Underscore Need to Mitigate Internal Cyber Exposures in Home Health Care

August 7, 2018

Unintended disclosures were the biggest cause of healthcare data breaches during the first nine months of 2017, according to a special report released by global cyber specialists Beazley. While hacking and malware are common causes of breaches, accounting for 19% of incidents, 41% of incidents were the result of unintended disclosures.

These figures indicate the continued struggle health care organizations, including home health care providers, face in preventing human error from exposing health data. Health data includes Medicare and Medicaid ID numbers, health insurance information, and patients’ medical histories, as well as personally identifiable information such as names, addresses, dates of birth, Social Security numbers and financial information.

The report emphasizes that while breaches come from numerous sources, it is easier for organizations to control and mitigate internal breaches than those from cyber criminals. The key is recognizing the risk and investing the time and resources in employee training.

One trend on the rise, as highlighted in the report, involves employees improperly accessing patient records. Failure to detect such incidents and take immediate action increases the risk of regulatory action for health care organizations. In fact, HIPAA requires covered providers and their business associates to regularly monitor PHI (Personal Healthcare Information) access logs for unauthorized access. While “regularly” may be open to interpretation, it’s a best practice for providers to conduct ongoing audits of access logs to help identify unauthorized activity. All staff should be instructed that accessing medical records without a legitimate reason is strictly prohibited.

The report also indicates that phishing and social engineering attacks rose significantly in 2017. There was a nine-fold increase in social engineering scams in 2017, with two types of social engineering attacks in particular on the rise: fraudulent instruction incidents and W-2 Form phishing scams. These types of scams continue to plague the health care industry as well as other sectors in 2018.

Fraudulent instruction involves a scam in which a cyber criminal pretends to be a company executive and sends a request for a bank transfer. W-2 Form phishing scams similarly involve the spoofing of a company email address. In this case, a request is made to send the W-2 forms of all employees who worked in the previous fiscal year. The information is then used to submit fraudulent tax returns. Because these attacks focus on tax information, they occur primarily between January, when W-2s are created, and April 15th. Employees of health care providers should be trained on how to recognize these types of email scams.

In addition to an increase in data breaches, 2017 saw the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general continue their aggressive pursuit of financial settlements for serious violations of HIPAA rules. There were nine HIPAA settlements and one civil monetary penalty in 2017. In total, according to the HIPAA Journal, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

It’s critical that insurance brokers underscore the need for health care providers to button up privacy practices and processes in order to mitigate the burden associated with the continued anticipated increase in data breaches, including the monetary, regulatory, and reputational risks to the organization. Also important is stressing the availability of Cyber liability insurance to help address the risks and respond in the event of a data breach.

Manchester Specialty Programs offers a Cyber liability insurance solution designed for home health care providers. Our solution includes comprehensive coverage as well as valuable proactive cyber management and loss prevention assistance through our carriers and third-party consultants. For more information about our Cyber liability insurance solutions and how you can assist your clients, please contact us at 855.972.9399.