Throughout the year, healthcare privacy, security and cybersecurity have remained a crucial part of boardroom discussions, determining how best to proceed in an ever-evolving threat landscape.
Those conversations will continue to dominate in 2019, with leading security professionals predicting that health organizations will continue to invest in AI, IoT and medical device security, along with better employee education.
But to get a sense of the topics that matter most to executive and clinical leadership, HealthITSecurity.com compiled the top stories from 2018. Here are the most read stories of 2019, leading down to the most popular article.
10. Why Blockchain Technology Matters for Healthcare Security
The verdict is still out on just how much blockchain can live up to the hype, but this resource outlines how the tech can help healthcare organizations validate patient records to bolster patient privacy.
Blockchain organizes data to verify and record transactions. And for healthcare, it means validating all healthcare data entered into an electronic health record or computer system. There is a wide range of applicable healthcare uses, from health records to financial transactions, with each new action verified against an authoritative ledger of previous events.
Healthcare organizations need to be aware of regulations surrounding the tech, as well as how it could impact security, to determine if it’s the right fit.
9. Did EMS Worker Commit HIPAA Violation with a Facebook Post?
In one of the more peculiar news stories of the year, a Roane County EMS worker posted the location of an emergency response on her Facebook page. The responder was part of a team that responded to a call for a patient who had a heart attack in his chicken coop.
The EMS worker posted on her Facebook account, “Well, we had a first…We worked a code in a chicken coop! Knee deep in chicken droppings.”
The victim’s wife complained to Roane County EMS about the post, and the employee was warned as a result. But the event prompted a discussion on HIPAA compliance. This article breaks down some of those issues.
8. How Much Do Healthcare Data Breaches Cost Organizations?
Healthcare data breaches are commonplace given the increased sophistication of hackers throughout the year, along with healthcare organizations struggling to keep pace with resource and staffing shortages. But no matter the size of the organization, breaches are costly – from downtime to bringing systems back online.
In February, Ponemon broke down the true cost of a breach: $380 per stolen healthcare record.
This resource outlines why the costs are so high, as well as ways to reduce the damage, including incident response plans, data encryption, employee training, and other elements.
7. Benefits, Challenges of Secure Healthcare Data Sharing
As the industry continues to await the Office of the National Coordinator’s ruling on information blocking and a HIPAA update to support care coordination, data sharing remains a crucial concern for healthcare organizations.
The use of secure data sharing has a host of benefits, from avoiding medication errors to reducing duplicative testing. However, providers need to keep in mind that while HIPAA allows data sharing, there are some barriers to overcome.
In recent months, industry stakeholders have made a push for better data sharing to support value-based care. And the Department of Health and Human Services is on board, releasing a request for information to see how HIPAA can be modernized to better support data sharing.
6. Oklahoma Hospital Sued for Alleged HIPAA Violation Over Drowning
There are some HIPAA violations that spark industry debate about the HIPAA rule, and the August 23 case of an Oklahoma patient did just that.
Oklahoma-based McAlester Regional Health Center was sued for an alleged HIPAA violation after the hospital shared information about a boy’s drowning with his biological mother. The lawsuit was filed by his adoptive parents, who said the violation led to emotional distress as the biological mother “consented to the termination of her rights.” The jury trial date is set for January.
The resource outlines a similar case dismissed by a federal court in June, which ruled there is no private right of action under HIPAA.
5. New York Suspends Nurse for HIPAA Violation Affecting 3K Patients
The state of New York suspended Martha Smith-Lightfoot, a former University of Rochester Medical Center nurse, for violating HIPAA when she took a list of more than 3,000 patients to her new employer.
The list contained patient demographic information and diagnoses. Smith-Lightfoot said she took the list to ensure continuity of care for patients, but she never received permission from the patients or URMC to do so.
The story outlined several privacy incidents with URMC, which have resulted in officials strengthening the health system’s security protocols and training.
4. The Role of Risk Assessments in Healthcare
Under HIPAA, risk assessments are a requirement. However, for organizations that go beyond the requirements, a risk assessment can reveal vulnerabilities and help strengthen their security program.
Given the continued onslaught of attacks, risk assessments are a crucial tool in any organization’s toolbelt. The analysis reviews physical, technical, and administrative safeguards. While an assessment may not need to be done frequently, it should occur whenever a new tool is implemented.
This resource provides an overview of common mistakes and of going beyond HIPAA requirements to bolster security.
3. Hospital Data Breaches Most Common, Affect the Most Patients
In the current threat landscape, healthcare breaches are nearly inevitable. But a study from the American Journal of Managed Care revealed hospitals are much more susceptible to breaches, and the impact on patients is greater when they occur.
More than 200 hospital breaches occurred during the research time period, with 185 occurring at acute care hospitals. In fact, 30 of these hospitals had more than one breach during that time period. And one hospital had four breaches.
Computers are the greatest breach source given the accessibility from lax passwords and generic usernames. The story outlined where hospitals are lacking in security – and just what can be done about it.
2. LabCorp’s Network Security Breach May Have Exposed PHI of Millions
In one of the biggest stories of the summer, LabCorp experienced a cyberattack the weekend of July 14 on its IT network. The systems had to be taken offline during that time period, which impacted test processing and customer access to test results.
The outage lasted for several days, with many wondering whether patient data would be impacted by the security event. Officials later determined no patient data was breached. The Department of Justice later confirmed LabCorp was a victim of the notorious SamSam virus that targeted healthcare throughout 2017 and 2018.
1. What is a HIPAA Business Associate Agreement (BAA)?
This year saw a long list of breaches caused by business associates and third-party vendors. In fact, the biggest breach of 2018 was caused by a cyberattack on AccuDoc Solutions. The data of over 2.65 million Atrium Health patients were breached for more than a week due to the security event.
Given the increased risk, many healthcare organizations are attempting to get a better sense of how to manage their vendors – starting with business associate agreements. While required by HIPAA, organizations can draft these contracts to ensure they’re protected in case of a security event.
This resource provides a thorough assessment of how to build a BAA, how to understand the relationship with business associates, and just what happens when the vendor violates HIPAA.
Vendor management conversations and HIPAA debates will continue in the coming year, as the Office for Civil Rights continues to crack down on business associate violations and ONC considers a HIPAA modernization.