According to HIPAA, all covered entities and their business associates are required to provide notification following a breach of unsecured protected health information.
These breaches of unsecured protected health information affecting 500 or more individuals are then posted on HHS.gov.
What is considered a breach? A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
The top two types of breaches
According to the report that lists all breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights, the top two types of attacks are hacking at 32.6 percent and unauthorized access at 21.3 percent.
Unauthorized access was added in 2016 when the ITRC noticed that the term Unauthorized Access/Disclosure was being used in a significant number of breaches posted on the HHS.gov website as well as in other notifications.
Hacking: includes phishing and ransomware, and is readily recognized as a malicious intrusion to access a company’s data, whether personal or business related.
Unauthorized Access: defined as breaches that involve some kind of access to the data, but whose publicly available breach notification letters do not explicitly include the term hacking.
According to the January 2018 report from ITRC, the share of data breaches in the medical/healthcare industry dropped slightly, from 29.1% in January 2017 to 28.9%.
# of Breaches: 31
# of Records: 232,589
% of Breaches: 26.7%
% of Records: 7.4%
Protect your data
The time is now to begin a proactive approach to cyber risk management. Here are the steps we recommend:
1. Find out where your security gaps are.
2. Improve and harden your organization’s security program.
3. Strengthen your human firewall.
4. Monitor your security infrastructure.
5. Make sure data is accessible no matter what.
Phish Your Users
Find out what percentage of your employees are Phish-prone.