Change Healthcare, owned by UnitedHealth Group has a Massive Security Breach
HIPAA (the Health Information Protection and Privacy Act) a federal mandate is an overriding regulation protecting patient personal information for all health care transactions. It provides penalties to organizations or persons who expose patient information. Its jurisdiction is over hospitals, clinics, insurance companies or whoever has access to patient data.
It amounts to a classified system, not unlike that of the U.S. government, and the Department of Defense.
When a breach occurs the entity whose data was breached must notify patients and/or hospitals about the breach and when it occurred. Steep penalties and fines can be assessed.
Matthew Phelan Senior Science Reporter For Dailymail.Com elaborates:
It's being called the largest-ever breach of protected patient health information by a government-regulated medical company in America's history.
Change Healthcare, owned by UnitedHealth Group, fell victim to a cyberattack eight months ago, but revealed on Thursday that 100 million people had been impacted.
That surpassed the previous record-holder for the worst breach of US patient data: a 2015 episode at Anthem Inc. that compromised 78.8 million individuals.
The first official report by Change Healthcare, which manages revenue and payments for medical providers, estimated in July that only 500 people had been compromised. Now, the scope of the February 21 ransomware attack has spurred Congress to call for lifting the cap on how much a negligent healthcare firm can be fined. Ransomware attacks create a very dangerous method for stealing patient data. It totally blocks users from accessing their own data, stopping all systems in the entity such as patient notes, pharmacy orders, scheduling, and more. The victim's systems are locked and cannot be used unless the entity p says a ransom to unlock the system.
'The healthcare industry has some of the worst cybersecurity practices in the nation,' Senator Mark Warner said, 'despite its critical importance to Americans' well-being and privacy.'
Today, existing legislation provides a ceiling of $2 million per violation for offenders of the Health Insurance Portability and Accountability Act (HIPPA). If passed, these 'commonsense reforms' would also include 'include jail time for CEOs that lie to the government about their cybersecurity,' Wyden added.
These leaders have not implemented strong cybersecurity systems despite the ongoing penalties. If the Department of Defense has such strong security it should also be available to ensure patient privacy
Change Healthcare's parent company attributed the hack to a 'foreign nation' this past winter.
Anthem was fined $16 million, the largest penalty imposed for a HIPAA violation, but experts worry such a fine would barely deter today's healthcare giants.
Change Healthcare alerted the Department of Health and Human Services' Office for Civil Rights (OCR) on July 19, noting their internal investigation was ongoing.
Industry observers at the HIPAA Journal noted that the big round number of 100 million, issued in Change's update this month, suggests that 'that figure may change.' 'Neither Change Healthcare nor its parent company, UnitedHealth Group (UHG), has confirmed that the file review has been completed,' the journal noted.
But these eye-popping numbers mask the myriad of intimate tragedies created by Change Healthcare's and UHG's allegedly lax cybersecurity, which led to millions of Americans losing their healthcare privacy. Linda Barbour, a career medical director for several large health insurance firms, told reporters that she had assumed the firm would have contacted her the moment it knew her data was exposed. Change did not get around to informing Barbour until this month.
HIPAA Compliance
HIPAA is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses. These are covered entities. It sets standards for protecting sensitive patient health information, also known as protected health information (PHI). It can also be identified as electronic PHI or ePHI. HIPAA compliance requires that covered entities implement administrative, physical, and technical safeguards to protect PHI. This includes measures like access controls, encryption, secure messaging, and training employees on proper data handling procedures.
HIPAA also requires covered entities to notify patients and regulatory authorities in case of a data breach involving PHI. Failure to comply with HIPAA regulations can result in significant fines and legal action.
Cybersecurity
Cybersecurity refers to the practices and measures organizations use to protect their networks, systems, and data from unauthorized access, theft, and damage. This involves a range of measures like access controls, firewalls, and encryption. It also requires ongoing monitoring and testing to identify and remediate vulnerabilities.
Cybersecurity standards are not limited to the healthcare industry. They are applicable to all industries that handle sensitive data. There are several cybersecurity standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, that organizations can adopt to secure their data.
Differences Between HIPAA Compliance and Cybersecurity
While HIPAA compliance and cybersecurity both address data security, they have significant differences. HIPAA compliance focuses specifically on the protection of PHI in the healthcare industry. In contrast, cybersecurity standards are broader and apply to all industries that handle sensitive data.
HIPAA requires that covered entities implement specific administrative, physical, and technical safeguards to protect PHI. Cybersecurity standards provide guidelines for protecting data but do not prescribe specific measures. Organizations are free to choose the measures that best suit their needs and comply with the standards.
Another significant difference between HIPAA compliance and cybersecurity is the consequences of non-compliance. HIPAA violations can result in significant fines and legal action. In contrast, the consequences of cybersecurity breaches can vary depending on the industry and the severity of the breach.
HIPAA compliance and cybersecurity are both critical components of data security, but they address different aspects of it. HIPAA compliance focuses on the protection of PHI in the healthcare industry, while cybersecurity standards provide guidelines for protecting sensitive data in all industries. Understanding the differences between HIPAA compliance and cybersecurity is crucial for organizations that handle sensitive data to ensure that they implement the appropriate security measures and comply with the relevant regulations. At HIPAA Secure Now, we can help you decipher the difference and ensure that your business is properly protected and compliant.
It becomes apparent that interoperability and electronic health record systems are porous to hackers, foreign or domestic.
No comments:
Post a Comment