HIPAA Incident Response Services
In a world where cyber criminals seem to have the upper hand, vigilance pays off. However, even organizations with robust cybersecurity controls in place can still find themselves the victim of a data breach.
A data breach for any company is a disruptive and potentially crippling event, but for businesses in highly regulated industries like healthcare, the ramifications can be devastating. The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, set forth a set of guidelines that healthcare providers and their business associates must follow to protect sensitive client information. Failure to do so, as is often the case when cybercriminals gain access to critical IT infrastructure, can result in hefty financial penalties and potentially damaging public disclosures if the incident is not responded to properly.
A HIPAA security incident is any situation in which unauthorized access to protected health information (PHI), including electronic PHI (ePHI), is attempted, whether intentionally or unintentionally, whether internally or externally. If the attempt is successful, it is elevated into a HIPAA data breach with potentially severe consequences.
Talk to a Gillware HIPAA Security Incident Investigator
Don't delay. If you believe that a HIPAA security incident or even a data breach has occurred, contact one of our experts today for a consultation.
If you’re a HIPAA-covered entity or business associate and you suspect that your organization is the victim of a HIPAA security incident or HIPAA data breach, you can turn to Gillware Digital Forensics to investigate the incident. A swift response to a suspected breach is the only prudent course of action to take, and that’s where we excel. Our digital forensics investigators determine the sequence of events that led to the incident or breach and the PHI that was or was not exposed or acquired. We then present our findings and work with legal counsel to satisfy legal and regulatory obligations under HIPAA.
HIPAA Security Incident vs. Breach
While the terms might sound interchangeable, the difference between a “HIPAA Security Incident” and a “HIPAA Breach” has massive implications as to what the necessary response to the incident looks like.
What Constitutes a HIPAA Security Incident?
A HIPAA security incident is any situation in which unauthorized access to PHI is attempted, whether or not the attempt is successful. For example, a hacker remotely accessing your network using credentials gleaned from a phishing email sent to one of your employees is a HIPAA security incident; even if the hacker fails to pull off their intrusion and doesn’t access any ePHI (say, for example, because the affected employee realized what had happened right away and changed their access credentials before the hacker could make use of them), the unsuccessful attempt still counts as a HIPAA security incident.
What Constitutes a HIPAA Data Breach?
A HIPAA data breach is the actual successful unauthorized access, use, modification, or disclosure of PHI. This is far more severe than a mere security incident, and all HIPAA-covered entities and business associates must provide notification to affected parties unless it can be proven that a breach did not occur. There are fines associated with HIPAA data breaches, which vary depending on the severity of the breach. In addition, depending on the size of the breach, it may be necessary to notify media outlets so that they may inform the general public.
A HIPAA security incident is a wake-up call. Any HIPAA security incident might be a HIPAA breach, so in the interest of safety, every security incident should be presumed to be a breach until proven otherwise. Your most pressing concern as soon as you become aware of the incident is to fully confirm that the event is no longer ongoing, then investigate to confirm that no PHI has been accessed. If you find that a security incident has occurred, but no PHI has been disclosed to unauthorized parties, your response is to take measures that will prevent or lessen the probability of such events occurring in the future.
Healthcare Breach Statistics – HIPAA Breaches by the Numbers
A majority of HIPAA security incidents and HIPAA data breaches are caused by insiders, and usually not on purpose. However, malicious network hacking and IT incidents which expose ePHI to cybercriminals make up a sizable number of HIPAA breaches and incidents. While more insider incidents are reported, the total number of healthcare records stolen in hacking incidents dwarfs the number of records exposed by all other causes of healthcare data breaches combined. In other words, as healthcare breach statistics show, hacking-related HIPAA breaches can be particularly devastating from the perspective of the total number of records exposed, which in the end is what HIPAA-related financial penalties are based on.
