Ransomware rising, but where are all the breach reports?
Presence Health set the bar high with its $475,000 settlement with the Department of Health and Human Services' Office of Civil Rights earlier this year. The settlement, announced January 9, 2017, is the first HIPAA monetary enforcement on a healthcare organization for untimely breach reporting, according to HHS.
The breach occurred on October 22, 2013, when paper operating room schedules – containing the protected health information of 836 individuals – went missing from a surgical facility at Joliet, Illinois-based Presence St. Joseph Medical Center.
Presence Health didn't report that fact to OCR until January 31, 2014, more than three months later. But OCR requires all organizations to report a breach within 60 days of the first person who discovers the breach.
It also mandates that HIPAA-covered entities notify affected individuals in written form. And, for breaches affecting 500 or more individuals, that organizations "provide notice to prominent media outlets" in state or jurisdiction where the breach occurred.
Given that Presence Health was only about 40 days late, and had fewer 1,000 patients affected, it would seem OCR is making an example of it, as a way to demonstrate the necessity of timely reporting.
But clearly the agency sees any data compromise as important enough to report – even those that fall well short of the mega breaches (Anthem, Premera, Advocate et al.) that have made such big headlines these past few years.
Ransomware on the rise
Hackers have clearly found their sweet spot in healthcare, with the industry now plagued by cyberattacks of a scope, severity and variety unimaginable even a few years ago. One of the most worrisome recent attack vectors, of course, is ransomware.
More than half of hospitals were hit with ransomware from April 2015 to April 2016, a Healthcare IT News and HIMSS Analytics Quick HIT Survey found - and a large portion of those might not even be aware.
Another 25 percent were either unsure or have no way of knowing whether ransomware attacks were perpetrated against them or not. Together, that translates to about 75 percent of responding healthcare entities potentially targeted a ransomware attack.
As ransomware attacks have increased, one would expect OCR breach reporting to have increased more or less concurrently. But despite more than 4,000 ransomware attacks occurring each day, across all industries, according to the U.S. Justice Department, ransomware breach reporting remains low.
In fact, only nine organizations reported malware or ransomware breaches to OCR in 2016.
More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. And 26.8 percent of these incidents were caused by ransomware, hacking or malware, according to the 2016 Protenus 2016 healthcare data report. Further, 2016 was the worst year for healthcare breaches since records first began to be kept. And more than one healthcare data breach was reported every day in 2016, on average.
"Because ransomware is so common, hospitals aren't reporting them all," said ICIT Senior Fellow James Scott. "And ransomware is just the start for more specific actors to send in another attack and start mapping the system."
While the breach at Presence Health didn't involve ransomware, HHS is clearly making a point about timely reporting, said Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney.
Ransomware is a major concern to organizations trying to determine the right way to report, Hepp said.
"There's truly been an influx of ransomware attacks in the healthcare space, we see it in the news and we've heard it from clients," she added. "Medical data is a financial boon on the black market. But that's not why it's happening: It's occurring because organizations rely upon their EHR and IT systems to be able to operate and function. With a ransomware attack it can cause the organization to come to a screeching halt if they're not prepared."
"We've see a spike in the number of attacks, but we haven't seen an increase in reporting. It's interesting," Hepp continued. "I wouldn't be shocked that the number of ransomware attacks are underreported, the analytics undertaken or wasn't sufficient to demonstrate there wasn't a breach."
There are four major reasons hospitals don't report breaches, said ICIT's Scott. To start, there's a fear of the economic impact and liability resulting from having to admit an organization has put thousands or millions of unsuspecting patients at risk for a lifetime of being exploited by criminals.
Further, many employees, from executives to entry-level personnel don't want to admit to administration or to the IT team they fell for a social engineering scam. As a result, these employees don't report their mistake.
Another major issue is that an investigation can disrupt business operations. Not only that, but investigators "poke holes in examined networks and publicize the vulnerable network that, in all likelihood, is already pulsating with scores of adversaries, who have been exfiltrating data all along," Scott said.
"Negative publicity harms reputation and diminishes deniability, thereby making the victim organization more liable in future cyber-incidents," Scott explained. "Nowadays, if a health sector organization is only hit with ransomware, they can consider themselves lucky and perhaps those are the breaches that we hear about."
"The reality is often after a ransomware incident, executives find out that criminals have been exploiting their network for years and going public with the information would force their board, executives and staff to answer some serious questions that they are not willing or prepared to answer," he continued.
In recent months, there have been several breaches reported that showed clear issues with timeliness.
• On February 7, it was reported that Singh and Arora Oncology Hematology, a cancer center in Flint, Michigan, waited seven months after an initial breach discovery in August 2016 to notify its 22,000 patients. While the provider did inform OCR of the breach within the 60-day timeframe, it failed to relay this information to patients and the media.
• New York-based CoPilot Provider Support Services discovered a breach on Dec. 23, 2015, but failed to report it until more than a year later, on Jan. 20, 2017.
