Tips from this month’s issue
Small breaches could become a big problem (p. 1)
1. Regional offices were advised to increase investigations of breaches affecting fewer than 500 individuals. Investigators will look for evidence of systemic noncompliance, such as multiple small breaches and common root causes.
2. Implementing OCR’s directive may be a tall order for resource-strapped regional offices, and it’s difficult to predict what the outcome will be.
3. Because small breaches weren’t investigated on the same scale as large breaches, OCR has much less data on them. Stepping up small breach investigations will mitigate that and may lead to improved guidance on key HIPAA pain points.
4. Although large breaches grab attention, they’re statistically less likely than small breaches.
5. But even a breach involving a single patient’s records can have serious consequences for the individual and even impact his or her safety if the medical record becomes compromised as a result.
6. Large health systems may lose sight of the details and brush off small breaches, but it’s the duty of privacy and security officers to take every breach, no matter how large or small, seriously and ensure the organization does so as well.
The cost of a data breach (p. 4)
7. Data breach costs vary between industries, but healthcare, a highly regulated industry, sees especially high data breach costs.
8. Direct costs include remediation efforts and possible fines, but indirect costs are sometimes more difficult to identify and quantify.
9. Breach notification costs are the highest in the U.S.: first-class postage adds up fast.
10. The more quickly a breach is identified and contained, the lower the cost. A well-prepared security incident response team is a smart investment that will pay off.
11. Participating in threat sharing may also be linked to lower data breach costs, but executive leaders may be concerned that sharing information on cybersecurity threats will put confidential information at risk. However, no sensitive business information needs to be disclosed to participate.
12. Direct breach costs may be significant on their own but may not stack up against other risks an organization faces. Remember that one of the indirect costs of a data breach can be bad debt via medical identity theft. Bad debt is a top financial risk, and any measures that can bring that risk down are worth investing in.
Is HIPAA enough? (p. 8)
13. The rise of ransomware and other threats has led some stakeholders and lawmakers to question whether HIPAA is robust enough to provide even a reasonable bare minimum of security.
14. OCR has pointed fingers at executives for failing to support strong security programs, but the agency has no power to hold those executives accountable.
15. OCR recommends that CEs and BAs follow NIST’s cybersecurity framework, but that standard is only optional, not required, and many organizations may choose not to spend more resources on security than required.
16. Failure to complete an organizationwide risk analysis will land a CE or BA in hot water if a breach happens, but other federal agencies are critical of OCR’s risk analysis guidance, calling it inadequate.
17. HIPAA is designed to work with state laws. CEs and BAs must follow all applicable state privacy and security laws. In some cases, state laws may be stricter than HIPAA and provide stronger security requirements or clearer guidance.