A majority of companies, including healthcare organizations, now rank cybersecurity risks as greater than natural disasters, fires and other major business risks, according to a new survey by the Ponemon Institute.
In a previous study, Ponemon put the average cost of a data breach at $188 for each lost or stolen record.
Looking at healthcare in particular, it reported that 94 percent of the 80 participating healthcare organizations experienced at least one data breach that they were aware of in the previous two years, and that such breaches cost organizations a total of $6.78 billion annually.
Among the new survey findings:
- Protecting against the financial impact of cyber security risks ranks as high as or higher than other insurable risks.
- Responsibility for managing that risk is moving outside the IT department, with risk management or compliance officers more likely to manage that.
- Most companies either have cyber security insurance or are considering adoption. Thirty percent of respondents note that their company has no interest in purchasing a policy at this time.
Healthcare and pharmaceuticals represented the third-largest industry segment polled.
Jared Rhoads, lead author and senior research specialist for a report from CSC’s Global Institute for Emerging Healthcare Practices, previously recommended taking a holistic approach to managing the risk posed by cyber criminals.
Privacy experts speaking at the Healthcare Privacy Summit earlier this summer said healthcare organizations tend to be too reactive in their approach to health data security.
But the industry is waking up to the risk. A new survey of the cyber security workforce by the public-private partnership Semper Secure just found healthcare the fourth-largest employer of cyber professionals after government, manufacturing and defense/aerospace.
To learn more:
– Read the Ponemon survey report (.pdf)
– Here’s the Semper Secure survey (.pdf)
<Reprint of article by Susan D. Hall – FierceHealthIT ©2013>
As Brian Horowitz writes in his article on eWeek:
“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.”
While this is not entirely new information, and those who know Kali Systems know that we have been promoting this fact for quite some time now, the news really is that the regulators are focusing on this now – and have a meaningful enforcement arm (the Office of Civil Rights) and a penalty structure which is, frankly, quite intimidating.
The article also states:
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
The IT vendors that healthcare practices use will often have access to their EHR, be responsible for data backup and otherwise have broad access to a great many forms of ePHI in the practice. That privilege comes with some serious responsibility and obligation to comply on the part of the vendor. The practice is ultimately responsible for assuring that their vendors meet the standards and have compliant Business Associate Agreements in place prior to providing access to protected data.
The Risk Assessment process, as outlined by HHS guidelines, clearly includes a review of all Business Associates as part of the process. Our Risk Assessment product covers this requirement, along with other requirements necessary for Meaningful Use attestation.
Please see the full eWeek article by Brian Horowitz here:
Alert for current virus activity.
Our scanning gateways identify virus and spam activity occurring in the wild. Over the last few days, the gateways have reported a very high number of hits with a particular virus. Though the messages differ slightly in subject line and attachment name, all reference a BBB Complaint either in the subject or the body of the email, and all carry an attached PDF file which is actually an executable file. All contain the virus Mal/BredoZp-B (as identified by Sophos).
Virus infection is a costly event in any environment, but it is significantly more sensitive in a healthcare setting. What is the virus doing? Is it accessing local data and reporting it back to an outside party? What data may have been accessed? At the very least, it is an “incident” to be dealt with, documented and evaluated for any possible data access. At worst, it can become a reportable breach.
All practices should have strict policies about opening attachments in email from unknown sources or with any suspect attributes. What is even more effective is gateway scanning which simply does not allow the delivery of any executable attachments. Our SafeMail services/gateways do exactly that and all practices should consider gateway scanning whether from Kali Systems or any other outside provider.
Kali Systems will continue to post alerts when a particular virus appears to be extremely widespread.
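The alert above describes the mitigation in one sentence: a gateway that refuses to deliver executable attachments, including ones named as if they were PDFs. The following is an added illustration of that check, written for this page and not part of Kali Systems' SafeMail product or of the original alert. It builds two constructed MIME messages with Python's standard `email` library (one carrying a fake "BBB_Complaint.pdf" whose content starts with the Windows executable `MZ` header, one carrying a genuine-looking PDF), then inspects each attachment's content rather than trusting its file name. The magic-byte table and extension list are a deliberately small assumed subset; a production gateway would use a full file-type library and a maintained policy.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Content signatures (assumed subset for illustration; real gateways use a fuller table).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}
PDF_MAGIC = b"%PDF-"
# Extensions refused outright regardless of content (assumed policy, not the product's).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def classify_attachment(filename, data):
    """Return ("block" | "allow", reason) for one attachment.

    The declared name is never trusted on its own: content is checked first,
    so an executable renamed to .pdf is still caught.
    """
    name = (filename or "").lower()
    ext = os.path.splitext(name)[1]
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "block", f"{description} content despite name {filename!r}"
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable extension {ext!r}"
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        return "block", "declared PDF but content lacks the %PDF header"
    return "allow", "no executable indicators"


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # base64 decoded to raw bytes
        verdict, reason = classify_attachment(part.get_filename(), data)
        findings.append((part.get_filename(), verdict, reason))
    return findings


def should_deliver(raw_bytes):
    """Gateway decision: deliver only if no attachment was blocked."""
    return all(verdict == "allow" for _, verdict, _ in scan_message(raw_bytes))


def build_sample(filename, data, subject):
    """Construct a test message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "billing@example-clinic.test"
    msg["Subject"] = subject
    msg.set_content("Please review the attached complaint.")
    msg.add_attachment(data, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()


# Constructed samples: the "MZ" bytes mimic only the PE header, nothing runs.
SAMPLE_MALICIOUS = build_sample(
    "BBB_Complaint.pdf", b"MZ\x90\x00" + b"\x00" * 60, "BBB Complaint Case #0000"
)
SAMPLE_BENIGN = build_sample(
    "invoice.pdf", b"%PDF-1.4\n% constructed sample document\n", "Invoice"
)

if __name__ == "__main__":
    for label, raw in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, "deliver" if should_deliver(raw) else "quarantine", scan_message(raw))
```

Content-first classification is the point: the attachment in the alert is refused because its bytes say "executable", not because of what its name says, and a renamed file that does have a PDF header but an executable extension is still refused by the extension rule. Quarantining, rather than deleting, keeps the message available for the incident record the alert says each infection requires.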
It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.
Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associates, outline 10 tips for preparing for an OCR audit.
1. Learn your compliance status. This goes for both the HIPAA privacy and security rules and the interim final breach notification rule. According to Sher-Jan and Apgar, every covered entity should gain a full understanding of its compliance and gaps with these rules. Conducting an evaluation or gap analysis of HIPAA privacy, security, and breach notification requirements, they said, is the logical starting point. And don’t forget about your business associates, since they can pose a “significant risk” as well. Remember, they warned, that the HIPAA security and privacy rules have been with us for several years, and the interim final breach notification rule was effective September 2009.
Don’t get caught unprepared!
On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”
If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.
This week’s news highlights the growing need to take proactive steps to protect sensitive data. It’s time to take notice, before your organization has to give notice of a data breach.
The Office of Civil Rights (OCR), responsible for enforcing HIPAA regulation, has announced the hiring of KPMG of McLean, VA to implement an audit program of covered entities and business associate compliance with the HIPAA privacy and security standards. This action marks the first time proactive “periodic audits”, as required by the HITECH Act, will be implemented. Until now, investigations have been in response to complaints.
For the second time this week, the Department of Health and Human Services (HHS) has announced stiff penalties for HIPAA violations. This may signal the start of stronger HIPAA enforcement action by the Office for Civil Rights (OCR) and a sign of things to come when HHS rolls out its HIPAA compliance audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
On February 22nd, HHS announced a landmark civil monetary penalty (CMP) against Cignet Health of Prince George’s County, Md., for violations of the Privacy Rule. The $4.3 million penalty was imposed for failing to provide 41 patients with copies of their records in the time frame required by HIPAA, and for failing to cooperate with the OCR investigation. It was the first time a penalty was assessed for Privacy Rule violations, and the first time the increased penalty amounts authorized by Section 13410(d) of the HITECH Act were applied.
As I reviewed the provisions of HIPAA Security and Privacy provisions with a lead surgeon who heads a small but bustling medical practice, I could tell he would rather be in a treatment room with a patient than sitting in the lunch room with me discussing one of a legion of requirements and regulations. “Do other doctors really do this?” he asked, his head buried in his hands.
Protecting sensitive data is a hot button. Criminal data theft and fraud have grown alongside the explosion of day-to-day dependence on the internet, wireless and mobile technology. The Identity Theft Resource Center reported 662 data breaches in 2010, affecting 16,167,542 records. 76% of these records included Social Security numbers.