Health data breaches vs. security incidents: a primer
Under the HIPAA Breach Notification Rule, all HIPAA-covered entities and their business associates are required to provide notification after a breach of unsecured protected health information (PHI). The Federal Trade Commission has a parallel Health Breach Notification Rule that applies to vendors of personal health records and their third-party service providers, which are generally not covered by HIPAA.
So what’s the difference between a breach and a security incident?
OCR defines a breach as an "impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." The presumption runs against the organization: a covered entity or business associate must treat any impermissible use or disclosure as a breach unless it can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised.
That risk assessment must consider at least these four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood the data could be used to re-identify an individual;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed, as opposed to merely exposed;
- The extent to which the risk to the PHI has been mitigated, for example by obtaining a recipient's assurance that the data was destroyed.
A security incident, on the other hand, is a broader category. The National Institute of Standards and Technology defines an event as "any observable occurrence in a system or network" and an incident as a violation, or imminent threat of violation, of an organization's security policies, acceptable use policies or standard security practices. A privacy incident is the analogous policy violation involving sensitive personal information such as Social Security numbers or confidential medical records. Every breach is an incident, but many incidents never rise to the level of a breach.
Enter ransomware. This class of attack makes it harder to decide whether an event is a breach or merely an incident, because many providers assume the attacker has only encrypted or locked the systems and has not viewed or taken the data.
That assumption is risky. Ransomware operators increasingly exfiltrate or destroy data outright, and some campaigns wipe an entire site rather than encrypt it, so the organization may have no way to show that the PHI was not acquired.
Emory Brain Health Center, for instance, was among the organizations whose misconfigured, internet-exposed MongoDB databases were attacked in January; the attackers wiped the records of more than 200,000 patients and demanded payment for their return. Records of this kind are commonly used for medical identity fraud and the forgery of medical bills. Emory began notifying affected patients of the breach in March.
Other providers may be treating ransomware attacks as security incidents rather than breaches. Hollywood Presbyterian Medical Center, Kansas Heart Hospital and other major health systems were hit by ransomware that shut down their systems in 2016, but those attacks took place before OCR issued its ransomware guidance in July of that year. That guidance states that when ePHI is encrypted by ransomware, the data has been acquired by an unauthorized party, so the attack is presumed to be a breach unless the organization can demonstrate a low probability that the PHI was compromised.