• One initial breach, at the New Hampshire Department of Health and Human Services, occurred in October 2015. While a staff noticed a patient looking at unauthorized files and reported it to management, DHHS officials weren't notified until Nov. 4, 2016, after the data ended up on a social media site in Aug. 2016. OCR was notified on Dec. 30, 2016, more than a year after the patient accessed the files.
When asked what enforcement fate these and other similarly tardy organizations faced, OCR Public Affair Specialist Lou Burton said that, as a matter of practice, "OCR does not discuss potential or pending cases." He added that, the specifics of each case "help shape what those required corrections are," and differ depending on the circumstances.
"The first HIPAA enforcement action for lack of timely breach notification was with Presence," said Burton. "To date, we're not aware that there is a trend toward organizations not reporting breaches. OCR takes the responsibility of enforcement seriously and will continue to hold entities accountable for failing to report a breach in the proper timeframe."
OCR will be looking at breach reporting as part of Phase 2 of the audit program, Burton explained. A summary report of audit findings can be expected later this year.
And at the end of the stage two process, where the audited organizations will need to show breach reporting methods, Hepp said she believes OCR will determine breaches that haven't been timely reported, or reported at all.
"It's a 60-day timeline, and that's a pretty brief timeframe to complete an analysis. That 60-day timeframe runs whether you've exhausted the analysis or not," Hepp said.
"There will be others fined or with a corrective action plan," she continued. "There have to be situations where they haven't gone through the right processes. Just given the spike in those attacks, there must be underreporting."
Another issue, according to Scott, is the FBI didn't begin to encourage victims to report incidents until October 2016. Additionally, the healthcare industry bases much of the operations on HIPAA compliances. But HIPAA didn't address ransomware until 2016's third quarter.
"As with most regulation, adapting to reach compliance has taken time, and there are always non-compliant organizations who 'risk it until they get caught,' Scott said. "Prior to guidance released by HHS, if a healthcare organization determined that no ePHI or systems was compromised (i.e. there was an incident but not a breach) then no reporting or actions was needed."
"However, many healthcare organizations remain non-compliant out of calculated non-compliance (the fine is cheaper than the reporting costs and impact) or out of lack of resources (they cannot afford the technical controls, contractors and other needs to investigate incidents to HHS satisfaction," he added. "Considering that some hospitals are seeing 20 or more ransomware attacks per day, hesitance to report out of fear or reputation loss or lack of resources, is not surprising."
When to report?
The 60-day timer starts the moment a breach is discovered, which is the first day the covered entity knew about the breach. And it applies to all staff within the organization. For example, when someone at the help desk learns about a breach, the timer starts then – even if it takes a week for the incident to be reported to higher staff, according to Erin Whaley, a partner at Troutman Sanders in Richmond, Virginia.
"The Presence Health settlement is the first case where OCR levied a fine for failing to timely report," Whaley said. "OCR came down on them very hard for not notifying anyone. It looks like the organization had some other breaches and didn't notify. But this is our first signal that OCR is serious about timeframe."
With ransomware, breach reporting can become more complicated. Initially, before the major surge in ransomware, the burden of proof when determining whether a breach had occurred fell on OCR. But in August 2016, OCR released guidance stating that all ransomware should be considered a breach. Thus, the burden of proof shifted to the organization, according to Matt Fisher, associate attorney with Mirick O'Connell in Worcester, Massachusetts.
A HIPAA security risk assessment is required by OCR to remain compliant. It provides an overview on how organizations can assess potential risks and vulnerabilities of the way all ePHI is handled, stored, transmitted and maintained. It can also help to determine the type of data breached - and how much.
"The common theme for ransomware is that often the risk assessment reveals organizations can't determine how much data has been breached," Fisher explained. "It's not a loophole, but it's a built in carve-out that allows organizations to say no breach has occurred. The nuance that you need to worry about is that the OCR's position is that if there's a ransomware attack, then the system has been breached."
With that being said, Fisher couldn't say whether there are organizations not reporting because only the system was locked down or the risk assessment didn't reveal data wasn't breached.
Organizations must start with the presumption that ransomware is a breach – even though there may be facts that might contradict that assumption, Whaley said.
Simply put: if an organization can demonstrate PHI wasn't compromised, it doesn't have to report it.
If the data impacted by ransomware was encrypted properly and the organization doesn't have any reason to believe the encryption was compromised, for instance, then the PHI is considered secured.
"But all of those are very fact-specific inquiries," Whaley added. "Organizations have to look at exactly what happened. The presumption should be that the organization has been breached if ransomware has attacked a system, and the burden of proof is on the organization."
Another caveat to consider when it comes to reporting are business associates that are covered under HIPAA, as it comes with separate requirements. Traditionally, when business associate agreements are drawn, the organization will specify the amount of time it will give the vendor a business associate to report that a breach has occurred, Whaley said.
Whaley explained that for the purposes of a covered entity, it's when the organization should have known about the breach.
And it's the covered entity's responsibility to contact the impacted individuals, the media and OCR if more than 500 patients were affected.
"The covered entity will file if the breach covers more than 500 patients," Whaley said. "They will file with OCR, the media and patient. It's that notification that triggers an OCR investigation. OCR is investigating all incidents that affect more than 100 individuals."
