The Health Insurance Portability and Accountability Act (HIPAA) includes provisions to protect the privacy of protected health information (PHI). The HIPAA rules apply to covered entities (health care providers, health plans, and health care clearinghouses that handle patient data) and to the business associates that process PHI on their behalf.
Even with the 2020 election dominating the news, the second half of October 2020 brought alerts and financial penalties that the healthcare industry cannot ignore. It is nothing new that healthcare organizations, hospitals in particular, are "target-rich" environments for cybercriminals.
According to Maggie Miller of The Hill, "Hospitals and health care institutions preparing for a fall wave of coronavirus cases are bracing for more cyberattacks after hackers seeking to take advantage of the pandemic launched several successful attacks this year that severely disrupted patient services."
The consequences can go well beyond disrupted services. "There are hundreds of cases we have now seen where we can draw a direct line between the cyberattack and deaths," said Pienaar, whose firm helped form the Cyber Alliance to Defend Our Healthcare, a group of nearly 40 major cybersecurity companies that defend health organizations.
Such outcomes follow when PHI is unavailable or its integrity has been compromised: clinicians working from missing or altered records are far more likely to make errors that harm patients.
In the last week of October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-302A, Ransomware Activity Targeting the Healthcare and Public Health Sector, a joint advisory authored by CISA, the FBI, and HHS.
Two findings to highlight are:
- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
These tools let attackers compromise victims more easily, more quickly, and more profitably. Regardless of the size of the covered entity or business associate, whoever is responsible for IT needs to stay current on new attack techniques, staff training, and software patches.
Both individual providers and large healthcare organizations should also think carefully before paying a ransom demand: a payment that reaches a sanctioned actor can itself run afoul of Office of Foreign Assets Control (OFAC) regulations, adding legal exposure on top of the incident.
The final part of the "HIPAA Round-Up" concentrates on two HHS OCR settlements. The October 28, 2020 settlement with Aetna is notable for three reasons:
- The $1 million amount;
- The settlement involved three separate incidents affecting significantly more than 500 individuals; and
- In addition to the impermissible disclosures, Aetna failed to implement the requisite technical, administrative, and physical safeguards.
The October 30, 2020 settlement with the City of New Haven, CT is noteworthy for the following reasons:
- A former employee continued to have access even after being terminated;
- The former employee returned to the worksite after termination and downloaded PHI onto a USB drive; and
- New Haven disregarded its technical, physical, and administrative safeguards. Most fundamentally, it had not been conducting an enterprise-wide risk analysis, a basic HIPAA requirement that was overlooked.
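The New Haven settlement turns on a control that most organizations can check mechanically: when HR records a termination, the account must be disabled, and any login with that account afterward is a finding. The script below is an added illustration, not code from the original post or from the City of New Haven; the HR feed, directory export, log format, user names and hosts are all constructed for the example.

```python
"""Reconcile HR termination records against a directory export and auth logs.

Two checks a practitioner would run after an offboarding failure:
  1. Are any terminated users' accounts still enabled?
  2. Did any terminated user generate activity after their termination date?
All data below is constructed for this example; the log format
"<ISO timestamp> <user> <event> <host>" is an assumption, not a real product's format.
"""
from datetime import datetime

# Constructed HR feed: user -> termination date (ISO date).
TERMINATIONS = {
    "jdoe": "2020-06-01",
    "asmith": "2020-06-10",
}

# Constructed directory export: user -> account enabled?
DIRECTORY = {
    "jdoe": True,     # still enabled after termination: finding
    "asmith": False,  # correctly disabled
    "bjones": True,   # current employee
}

# Constructed authentication / endpoint log lines.
AUTH_LOG = """\
2020-05-29T08:02:11 jdoe login ws-hr-04
2020-06-09T09:15:40 jdoe login ws-hr-04
2020-06-09T09:17:03 jdoe usb_mount ws-hr-04
2020-06-11T07:45:00 bjones login ws-fin-02
2020-06-12T10:00:00 asmith login ws-hr-01
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host = line.split()
        events.append((datetime.fromisoformat(ts), user, event, host))
    return events


def post_termination_events(events, terminations):
    """Return events by terminated users that occur strictly after the
    termination date. Same-day activity is left for manual review, since
    termination may have taken effect partway through that day."""
    findings = []
    for ts, user, event, host in events:
        term = terminations.get(user)
        if term is None:
            continue  # not a terminated user
        if ts.date() > datetime.fromisoformat(term).date():
            findings.append((user, ts.isoformat(), event, host))
    return findings


def enabled_after_termination(directory, terminations):
    """Return terminated users whose accounts are still enabled."""
    return sorted(u for u, enabled in directory.items()
                  if enabled and u in terminations)


if __name__ == "__main__":
    for user in enabled_after_termination(DIRECTORY, TERMINATIONS):
        print(f"ACCOUNT STILL ENABLED: {user} (terminated {TERMINATIONS[user]})")
    for user, ts, event, host in post_termination_events(parse_log(AUTH_LOG), TERMINATIONS):
        print(f"POST-TERMINATION ACTIVITY: {user} {event} on {host} at {ts}")
```

Note that the constructed data deliberately includes a user (asmith) whose directory record says disabled yet who appears in the log after termination; when the two sources disagree like this, the log should be trusted and the directory export investigated, because it is exactly the gap the New Haven case describes.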
The conclusion of this HIPAA and Cybersecurity Round-Up is that HIPAA and cybersecurity compliance are not going away.
About Medical Billers and Coders
Serving more than 40 specialties, Medical Billers and Coders (MBC) handles services ranging from revenue cycle management to ICD-10 testing solutions. Our main goal is to assist physicians looking for billers and coders.