In May, an organization with 45 offices, the Women’s Health Care Group of Pennsylvania, informed 300,000 patients who had been treated in its facilities that a ransomware attack had compromised their healthcare data. The healthcare firm found the intrusive software both on a workstation and a server on May 16. Both of the machines were taken off the network, and the forensics team started rooting out the issue. Like many of these incidents, the attackers had remained undetected for months. They had been in the system since as far back as January, making their way into the system via a security loophole. The security issue gave the hackers the ability to access patient files prior to the encryption of the data. The information that was taken included details such as names, dates of birth, Social Security numbers, medical record numbers, diagnoses, lab test results, blood type data, pregnancy records, and insurance information. The above story is, unfortunately, very common. The true cost of non-compliance is complex, including the fine and many other possible expenses. Let’s look at the average real total cost of a breach; the ways in which the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) changed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules; the range of possible HIPAA fines; additional non-compliance costs; and how to take action so that you can consistently stay within the confines of the regulations.
How much do healthcare data breaches cost?
A study from patient privacy monitoring firm Protenus, released in early 2017, found that 200 exploits of patient data had been revealed so far this year through the Office for Civil Rights (the subagency of the Department of Health and Human Services that is responsible for the enforcement of HIPAA). This list, often referred to as the HIPAA Hall of Shame, notifies the public of any exposures of protected health information that extended to a population of at least 500 patients. The company noted that 450 breach incidents occurred throughout 2016. By the date of publication of the Protenus analysis, 233 had taken place so far this year. Of course, every incident is different, partially because a greater amount of compromised data will mean a higher extent of expenses. The Ponemon Institute’s research on this topic, as seen in the 2016 “Benchmark Study on Privacy & Security of Healthcare Data,” has found that most healthcare companies are impacted by numerous hacking efforts. What’s more disconcerting, the analyst organization has determined that many healthcare companies lack the funds and resources to properly manage these events. The 2016 study looked at 91 covered entities (healthcare providers, plans, and data clearinghouses) and 84 business associates (contracted partners that handle health data for covered entities). The total impact of healthcare data breaches is astounding. According to Ponemon, it is $6.2 billion annually. In the analysis, about 9 out of every 10 covered entities had experienced a data breach within the last two years. Almost half of them had suffered greater than five of them within that windows. What is the cost to you, though, if you get hit by an attack? The average total expenses related to a single breach event are over $2.2 million, Ponemon noted (although that could be an underestimate, as revealed by the below data). The average expense incurred by business associates was not quite as high but was also substantial at over $1 million per incident. In 2016 as in 2015, cybercrime was the top reason that breaches occurred within healthcare, according to Ponemon. “In fact,” noted the research team, “50 percent of healthcare organizations say the nature of the breach was a criminal attack and 13 percent say it was due to a malicious insider.” With business associates, the number is a bit lower: respondents said that it was a criminal event in 41% of cases, whereas a malicious insider was responsible 9% of the time.
How HITECH changed HIPAA
Our primary focus will be HIPAA since the security and privacy concerns of that law are the primary need of compliance in healthcare settings. However, HITECH also must be addressed. HITECH was a part of the American Recovery and Reinvestment Act of 2009. It was a bill with the principle intent of increasing the adoption of health information technology (expediting the transition to digitization of records). When people talk about compliance with HITECH, they are primarily pointing to the ways in which it changed the requirements of HIPAA. The most significant example of this is the stronger rules related to breach notification. Today, when a breach occurs, the fine is larger and there need to be more notifications if data is lost or stolen. Plus, the security and privacy needs of HIPAA also must be met directly by business associates – as opposed to the covered entity bearing the only responsibility for protection. Other updates to HIPAA compliance that were effectuated by HITECH include authorization parameters for communications and marketing.
Minimum and maximum levels for HIPAA fines
The HHS’s Office for Civil Rights goes about enforcement of the HIPAA Security and Privacy Rules through investigations of complaints, random compliance audits, and outreach to increase the industry’s understanding of the law. When the OCR investigates a particular company for compliance, they check the information they are able to collect and may decide that no violation occurred. If a violation did occur by the agency’s assessment, the OCR will seek voluntary compliance, corrective action, and/or a resolution agreement. Civil penalties can result. Actually, if the criminal portions of the healthcare law are violated, the case may be referred to the Department of Justice for further investigation. In terms of the most common issue of civil fines, those occur through a tier of possible amounts. The HHS Secretary can decide what is appropriate within the range described by that tiered system. Also note that the secretary cannot impose a civil fine if corrections are made within 30 days, except in the case of willful neglect. Let’s look at the minimum and maximum dollar amounts for HIPAA infractions. In the event of an unknowing violation, the minimum fine for one of these instances is $100 for each violation, up to a limit of $25,000 if there are numerous violations. The most that someone can be fined for this situation is $50,000 for each violation, up to a limit of $1.5 million. If it is a reasonable cause incident, the lowest that you can be penalized is $1000 for each violation, up to a total yearly fine of $100,000. The most you can be fined is $50,000 for a single violation, also up to a limit of $1.5 million. If it is a corrected incident of willful neglect, the least that a fine can be in this case is $10,000 each, up to a yearly limit of $250,000. If it is an uncorrected event of willful neglect, the lowest that a penalty can be in this category is $50,000 each, up to $1.5 million per year. The most it can be is $50,000 for one violation, again up to a yearly total of $1.5 million. Criminal investigations are managed by the Department of Justice. Someone who knowingly disregards the Administrative Simplification Rule can personally be fined as much as $50,000 and be sentenced to up to a year in prison. If the violation involves false pretenses, the person may have to pay as much as $100,000 and be sentenced to up to 5 years in prison. If there is established intent to use electronic protected health information (ePHI) for commercial or personal gain, the fine can be as high as $250,000, with jail time of up to 10 years.
Additional costs of HIPAA non-compliance
To be clear, the reason that healthcare data breaches are so expensive goes far beyond the fines. The reason for their high costs is because of other expenses. A study by TransUnion found that patient and health plan clients may switch to a difference provider following a hack. 65% of people who took part in their poll said that they would “consider making the change after a data breach exposed their confidential records,” noted HIPAA Journal. The total cost of an event, on average, is $5.9 million, according to this analysis (a higher total than that indicated in the Ponemon research above). Incidentally, the average number of records exposed within this same data is 29,087. The elements of that $5.8 million total include breach notifications ($1.6 million); detection and escalation ($417,000); lost business ($3.2 million); and additional costs and losses ($415,000). Note that those above figures do not reflect the additional 15% customer turnover that will typically occur as a result of these events.
Taking action to avoid HIPAA non-compliance
Whether the Ponemon analysis or the one by TransUnion is closer to the correct total average, the average cost of a healthcare violation is certainly in the millions. To accomplish consistent compliance, you need a provider that understands and implements the proper safeguards – as seen through the experience of individual clients.