California Attorney General Rob Bonta recently sent a bulletin to healthcare providers and facilities after several unreported healthcare data breaches. The guidance serves as a reminder to healthcare organizations: they must comply with state and federal breach reporting laws. Unfortunately, cyberattacks continue to heavily target the healthcare industry, and government agencies are increasingly vocal about cybersecurity and breach reporting.
Covered entities and their business associates must do their due diligence when it comes to safeguarding protected health information (PHI). Noncompliant healthcare providers could face serious state and/or federal repercussions (e.g., HIPAA violation), investigations, and fines.
The U.S. Department of Health and Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of [PHI].” The most common source of data breaches is phishing email, since email is the most accessible entry point into any computer or network. A single click on a malicious link can give an attacker access to data.
Any type of breach is damaging because the costs and disruption can be severe. In fact, a ransomware attack last year contributed to one patient’s death in Germany.
Given the need for good, uninterrupted patient care, federal and state government agencies emphasize the importance of protecting personally identifiable information (PII), including PHI. HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. And the HIPAA Breach Notification Rule (2009) makes it mandatory for healthcare providers to report all breaches of unsecured PHI.
Breaches affecting more than 500 individuals must be reported within 60 days of discovery (or directly after an investigation). Breaches affecting fewer than 500 individuals must be logged and reported within 60 days of the end of the calendar year.
HHS’ Office for Civil Rights also displays breaches affecting 500 or more on its Breach Notification Portal, also known as HHS’ Wall of Shame.
Similarly, every state has its own laws about reporting a breach. Under California law, healthcare entities have five business days to report unsecured breaches to the California Department of Health and to all affected individuals. Only law enforcement may request a delay. Organizations must also report breaches that affect more than 500 Californians to the state attorney general.
As reiterated by the bulletin, “Across the nation, cyberattacks on the healthcare sector has interrupted service delivery and patient care, and eroded patient trust.” And the resulting exposure of PHI “threaten[s] the privacy, security, and economic wellbeing of consumers.” Essentially, there are three main reasons why timely reporting is necessary.
First, complying with breach notification laws provides an adequate warning to affected individuals.
Second, reporting breaches supports agencies and IT specialists who collect information about threat actors and cyberattacks to stop future breaches.
Finally, compliance helps healthcare organizations avoid federal or state law violations that include hefty fines as well as possible shutdowns.
If anything, the bulletin should serve as a strong reminder to report all breaches and take cybersecurity seriously.
In a press release, Attorney General Bonta implored “all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack.” The bulletin ultimately highlights five points:
But most important of all, healthcare providers must use strong email security (i.e., HIPAA compliant email) to effectively combat email breaches.
Our HITRUST CSF certified solution, Paubox Email Suite Plus, protects email from inbound and outbound threats. All outbound emails are encrypted directly from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior.
And a new feature of our solution, Zero Trust Email, reviews incoming emails for potential threats, quarantining anything that raises a red flag. While a data breach is all but certain, proactive organizations mitigate risks, violations, and fines by understanding guidelines and utilizing solid cybersecurity programs. Proactive healthcare organizations are prepared in case an unsecured breach occurs.
Learn and follow all federal and state regulations today and ensure your patients’ PHI remains inaccessible to unauthorized parties.