HIPAA risks change constantly – and so must our response to them. The latest HIPAA statistics reveal how HIPAA risk is shifting (and increasing):
- Hackers spend MORE time targeting small businesses: “An average employee of a small business with less than 100 employees will receive 350% more social engineering attacks than an employee of a larger enterprise.”
- The healthcare industry receives the largest amount of cyberattacks (23%).
- The average healthcare ransom paid is $875,784.
- The average cost of a forensic investigation in a healthcare ransomware case is $62,724.
- The largest ransom paid in 2021 was $5.5 million.
- In 82% of ransomware cases, hackers claim to have exfiltrated data.
BakerHostetler’s 2022 Data Security Incident Response Report (Reporting 2020 data)
- In 2020, OCR received 656 breach notifications affecting 500 or more individuals (a number that increased by 61% over the prior year).
- In 2022, OCR received 66,509 breach notifications affecting fewer than 500 individuals.
It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.
Do you know your HIPAA stats?
One way to find out how your organization compares is to conduct an internal survey about employees’ knowledge of data breaches and appropriate/inappropriate computer practices. Surveys can be a great starting point to build an effective, tailored training program to improve employee performance and reduce human error. Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.
The human factor of a ransomware attack makes it extremely difficult to prevent. If a covered entity or business associate suffers a ransomware attack, it is presumed that a HIPAA breach has occurred. Are you prepared? The prevalence of ransomware attacks in healthcare makes it crucial to PLAN for a ransomware attack (rather than hoping one does not occur).
Steps you can take:
- Obtain cyber insurance if you have not already done so.
- Conduct (and update!) your HIPAA Security Risk Analysis to identify and reduce your cyber risks.
- Backup, Backup, Backup. Because it is impossible to eliminate the risk of a successful ransomware attack, a strong data backup process is needed. Hackers frequently encrypt backup files. Backup systems that are immutable or air-gapped is a must. Immutable backup files cannot be deleted or changed by anyone including hackers. These files can only be downloaded, restored or viewed. Air-gapped backup files are physically separated from a network.
- Test your backup. How long would it take you to get back online if ransomware disrupted your system?
- Verify you have a strong real-time network monitoring plan. Phishing emails are examples of cybersecurity threats that easily bypass typical firewall and endpoint protection (anti-virus applications). Managed detection and response (MDR) applications use artificial intelligence to learn a network’s normal activity and behavior. MDR identifies atypical network activity that may arise from a successful phishing attack and provides 24/7 outsourced security monitoring.
- Maintain a network audit log. Audit logs are a HIPAA requirement. An audit log provides a detailed record of all network activity. It is virtually impossible for a threat actor to bypass audit logs. They may attempt to delete or edit audit logs to cover their tracks. An audit log does not stop a threat actor, but will record their activity. A log management system will collect information from various network sources such as firewalls, antivirus applications, remote desktop applications, VPN connections, routers, workstations, mail servers, web servers, data servers and more. If a cybersecurity incident is suspected, the forensic investigation team (including legal) will ask for an audit log. The audit log will confirm an attack and provide detailed information on the depth of network intrusion, which is necessary to conduct a HIPAA breach investigation.
- Establish a Business Continuity Plan. With a good backup system, critical data files can be restored. A ransomware attack stops all electronic activity – for example: internet access, clinical applications, cloud-based applications and data, patient information, billing, accounts receivable, ordering supplies, paying bills, payroll, email, access to documents or spreadsheets. Getting a network up and running can take weeks or months before everything is back to normal. A business continuity plan identifies functions necessary to continue operations and business activities. The plan includes procedures to restore hardware, software and data access that are needed to re-establish critical clinical and business activities.
- Provide HIPAA stats to everyone at the Compliance Committee and Board levels. These individuals need to know how the organization guards against ransomware attacks. Knowledge of the risks and organizational response provides valuable information for your leaders to make informed organizational strategic decisions.
Sign up for MPA's Virtual HIPAA Training Course