By Christine Kern, contributing writer
Healthcare needs to respond to growing cybersecurity threats or suffer the consequences.
Security continues to dominate the healthcare landscape with the continued increase in incidents. According to the Department of Health and Human Services’ Office for Civil Rights (OCR), “The healthcare industry has accounted for over 40 percent of data breaches over the last three years, and 91 percent of healthcare organizations [including both covered entities and business associates] have reported a breach over the last two years.”
While 2015 was the year of the healthcare breach and 2016 saw the rise of ransomware, 2017 is poised to be the year of the healthcare audit, driven by cybersecurity incidents combined with the fact that many organizations are not in compliance (and could face penalties as a result). These audits could significantly impact healthcare providers, who now face increased compliance scrutiny at a time when attackers are specifically targeting them.
Currently, the Office for Civil Rights (OCR) is in Phase II of its HIPAA audit program, in which OCR has identified covered entities and business associates for audit. In 2017, the audits will be stepped up. While OCR says the audits are “primarily a compliance improvement activity,” it also noted that serious issues identified during the audit process could lead to further compliance reviews.
According to a post on Security, Privacy, and the Law, “OCR particularly intends to implement the Cybersecurity Information Sharing Act (CISA) of 2016 by issuing guidance for cybersecurity management by covered entities and business associates. This guidance will incorporate the National Institute of Standards and Technology (NIST) Framework. OCR will also expand its investigation of cyber-attacks and breaches.”
Former President Barack Obama’s proposed budget for fiscal year 2017 included $1.15 trillion for HHS, a 3 percent increase over the budget authorized for fiscal year 2016. It also included a 10 percent increase for the OCR, to $43 million, up from the $39 million that was approved for the office in both fiscal year 2016 and fiscal year 2015.
In April of 2016, the OCR published an audit protocol to help organizations prepare for audits, regardless of whether the audits had been triggered by Phase II of the HIPAA Audit Program or by other factors such as a consumer complaint or a breach report. The audits cover approximately 180 areas of scrutiny and allow only a limited response time of ten days after notification.
A failed audit can result in fines, required remediation, high costs, loss of reputation, and loss of business revenue.