Earlier this month, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued a press release stating Anthem would pay the OCR $16 million, the largest-ever HIPAA settlement, following the largest-ever health data breach in U.S. history. This settlement nearly triples the previous high of $5.5 million that Florida-based Memorial Healthcare System paid the OCR in 2016.
OCR Director Roger Severino stated in the press release that, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Director Severino continued, “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Unfortunately, this is not where Anthem’s issues ended. The release finishes by stating that, “In addition to the impermissible disclosure of electronic protected health information (ePHI), OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014.”
This begs the question: If this could happen to Anthem, which failed to prospectively and retroactively address its HIPAA compliance issues despite having ample resources to do so, could this happen to a solo or small practice group that does not have the same resources? The answer is, incontrovertibly, yes.
In the last several months, ransomware and other cyberattacks have targeted solo and small practices, causing an overwhelming number of breaches of patient medical and personal information. What can solo and small practices do to protect themselves from such attacks? Here are three suggestions:
1. Perform a practice-wide risk analysis and address security gaps.
OCR’s press release states Anthem failed to conduct an enterprise-wide risk analysis. If Anthem had done this, the severity of the hack could have been lessened. Small or solo practices must conduct a risk analysis rather than simply hope they do not get audited. But it is not enough to simply conduct a risk analysis—the covered entity must also address the identified risk gaps and work to close them. The worst thing a practice can do is conduct a risk analysis and do nothing with the results.
From OCR’s perspective, if the practice conducts a risk analysis, it knows where the risk gaps are. If the practice knew about the risks but failed to do anything about them, fines tend to be larger. Therefore, practices must conduct a risk analysis and proactively address the identified risk gaps. Failure to do so could lead to an attack and subsequent penalties.