By Adrienne Dresevic, Esq. and Clinton Mikel, Esq. of the Health Law Partners, P.C.
Data breaches are on the rise – in its 2017 Annual Breach Year-End Review, the Identity Theft Resource Center (ITRC) found the number of data breaches in the U.S. reached a record high of 1,579 breaches. This figure rose drastically from the 2016 figures ITRC reported, increasing by approximately 45%. In its 2018 Annual Breach Year-End Review, ITRC found the total number of data breaches fell 23% but the amount of exposed personally identifiable information (PII) rose 126% from 2017 figures. ITRC’s March 2019 Breach Summary reported 28 data breaches had occurred in the healthcare industry, exposing more than 960,000 records in March alone.
Department of Health & Human Services (HHS)-Issued Cybersecurity Guidance
To address this rising trend, HHS released guidance regarding cybersecurity practices for the healthcare industry on December 30, 2018. Note that HHS’ guidance is solely intended to be informational, and not required for compliance purposes. That being said, HHS identified major cybersecurity threats to the health care industry as well as steps an entity may take to combat these threats. The guidance includes quick tips and tables with suggested practices to minimize cybersecurity threats. HHS identified the following five cybersecurity threats as being the most prominent to the health care industry:
- E-mail Phishing;
- Loss/theft of equipment/data;
- Insider, accidental/intentional data loss; and
- Attacks on connected medical devices.
Additionally, HHS outlined ten cybersecurity practices it believes each health care organization should adopt and maintain to best protect against these threats. HHS’s guidance provides an overview of each cybersecurity practice and suggestions on how to tailor the practices to the size of the entity (e.g., small, medium, and large organizations). The ten cybersecurity practices identified by HHS are:
- E-mail protection systems;
- Endpoint protection systems;
- Access management;
- Data protection/loss prevention;
- Asset management;
- Network management;
- Vulnerability management;
- Incident response;
- Medical device security; and
- Cybersecurity policies.
While these practices will not guarantee protection against cybersecurity threats, HHS believes they will generally strengthen an entity’s cybersecurity program. Specifically, HHS asserts these practices will enable entities to evaluate and benchmark their cybersecurity capabilities more effectively, improve cybersecurity competencies, and prioritize their actions and investments to improve their overall cybersecurity program.
Radiology providers and suppliers should be aware that data breaches implicate the HIPAA Privacy Rule (Privacy Rule). Under the Privacy Rule, a breach is an impermissible use or disclosure compromising the security and/or privacy of protected health information (PHI). A data breach is considered a breach under the Privacy Rule unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised (LoProCo), based on the following factors: 1) the nature and extent of the PHI involved (including the types of identifiers involved and the likelihood of re-identification); 2) the unauthorized person who used the PHI or to whom it was disclosed; 3) whether the PHI was actually viewed or acquired; and 4) the extent to which the risk to the PHI has been mitigated.
In 2018, the Office for Civil Rights (OCR) reached an all-time high for HIPAA enforcement, obtaining $28.7 million from HIPAA enforcement actions. The 2018 Cost of a Data Breach Study by IBM and the Ponemon Institute showed that data breaches in the health care industry are the most costly of any industry, at $408/record. Health care breaches cost nearly twice as much as those in the next most expensive industry, finance, at $206/record.
In light of the risk and cost of a data breach, radiology providers and suppliers should take proactive steps to ensure they have sufficient policies in place. First, radiology providers and suppliers should be diligent in identifying potential HIPAA violations and data breaches. Penalties are not dependent on actual knowledge, but rather on what the entity should have known. Second, take steps to secure PHI. Securing PHI includes both physical and technical safeguards (e.g., encryption of PHI). Third, take immediate action to address potential or actual HIPAA violations. The category of HIPAA violation is determined in part by the actions the entity has taken to address the situation. Lastly, ensure that a proper cybersecurity program has been implemented.
Radiology providers and suppliers can and should use HHS’ cybersecurity guidance to evaluate their cybersecurity program and ensure they have taken the necessary precautions to protect against data breaches. Not only does the guidance highlight key areas of risk, it also details specific safeguards that are effective in mitigating those risks. Further, radiology providers and suppliers should ensure their HIPAA policies are sufficient to identify potential HIPAA breaches and address them immediately, as the radiology provider’s actions are considered in assessing penalties.
For more information on issues relating to this article, please contact Adrienne Dresevic, Esq. at (248) 996-8510 or by email at firstname.lastname@example.org.
Adrienne Dresevic, Esq, is a founding shareholder of The Health Law Partners, PC, a nationally recognized healthcare law firm with offices in Michigan and New York. Practicing in all areas of healthcare law, she devotes a substantial portion of her practice to providing clients with counsel and analysis regarding compliance, Stark Law, Anti-Kickback Statute, and compliance related issues. Ms. Dresevic is a member of the American Bar Association Health Law Section’s Council, which serves as the voice of the national health law bar within the ABA. Ms. Dresevic is the Section’s Budget Officer. She also served as the ABA Health Law Section’s Co-Chair of the Physicians Legal Issues Conference Committee, Vice Chair of the Programs Committee (Executive Leadership), and Vice Chair of the Sponsorship Committee. She is licensed to practice law in Michigan and New York, and can be contacted at email@example.com.
Clinton Mikel, Esq., is a partner at The Health Law Partners, PC, a nationally recognized healthcare law firm with offices in Michigan and New York. Mr. Mikel graduated from the University of Michigan Law School. Practicing healthcare law, Mr. Mikel concentrates in Stark, fraud/abuse, telehealth/telemedicine, compliance, and the corporate and financial aspects of healthcare practice.
The authors are members of The Health Law Partners, PC and may be reached at (248) 996-8510 or (212) 734-0128, or at www.thehlp.com.