HIPAA compliance standards are constantly changing – as is technology itself. Trying to keep up can be quite the challenge for organizations that operate in this field. There are numerous factors at play, and to no surprise, activity on the cybersecurity front has played a big part in shaping some of the most recent developments.
The FTC vs. LabMD
After investigating two security breaches – one that occurred in 2008 and another in 2012 – the Federal Trade Commission rocked the healthcare industry. It determined that medical testing firm LabMD violated its established act on unfair trade practices. According to the FTC, the Atlanta-based company did not have basic security measures in place. The agency also claims that LabMD breached its own in-house compliance standards by failing to regularly update its IT systems, maintaining a lax password policy, and failing to safeguard its network against known threats.
LabMD challenged the FTC’s claim with a motion to dismiss. Despite an initial favorable ruling by an administrative law judge, the motion was rejected in federal court on appeal. While no patients were harmed in the breach, the Commission took the stance of better safe than sorry. It expressed that the company need not wait until consumers are harmed to take action.
In the appeal, the FTC noted that LabMD exposed personal information belonging to more than 9,000 people. Moreover, it failed to even notify patients of the breach. The court ruled that the company had to protect the data in its possession and obtain third-party evaluations to validate the program’s implementation.
LabMD went out of business in 2014 and ultimately blames the Commission for its demise. There may be another round to go in this fierce legal battle, but as it stands, the outcome is already a huge deal for HIPAA compliance.
More than anything, the fallout stresses the importance of prevention in data security. Timely backups may allow you to recover your data and avoid paying out in a ransomware scenario. The main takeaway is: in the eyes of the FTC, even allowing an infection to compromise your systems could harm your customers, and that may leave you liable for compliance-related damages.
The Ransomware Effect
It was only a matter of time before ransomware directly influenced compliance regulations in one industry or another. Healthcare gives us our first example. The U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) has deemed that an organization may be in violation of HIPAA’s privacy rule if a ransomware infection encrypts healthcare-related data on its systems, even if the information was not stolen or used. The HHS recently released documentation that covers the issue and provides guidance on how the healthcare industry should approach ransomware.
According to the HHS OCR, ransomware victims have to notify patients as well as the HHS with details of the breach. The only exception would be a case where you can prove a “low probability” that there was a data breach. Showing that you have taken action to mitigate risks and that the attacker has not actually seen the data may help. However, even systems that were already encrypted may require thorough evaluation to ensure that the affected data is unreadable and unusable to the attackers.
UK Hospital Dodges Ransomware Attack
One healthcare organization just barely eluded the wrath of ransomware in a recent attack. Papworth Hospital, a global leader in cardiothoracic services, was able to avoid a zero-day exploit and has a timely backup strategy to thank for it.
A nurse at the Cambridgeshire, UK-based facility unknowingly triggered the infection by clicking on a suspicious email. Luckily for her, the ransomware did not encrypt the targeted system until midnight, shortly after the last daily backup had been performed. As a result, Papworth was able to restore a full backup and dodged a disastrous situation that would have compromised sensitive data and critical medical procedures.
When it comes to how deeply ransomware has penetrated the healthcare field, the numbers suggest a bigger issue than many would’ve ever imagined. A whopping 88 percent of ransomware found in the second quarter of 2016 affected the healthcare industry, according to security vendor Solutionary. The Cryptowall strain accounted for 94 percent of all attacks detected. “Healthcare has been a target for ransomware campaigns because the industry has often paid ransom to retrieve vital customer data quickly,” said Rob Kraus of the Solutionary security staff.
All this is unfolding at a time when ransomware is on the rise and the healthcare industry is a prime target of the attacks. The HHS OCR cited a government report highlighting that in 2016, around 4,000 ransomware attacks happened every day. That’s an alarming 300 percent spike from the average of 1,000 daily attacks recorded in 2015.
Data Protection and HIPAA Compliance
One thing to remember is that HIPAA violations are expensive. Fines can range from $100 to $50,000 per violation (or per record). The maximum penalty can reach $1.5 million per year for violations of an identical provision. Healthcare providers and their IT services providers are always looking for the best solution to safeguard against cybercriminals. Ultimately, the best protection is employee education and a solid backup and recovery solution.