Healthcare Breach Statistics 2018
Breach Incidents by the Numbers
- 4 HIPAA data breaches were caused by improper disposal
- 7 HIPAA data breaches were caused by loss of storage device
- 10 HIPAA data breaches were caused by theft of storage device
- 21 HIPAA data breaches were caused by hacking/IT incidents
- 35 HIPAA data breaches were caused by unauthorized access/exposure
Record Exposure by the Numbers
- 13,333 healthcare records were exposed by improper disposal
- 65,471 healthcare records were exposed by loss/theft of a storage device
- 384,123 healthcare records were exposed by unauthorized access/disclosure
- 610,839 healthcare records were exposed by hacking/IT incidents
HIPAA Data Breach Notification
No organization wants the negative PR associated with being the victim of a cyber-attack that results in the exposure of PHI. However, regulations regarding data breaches make it a necessity to notify the affected individuals, the authorities (occasionally on both the state and federal level), and in some cases the media when PHI has been accessed by or disclosed to unauthorized entities.
The US Department of Health and Human Services has strict and well-defined rules regarding HIPAA breach notifications. Notices to individuals whose PHI has been compromised by the breach must be sent “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” If the breach affects more than 500 residents of a State or jurisdiction, notice must also be provided to “prominent media outlets serving the State or jurisdiction,” as well as to the HHS Secretary, within the same 60-day window. Due to the complexity of the HIPAA guidelines, it is important to engage legal counsel immediately upon learning of a HIPAA security incident. Your legal team will help guide you through the process and ensure that you respond properly and in accordance with the guidelines dictated by HIPAA.
Is Ransomware a HIPAA Breach?
The relationship between HIPAA and ransomware is a complex one, and there isn’t an easy, black-and-white answer to the question of whether or not ransomware attacks always qualify as HIPAA breaches. The confusion stems from the fact that ransomware attacks aren’t always like normal intrusions by cybercriminals. There can be much more than meets the eye in a HIPAA ransomware incident, which makes a speedy response to the incident even more critical. Sometimes the actual ransomware virus itself, like other forms of malware such as spyware and cryptojacking software, is only the tip of the iceberg.
HIPAA Data Breach Checklist
The importance of having an incident response (IR) plan ready to go at a moment’s notice when a HIPAA security incident comes to your attention cannot be overstated. Incident response plans come in many different shapes and sizes. Some organizations choose to build out an extremely robust plan comprising hundreds of pages of detailed policies and procedures, while others choose a very simple 1-2 page document that is easily understood by every member of the team or organization. Regardless of the form, every organization should have an incident response plan that clearly spells out the steps to be taken, and the key stakeholders inside and outside your organization that should be contacted, in the immediate aftermath of a cybersecurity incident.
HIPAA Data Breach Fines
HIPAA privacy and security rules are enforced by the US Department of Health and Human Services Office for Civil Rights (OCR). It is their job to levy penalties for HIPAA violations depending on the scope of the incident and the circumstances of the breach itself. In other words, the government assesses the situation and asks, “Was the affected entity doing everything it could to protect and secure PHI when the breach occurred, or was it negligent from a cybersecurity defense perspective?” and “Did the affected entity respond correctly after becoming aware of the incident?” When violations have been allowed to persist for several years or when multiple violations have been allowed to occur, the penalties can climb to millions of dollars in fines.
In cases of HIPAA noncompliance where OCR cannot obtain voluntary compliance and corrective action from you, they will impose civil money penalties. Generally speaking, you can divide civil HIPAA breach penalties into four major categories by severity, depending on the nature of the incident:
Category 1: You were unaware of the HIPAA violation and could not have realistically avoided or prevented it. The minimum penalty for this category is $100 per violation.
Category 2: You should have been aware of the violation, but still could not have reasonably prevented or avoided the incident. The minimum penalty for this category is $1,000 per violation.
Category 3: There was willful neglect of HIPAA rules within your organization, but you attempted to rectify the violation.
Category 4: There was willful neglect of HIPAA rules, and you did not make an attempt to respond properly to the violation.
HIPAA Data Breach Response Services
Gillware Digital Forensics offers HIPAA data breach and cyber incident response services for HIPAA-covered entities and business associates of all shapes and sizes, including:
- Free phone consultation with Gillware forensics experts to discuss your situation
- Remote response capabilities to assist nationwide from our headquarters in Madison, WI
- Certified forensics examiners with decades of experience in the fields of digital forensics and incident response
- Mitigation of the breach/incident
- Collection and preservation of electronic evidence related to the breach
- Identification of systems and applications impacted and the data that was accessed or exposed
- Evaluation of how the security incident or HIPAA breach occurred
- Thorough reporting on findings to assist in satisfying HIPAA cyber incident response requirements
- Future security recommendations and audits to avoid later incidents