2018 HIPAA violations: What lessons can we learn from them?

Cybercriminals often target the healthcare industry, and it’s not surprising why. Patient health information (PHI) contains a lot of valuable data about individuals. That’s why in the black market, PHI fetches more money than credit card data.

No wonder criminals continue to find ways to steal PHI. A recent survey of 1,758 US and Canadian healthcare employees revealed 27% of healthcare organizations have experienced at least one ransomware attack in the past five years, while 33% have experienced multiple ransomware attacks. And data breaches exposed 3.14 million healthcare records in the second quarter of 2018 alone. Sadly, investigators discovered that some of the organizations breached had HIPAA violations.

It’s clear that PHI security will still be a major concern going into the new year. Learning from the lessons of 2018 helps improve data security and HIPAA compliance in the future.

Lesson #1: Protect PHI at all times

PHI records contain crucial personally identifiable information: social security numbers, contact details, claims account information, and financial account information. This kind of information is difficult and tedious to change, which is why it is more valuable on the dark web than data a victim can simply replace, such as a credit card number.

The healthcare industry should treat PHI as its most valuable asset and protect it at all times. Whether at rest or in transit, PHI should always be encrypted, and every system that stores or handles it should be secured with multifactor authentication.

Lesson #2: Be more vigilant against ransomware

When it comes to healthcare data breaches, ransomware attacks surged over the past couple of years. Why was it so popular among cybercriminals? For two reasons:

  1. Healthcare organizations aren’t exactly known for raking in millions of dollars. Many lack funds to afford the latest in software and hardware technology. Criminals find it relatively easy to take advantage of their outdated systems.
  2. Healthcare workers deal with highly important and sensitive data. When criminals withhold such information for ransom, it’s not a mere inconvenience healthcare professionals can just shrug off — it becomes a matter of life or death. Victims are more willing to pay the ransom immediately.

Preventing ransomware should be a priority for healthcare organizations. You need to update your systems regularly and replace any software or hardware that is no longer supported by its original manufacturer.

More importantly, your staff needs regular training to recognize phishing scams, one of the most common strategies criminals use to execute their ransomware plans. Which leads us to the next lesson.

Lesson #3: Be more careful of the threat from within

Your greatest allies in staying HIPAA-compliant can also be your greatest threat: your own employees. That doesn’t mean they are out to do mischief (although be careful of those who may have reason to harm the company — disgruntled employees, for example).

Most people are simply unaware of many of the cyberthreats they face and have no idea how to recognize or prevent them. Hackers take advantage of this by using social engineering scams, in which they fool their victims into taking actions that give the criminals access to an organization’s systems. These actions may include downloading a file containing malware or revealing sensitive information, such as passwords and payment details.

Protection is twofold. You need to put technological security measures in place, and you and your staff need regular training to stay current on the latest security threats. That’s why staff training is an important HIPAA requirement.

Lesson #4: Be more transparent with data breaches

If you think a data breach is bad, not disclosing it will make things worse. Under HIPAA, disclosure is required once the breach is confirmed. Failure to comply not only leads to stiff fines and potential litigation, but also damages your company’s reputation further.

Covered entities and business associates under HIPAA are required to notify affected customers as well as the Department of Health and Human Services within 60 days of discovering a breach. If the breach affects more than 500 individuals, mainstream media outlets must be notified as well.

Be HIPAA-compliant as we enter 2019

If you think your organization is not yet HIPAA-ready, and find its requirements complicated and difficult to remember, here’s another lesson to learn: partnering with a managed services provider like Online Computers will give you the peace of mind you want. Our experts will provide the appropriate IT solutions and services you need. We’ve been assisting healthcare organizations in and around Hanover, Morristown, and Madison since 2012. If you’re in our area, contact us now, and leave the technology to us.
