Healthcare is one of the most targeted industries for cybercrime. That’s nothing new. However, the rate at which it’s being attacked is rapidly increasing.
Ransomware attacks cost the industry $20.8 billion in downtime in 2020, double the amount from 2019. One report showed a 580 percent surge in ransomware attacks on the global healthcare sector in 2020 amid the COVID-19 pandemic. Another report estimated that the healthcare industry will encounter two to three times more cyberattacks in 2021 than the average numbers for other industries.
Why such high numbers for an industry focused on patient care? Much of it is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, valuable data and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data.
Cybercrime is an expensive problem for the healthcare industry. The average healthcare data breach costs an estimated $6.5 million and roughly $429 per patient record. Stolen protected health information (PHI) can be a dozen times more valuable on the black market than credit card information. One-third of all data breaches in the U.S. occur in hospitals, with the average incident affecting 25,575 records.
HIPAA Protected Health Information Responsibilities
Implementing and maintaining high levels of cybersecurity is possible for healthcare providers and also necessary, especially because patients who trust their health systems to protect their data likely receive better outcomes. Specifically, healthcare entities tasked with creating, receiving or transmitting PHI are required to comply with the Security Rule of the Health Insurance Portability and Accountability Act and its administrative, physical and technical safeguards.
PHI under HIPAA includes 18 identifiers, such as names, dates, geographic data, social security and account numbers, email addresses, fingerprints and internet protocol (IP) addresses. The following three major rules from the HIPAA Security Rule apply to technology:
- Any technology that stores protected health information must automatically log out after a certain time to prevent access by someone without credentials.
- Anyone with access to protected health information must have a unique login that can be audited based on their use.
- Protected health information must be encrypted.
The number of healthcare entities not fully in compliance with HIPAA regulations has resulted in marked problems. More than 29 million healthcare records were breached in 2020, including 642 reported data breaches of 500 or more records.
These breaches occur through a variety of incidents, including stolen devices, hacking, human error and negligence. Only about half of data breaches are the result of criminal or malicious intent. The ten most common HIPAA violations are:
- Snooping on healthcare records
- Failure to perform an organizational risk analysis
- Failure to manage security risks
- Denying patients access to health records
- Failure to enter into a HIPAA-compliant business associate agreement (BAA)
- Insufficient ePHI (electronic protected health information) access controls
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
- Exceeding the 60-day deadline for issuing breach notifications
- Impermissible disclosures of protected health information
- Improper disposal of protected health information
Costly Consequences for a Lack of HIPAA Compliance
Without plans, technology and processes to achieve cybersecurity, healthcare entities, including both providers and payers, risk costly civil and/or criminal penalties.
- HIPAA violation: Unknowing
  Penalty range: $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations
- HIPAA violation: Reasonable Cause
  Penalty range: $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations
- HIPAA violation: Willful neglect, but the violation is corrected within the required time period
  Penalty range: $10,000 – $50,000 per violation, with an annual maximum of $250,000 for repeat violations
- HIPAA violation: Willful neglect that is not corrected within the required time period
  Penalty range: $50,000 per violation, with an annual maximum of $1.5 million
- For covered entities and specified individuals who obtain or disclose individually identifiable health information willfully and knowingly, the penalty is up to $50,000 and imprisonment up to one year.
- For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment of up to five years.
- For offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty is up to $250,000 with imprisonment up to 10 years.
The consequences for the healthcare industry from cybercrime aren’t only financial. The loss of patient data can seriously put lives at risk. Providers have the potential to not only lose revenue and their reputation but also patients, as most consumers lose trust quickly when their personal data is compromised by a third-party organization.
The Advantages of HIPAA-compliant Automated Communication Tools
The use of multiple technologies adds to the vast amount of PHI healthcare providers are required to handle, but it also enables improved compliance: it provides historical data for compliance and liability, secures patient documents at rest and in transit, makes document retrieval fast and more accessible, reduces errors by streamlining core functions, increases visibility of patient progress and enhances on-premise security.
Specific areas that have benefitted from the introduction of technology to adhere to HIPAA include:
- On-call physicians, first responders and community nurses can share PHI on the go using secure texting.
- Images, documents and videos can be included in secure text messages, which can then be used at a distance to determine accurate diagnoses.
- Secure texting can be used to streamline the management process of hospital admissions and discharges – significantly minimizing patient wait times.
- Activity reports simplify risk assessments, and when linked with an EHR, secure texting also helps healthcare groups meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.
One such technology that has proven advantageous for healthcare providers in securing HIPAA compliance is automated communication tools, including those that enable two-way text messaging. In medical facilities where secure texting solutions have been implemented, providers have reported an acceleration of the communications cycle, leading to workflows being streamlined, productivity being enhanced and patient satisfaction being improved.
Leveraging HIPAA-compliant texting helps providers improve their ability to scale patient outreach through personalized patient communication and engage targeted populations. Customized messaging protocols can be tailored to patients meeting specific criteria such as age, risk factors, location, last visit date and more.
Providertech’s CareX platform offers providers a HIPAA-compliant SMS text messaging solution to proactively keep in touch with their patients before and after encounters—without overextending already constrained staff and budgets.