Healthcare Roundup: The First Cyberattack Death, The Future of Health Data Privacy, and More
Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the world’s first cyberattack fatality, the top causes of data breaches in 2020, the future of health data privacy, relationships with cyber resilient vendors, and more.
So far this year, 171 major health data breaches affecting a combined total of nearly 3.6 million individuals have been added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website. Phishing remains a major culprit, but other security challenges like insider incidents and departing staff have become more prevalent.
The theft of unencrypted laptops led to the biggest breach reported in 2020, affecting more than 654,000 individuals. Additionally, an insider breach involving a physician exposed data on thousands of patients and affected more than 74,000 individuals. Looking ahead, even as the COVID-19 crisis continues, new circumstances for breaches could emerge, making it more important than ever to protect patient data.
“It is possible that the COVID-19 situation could create new vulnerabilities as a result of accommodations and [HIPAA] waivers that have been granted by HHS,” predicts privacy and security attorney Helen Oscislawski, principal and managing director of law firm Attorneys at Oscislawski LLC.
A woman in Germany recently became the first fatality directly attributed to a cyberattack. The patient died on her way to a second hospital after being turned away from Dusseldorf’s University Clinic because its systems were down. Hackers had deactivated the hospital’s IT network, including computer and phone systems, as part of a ransomware attack. If the investigation leads to prosecution, this would be the first confirmed case of someone dying as a result of a cyberattack.
On top of the tragic loss, the perpetrators also claimed to have stolen patient data during the attack, compromising patient privacy.
According to the August 2020 Healthcare Data Breach Report posted by the HIPAA Journal in September, U.S. healthcare facilities suffered 37 healthcare data breaches of 500 or more records in August 2020. The month’s breaches, reported to the HHS’ Office for Civil Rights, were dominated by hacking/IT incidents – ransomware, phishing, and more. Healthcare providers were the worst affected type of covered entity, and Pennsylvania saw the most breaches of any state, with six breaches of 500 or more records.
According to a report published in The Wall Street Journal, a shift in healthcare data privacy is expected as a result of the COVID-19 pandemic, which has led to new digital health technologies and increased awareness about public health. Uncertainty around how HIPAA applies to companies that offer health-related services via apps and sensors could change the way data is used.
The report offers six key takeaways:
- Synthetic medical data may be used more for research
- Health researchers predict a future with smart homes, which feature bodily monitoring technologies
- Big data mining by tech giants including Google, Microsoft, and Amazon will continue
- “Emergent medical data” to predict health outcomes may also expand from data mining
- The COVID-19 pandemic may spur an increase in “solidarity-based healthcare”
- Consumers may also gain more control over how their data is used
As the 2020 Blackbaud incident proved, threats targeting healthcare continue to increase, and a third-party vendor breach can be devastating. Having a relationship with a cyber resilient vendor who has done their due diligence when it comes to security is crucial for reducing risk and minimizing the far-reaching impacts of a potential attack.
A vendor should be able to prepare for, respond to, and recover from cyberattacks when they happen. It should have the ability to defend against attacks, limit the effects of a security incident, and guarantee the continuity of its operations during and after an attack. To ensure a vendor is cyber resilient, experts recommend fully outlining requirements such as SLA metrics and data privacy considerations during the contracting process.
“Organizations cannot afford to take their eye off the ball when it comes to maintenance and assurance of their cyber environment, as well as third-party assurance with vendors and services to keep the infrastructure secure.”
– Lee Barrett, Executive Director, Electronic Healthcare Network Accreditation Commission