August 21, 2017

SUMMARY
The Department of Health and Human Services’ data breach portal no longer lists data breaches indefinitely, but rather, archives incidents once they have been resolved.  The agency also has introduced a revised Health Breach Reporting Tool that connects providers and patients with extensive resources and assistance with reporting and prevention.  The growing incidence of ransomware attacks and other forms of cybercrime makes it imperative for anesthesia practices to take the appropriate steps to protect their information systems from criminal intrusion.


It’s every anesthesia practice’s nightmare, but it happened last year to a large anesthesiology and pain management group in Arizona.  A health data breach from unauthorized access by a third party affected nearly 883,000 patients.  The information included patient names, providers’ names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes, and, in some cases, Social Security numbers, bank account information, tax information, and more.

The incident ranked as one of the largest healthcare data breaches of 2016.  Though there was no evidence that any patient information had been accessed or used inappropriately, the group took several steps to resolve the problem, including reviewing security processes and strengthening network firewalls, providing free credit monitoring and identity protection services to patients whose Social Security or Medicare numbers were affected, and setting up a dedicated call center to respond to queries.

In keeping with the HITECH Act of 2009, the data breach also appeared on the Department of Health and Human Services’ (HHS’s) website.  Among other things, the HITECH Act requires HHS to publish information about breaches of protected health information (PHI) involving 500 or more patients. 

Following recent changes to the agency’s website, that information still appears, but now in an archive rather than on the main page.  The website’s front page now features a list of more recent incidents that are still under investigation by the Office for Civil Rights (OCR), with a separate archive listing older, resolved breaches.  Before the recent changes, the Arizona anesthesia group’s data breach would have remained indefinitely on what some have dubbed “the wall of shame,” even after OCR had finished its investigation.

The changes are bound to please many other healthcare organizations, as well as some members of Congress, who have complained that listing data breaches prominently on the front page for indefinite periods after the problems had been resolved unfairly and needlessly exposed affected organizations to potentially damaging public scrutiny.

“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” said HHS Secretary Tom Price, MD, in a statement.  “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”

As of August 17, 2017, OCR lists 351 major health data breaches reported within the past 24 months that are still under investigation.  The archive contains an additional 1,671 breaches for which investigations have been completed and/or for which reports were filed.  Approximately 175 million individuals have been affected by data breaches since 2009, according to an August 9 article in Data Breach Today.

HHS OCR has also launched a revised Health Breach Reporting Tool (HBRT) to help individuals searching for information and healthcare organizations reporting an incident.  The HBRT provides ready public access to the information reported by HIPAA-covered entities, including the name and state of the entity; the date of the breach and the number of individuals affected; the type of breach (such as hacking, theft, loss or unauthorized access); and the source of the breached information (such as a laptop, paper records or a desktop computer).  According to OCR Director Roger Severino, the revised HBRT enhances navigability and transparency for organizations and consumers.

In addition to highlighting breaches reported within the past 24 months that are currently under investigation, while archiving older breaches, the HBRT allows individuals to search cases under investigation by date of breach, type of breach and type of covered entity (e.g., healthcare provider, healthcare clearinghouse, health plan).

The tool links to a Health Information Privacy site with information for individuals, including a portal that assists patients in filing a complaint if they believe a HIPAA-covered entity or one of its business associates has violated their health information privacy rights (or someone else’s) or committed some other type of violation of HIPAA Privacy, Security or Breach Notification Rules.  The site also includes extensive information for healthcare professionals on breach notification processes, the OCR enforcement process, requirements for business associates of covered entities, training and resources, and frequently asked questions.

A search of the 351 cases currently under investigation on the OCR breach portal reveals hacking/IT incidents (147 cases) to be the most frequent source of a PHI breach.

One of the fastest growing and most pernicious forms of hacking involves the use of ransomware, malicious software that encrypts the user’s data and denies access to it until the user pays a ransom, usually in the form of a cryptocurrency such as bitcoin.  Unfortunately, ransomware attacks are mushrooming in all industries, and healthcare is particularly vulnerable.  An average of 4,000 ransomware attacks have been reported daily in the United States since early 2016, marking a 300 percent increase from the 1,000 daily attacks reported in 2015, according to a U.S. government interagency document, How to Protect Your Networks from Ransomware.

Responding to a Cyberattack

HIPAA requires covered entities to develop detailed procedures for responding to a cyberattack that must include ways to detect ransomware, conduct a risk analysis and stop malware from spreading. If an attack occurs, activities should include determining what, if any, notification is required by law, how the attack happened and whether improvements are needed to prevent future attacks.  Entities should also review and consider their own state-specific data-security laws, which may be more stringent than HIPAA or may have different requirements.

Employees should be educated on prudent computer and internet use.  This should include training in ways to detect and respond to ransomware, including knowing how to tell if an attack is occurring and what to do after clicking on something later deemed suspicious.

HHS recommends the following steps if an organization is the victim of a ransomware attack:

OCR has recently released a useful “quick-response checklist” for covered entities that have experienced a cyberattack.

Anesthesia practices should also immediately contact their attorneys.  Under HIPAA, and in certain circumstances in some states, notifications to individuals and/or HHS or OCR may be required.  Anesthesia groups that have experienced a cyberattack that results in access to PHI should immediately seek the assistance of counsel in order to resolve the access issues (and others) consistent with applicable laws and regulations.

Whether a ransomware attack that does not result in actual access to PHI amounts to a HIPAA breach remains a matter of industry debate. Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when a HIPAA-covered entity or business associate is the victim of a ransomware attack.  Industry experts argue that this position does not reflect how a ransomware attack actually works: the malware encrypts data and denies access to it, which is not the same as someone viewing or copying it.  No overarching conclusion can be drawn without considering the facts and circumstances of a particular attack or event, but victims of ransomware attacks must be aware of this possibility and should consider it with their attorneys.

For more information, see the ABC eAlert, “Cybersecurity News and Best Practices for Healthcare Providers.”  Also see the Health IT Security article “HIPAA Data Breaches:  What Covered Entities Must Know.”

The volume of PHI that leaks due to hacking, notably during some ransomware attacks, is great and growing, as is the risk that a healthcare organization will be targeted.  A recent KPMG survey covered in Healthcare IT News reveals a disturbing trend.  Despite rising threats, cybersecurity as a board agenda item has declined in the past two years (79 percent in 2017 versus 87 percent in 2015).  The survey also found that a smaller majority of healthcare companies had invested in information protection in the prior 12 months (66 percent versus 88 percent in the 2015 survey).

These findings point to the need for anesthesia practices to closely examine their priorities in the interests of protecting their data and the safety of the patients they serve.  Clearly, cybersecurity is an issue that must remain front and center for every anesthesia group, including clinicians, practice managers and all staff.

With best wishes,

Tony Mira
President and CEO