Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies.
In 2018, health information alone was just behind Social Security numbers (which can also be protected health information) as the most at-risk data.
Data security incidents are becoming more sophisticated in nature. We’ve noted an uptick in the number of targeted phishing attacks and network intrusion incidents affecting small and large organizations alike. And we’ve observed, along with this increased activity, intensified enforcement efforts by both federal and state regulatory agencies.
The Cost to Healthcare Entities Goes Beyond Dollars and Cents
The cost associated with a cyberattack can be staggering; as described here, the average expense associated with a healthcare organization’s security incident was the highest data breach cost across all industries. But the cost is not merely financial. Many healthcare organizations that experience a data security incident experience reputational harm, which hits them harder than does the financial cost. That harm can be twofold: Patients may lose confidence in the organization, and the organization fears having a “black eye” in front of its state and federal regulators.
Heightened Activity by the OCR and State Attorneys General
The concern over regulatory penalties is warranted, as we’ve seen the number of state and federal regulatory investigations rise this past year. With mounting cyberattacks on healthcare organizations, it’s not surprising that the industry’s primary federal regulator and HIPAA enforcer, the Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR), has been increasingly active. For example, in 2018, we saw a 54.5 percent increase in the number of formal investigations opened by the OCR in response to data security incidents.
This past year, as in previous years, the OCR consistently launched an investigation in nearly every incident involving more than 500 individuals, regardless of the nature of the incident. Each investigation examines not just the specifics of the particular incident, but the healthcare organization’s overall HIPAA compliance. It’s more important than ever that organizations be prepared to demonstrate through their policies and procedures that they have taken a thoughtful and proactive approach to cybersecurity.
Interest by state regulators in healthcare data breaches also increased in 2018, particularly when both HIPAA and state laws are triggered. In conjunction with the OCR investigations, state attorneys general are also responding to healthcare data breaches in the form of civil investigative demands and by issuing their own separate consent orders. For instance, 2018 saw the first multistate attorneys general lawsuit to enforce HIPAA. Further, health plans must answer to additional regulatory bodies, such as state departments of insurance and the National Association of Insurance Commissioners, following breach notification.
Cybersecurity Is at the Forefront of Regulators’ Agendas
Late 2018 yielded new guidance from HHS. Released in December 2018, the HHS Cybersecurity Best Practices report (the HHS Report) evaluates current threats against both large and small healthcare organizations, identifies the common weaknesses of each, and makes mitigation recommendations. We recently published a multipart blog series on the HHS Report. Available here, each post offers a deeper dive into the recommendations and guidance.
Given the increased enforcement in the healthcare space, we view this HHS Report as a road map for organizations and recommend that healthcare organizations incorporate cybersecurity efforts into their institutional culture. The HHS Report states that cybersecurity hygiene in the organizational setting is no less important than is hand hygiene in the clinical setting, and we couldn’t agree more.
For more information, download BakerHostetler’s 2019 Data Security Incident Response Report, or contact your BakerHostetler lawyer.