
Data Under Siege: Strategies for Preparing for, Reacting to Health Care Data Breaches
With 390 investigations by the HHS Office for Civil Rights (OCR), Shawn Tuma JD, CIPP/US, partner at Spencer Fane LLP, offers advice for health systems and insurers on handling data breaches.
Over 31 million Americans have been
There are 390 health care data breaches under investigation by the HHS Office for Civil Rights as of August 1, in which millions of individuals were affected. The HHS Office for Civil Rights (OCR) requires organizations to report any health data breach that involves more than 500 individuals, which it then records in its database.
The largest reported data breach impacted
In a
The information potentially involved included their names, IP addresses, indicators they were signed into a Kaiser Permanente account, and how they navigated different websites or applications. Conversely, account credentials, Social Security numbers, credit card numbers, and financial account information were not compromised.
While Kaiser Permanente has since removed these technologies and implemented extra cybersecurity measures, the information of 13.4 million members and patients was compromised.1 Although the company is unaware of any information misuse, it advised those affected to remain vigilant against identity theft or fraud attempts.3
The impact of other breaches is less clear, including high-profile cyberattacks on Change Healthcare, a UnitedHealthcare Group subsidiary, and the Ascension health system.
In a
Despite this finding, Change Healthcare’s breach report to OCR
The information compromised included health insurance details and medical records4; it also included Social Security numbers, along with billing, claims, and payment information. However, Change Healthcare said the breached information will not be the same for all those impacted.
The cyberattack resulted in a Change Healthcare outage, causing
Similarly, Ascension, a faith-based health care organization that operates over 2600 health care sites, including 140 hospitals,
Consequently, some hospitals diverted ambulances, and some non-emergency surgeries were postponed. Currently, Ascension does not know what data or which individuals were affected as they need to review the potentially impacted files.
As exemplified by these cases, threat actors carry out health care data breaches using various methods, including ransomware attacks.
In an interview with The American Journal of Managed Care® (AJMC®), Shawn Tuma, JD, CIPP/US, partner and head of the cybersecurity and data privacy practice at law firm Spencer Fane LLP, explained that ransomware attacks involve threat actors finding a way into the network and stealing patient and employee data. After extracting the data, they encrypt the network, shutting down operations, and later use the stolen data for extortion.
Another method he highlighted was email account breaches, which threat actors conduct by using phishing techniques or stolen credentials. After successfully logging into an employee's email, they search for patient data, extract the information, and use it for leverage or threats.
However, Tuma noted that attacks on individual providers and business associates are not “terribly sophisticated” as the threat actors often capitalize on organizations overlooking fundamentals, like a lack of multifactor authentication or other factors that affect security settings and configuration.
“It’s just a failure of basic fundamentals most days,” Tuma said. “While that sounds discouraging at first, it’s really a cause for a lot of hope because there are things that can be and could have been remedied if only the proper risk management processes would have been followed.”
To react efficiently to data breaches, Tuma said health systems and insurance providers must understand the difference between incident response and critical incident response. He described an incident response plan as a binder with tabs you must flip through to figure out the correct response, while a critical incident response is like "you're in a building that just caught on fire, and you have to make decisions on the fly as you're running for the stairwells."
Although it is beneficial to have an incident response plan, he advised that organizations also have a simplified critical incident response plan that allows them to take action immediately. Therefore, Tuma suggested having a quick reaction sheet that lists the key team members to rely on in critical instances. It should also detail what to do in various worst-case scenarios, such as the computer networks going down, so organizations know how to react in a stressful, chaotic environment.
To create an effective plan, he noted that every health care organization and insurance provider should first understand their unique set of risks, which differs based on the type of work they do, the data they possess, and the jurisdictions they are under. Therefore, organizations must conduct thorough risk assessments to understand their operational risks and the data they must protect.
Once they perform these risk assessments, Tuma said organizations should build their strategic plan to protect against their largest vulnerabilities. After creating this plan, it must be executed by deploying security tools and involving service providers that assist with different cybersecurity aspects, like their cyber counsel, cyber forensics firm, and insurance provider. Then, organizations should train employees on the plan and thoroughly test it; the plan should be revised as necessary.
Lastly, Tuma said that organizations must check on their fundamentals, ensuring that backups, passwords, and multifactor authentication are part of their plan. He also suggested that organizations segment their network as much as possible.
“…there is no tool out there that solves this problem completely,” Tuma said. “It’s warfare, which means we have to be engaged in the battle, the warfare against the active adversary. Every time we do something to protect ourselves, they find a new way to attack us. So, we must be engaged and use the cyber risk management process to keep defending and protecting against their attacks.”
References
1. Breach portal: Notice to the secretary of HHS breach of unsecured protected health information. HHS. Accessed August 1, 2024. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. Fast facts. Kaiser Permanente. Accessed August 1, 2024. https://about.kaiserpermanente.org/who-we-are/fast-facts
3. Information notice about a privacy matter. Kaiser Permanente. Accessed August 1, 2024. https://healthy.kaiserpermanente.org/washington/alerts/p3/privacy-matter
4. HIPAA website substitute notice. Change Healthcare. June 20, 2024. Accessed August 1, 2024. https://www.changehealthcare.com/hipaa-substitute-notice
5. Change Healthcare cybersecurity incident frequently asked questions. HHS. July 30, 2024. Accessed August 1, 2024. https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
6. Alder S. Change Healthcare reports ransomware data breach to HHS. HIPAA Journal. July 31, 2024. Accessed August 1, 2024. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/#:~:text=The%20initial%20analysis%20revealed%20that,at%20more%20than%20110%20million
7. Change Healthcare cyberattack. American Medical Association. May 20, 2024. Accessed August 1, 2024. https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack
8. Cybersecurity event update. Ascension. June 14, 2024. Accessed August 1, 2024. https://about.ascension.org/cybersecurity-event