"The scope will vary by how long it takes them to finish the investigation, which will vary by caseload," she added. "They're also looking at incidents with less than 500 patients, but are using different criteria."
The true cost of untimely reporting
If Presence Health is any indication, fines for organizations with untimely breach reporting will be hefty.
Organizations that don't report the breach during the 60-day time period, each day over the limit constitutes a separate violation, said Fisher. OCR uses that as a baseline to determine what could be imposed, as it investigates whether the breach was knowingly and intentionally violated. He explained that a $500,000 is the cap for a fine within a year.
Organizations also need to keep in mind that when OCR is investigating these breaches, it may find more widespread, noncompliance, he said.
When it comes to breached financial records, such as credit cards or social security numbers, it may not fall under HIPAA. However, there also may be elements that contain PHI. A risk assessment will make that determination.
But even if there wasn't a HIPAA violation, organizations also need to consider state laws. Whaley said that some of these state laws may even be more onerous than HIPAA and may also have a shorter reporting timeline.
After a breach, organizations face a lack of trust from patients, reputational damage and mitigation costs, on top of the OCR fines, Whaley explained.
"The true costs of these incidents involving PHI is more than simple settlements: Those are just a portion of the cost to an organization," said Andrew Liuzzi, executive vice president of Crisis and Risk Management for Edelman, a public relations company.
Loss of reputation tops the list as the biggest risk from not only investors, but patients, as well, Liuzzi explained. And trying to downplay an incident can only increase the negative impact from regulators, investors and consumers.
Seventy-one percent of consumers would actually switch companies after the breach of a company they rarely use, and 50 percent of people said they'd likely change vendors after a data breach, a recent Edelman report found. Forty percent of consumers told a friend about the experience. Further, 30 percent of those affected by a breach would talk about the experience online.
"This reveals the viral nature of a breach," Liuzzi explained. "Of course it depends on the scale and target of the breach, but, outside of financial risk, it's about trust and brand reputation."
"There's a gap between consumer expectations and what the business is delivering in terms of response."
Patient complaint is another issue, Hepp said. While patients can't sue an organization for direct breach of HIPAA, they can bring a case against an organization in common law for failure to meet a patient's right to privacy.
Often, courts look to HIPAA for the standard of care and use that for finding out whether an organization has violated a patient's right to privacy. Hepp explained early cases of these claims were less likely to be successful, but there have collectively been more of these claims. Some patients in these cases bring up their fear of loss of privacy or fear of further retaliation, but these cases haven't been successful.
"There's an increasing sense that every organization is going to be attacked at some point. But you also can't take an overly long time to report it," Fisher said. "That's where people are getting upset and saying, 'why didn't you tell me about this?'"
"On the other end, if these organizations get in front of it, and let the patient know right away, they may be more likely to forgive," he added.
The way forward after a breach
"No organizations are immune to a cyberattack – no matter how good their cybersecurity is," said Liuzzi. "And no amount of technology can account for human error with deception, when it comes to suspicious emails."
It's not "if" an organization will be breached, it's "when." The problem is that most organizations haven't embraced that mentality.
"Clearly there is a trend where many companies are devoting more money to security after an incident – which is natural," Liuzzi explained. "However, there's a natural benefit to having a plan in place before an incident occurs."
While the IT department usually drives security preparedness, Liuzzi said that bringing a communications team into the process as early as possible can help manage the scrutiny of the organization.
First, organizations must assemble the right team before an incident breaks out. He explained that the right people need to be brought to the table: Legal counsel, forensic IT and communications are primary for the leadership team.
Second, after a breach, organizations need to determine fact patterns within an organization – obviously lead by IT and legal counsel. This step analyzes security requirements within an organization and the regulatory requirements.
Third, once the team and facts are gathered, an organization needs to develop a response team committed to handling the specific incident. This includes communication, media, forensics and the like, which is all guided by regulatory requirements.
It's imperative organizations don't rush the initial statement, as "facts are fluid" in these situations. Liuzzi explained it could compromise data and further damage the company's reputation, which is already fragile.
The response team should also be careful in communicating numbers, as the breach is more than that. He said what's important is being able to lay out the steps taken both internally and externally in response to the issue.
"Patients need to be the North Star," said Luizzi. "It's very simplistic, but we need to make sure we communicate to our key audience effectively and clearly. Not just with a press release, but looking at other avenues for communication. Medical data is a personal topic, and the message needs to match that.
"The key is to balance legal needs with consumer expectations," he added. "You need to have a respect for the voice of the organization, so that when the message is delivered it doesn't come off as legalese. You need an understanding of what your stakeholders expect."
Communication is crucial. And it's more than offering the typical credit monitoring services for a year, Whaley said. Especially with a large-scale breach, the hospital should have a dedicated line to handle calls from patients. And those who answer the phone need to be able to answer key questions in a way patients can understand.
Patients should be informed of the necessary steps to take to further protect themselves from theft. And the hospital's operators should be able to explain the methods the hospital has put into place to ensure it won't ever happen again. This should include the way processes and security have improved, the source of the breach and similar information.
"The cause of the incident will impact some of the messaging," Whaley said.