From Bradley Arant Boult Cummings LLP, by Alexis Buese, Eric Setterlund
The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.
The OCR recommends proactive measures to mitigate these threats, including securing partnerships with vendors, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.
The OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports reveal common vulnerabilities and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, audit controls standard, and response and reporting requirements.
Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods like phishing emails, exploiting existing vulnerabilities, and using weak authentication measures. In case of a successful breach, attackers often encrypt or steal electronic Protected Health Information (ePHI) for ransom or future malicious activities.