.  MHMDA is a pivotal health privacy legislation that establishes substantial compliance requirements for businesses handling health data not covered by HIPAA or federal part 2 rules. The significance of this legislation is heightened by its provision for a private right of action, where uncertainties within the law are more likely to be leveraged by plaintiffs’ attorneys.

CONCLUSION

The OCR reports are a clear reminder of the need for healthcare organizations to enhance cybersecurity preparedness. As healthcare organizations navigate the complexities of the digital age, the importance of cybersecurity cannot be overstated. By prioritizing preparedness, resilience, and a culture of cybersecurity awareness, healthcare organizations can not only protect themselves against the financial and reputational damage of cyber attacks but also, and most importantly, safeguard the well-being and privacy of the patients they serve. The journey towards comprehensive cybersecurity preparedness is ongoing, requiring vigilance, adaptability, and a unified effort to ensure the health and trust of the global community. Bradley has extensive expertise in guiding clients through mass arbitration claims and stands in a unique position to help businesses tailor dispute resolution clauses that best fit their specific requirements.