Healthcare cybersecurity is under the regulatory microscope, according to a new analysis by Beazley Breach Response Services (BBR), Beazley’s in-house cyber breach response team.
Some industry watchers speculated that the Office for Civil Rights (OCR), the federal agency that enforces the Health Insurance Portability and Accountability Act (HIPAA), would be less active under the administration of President Donald Trump. Those speculations have proven ill-founded, according to BBR Services. In its latest Beazley Breach Insights report, BBR Services highlighted the following:
- OCR issues the largest resolution agreement payment to date: a $16 million penalty against Anthem, in its capacity as a HIPAA business associate.
- OCR investigations are taking longer to close than in previous years. Investigations ranged from three to seven years for resolution agreements issued in 2018.
- OCR is actively scrutinizing reports of small breaches for patterns of non-compliant behavior. When issuing corrective action plans, the agency has focused on the lack of policies and procedures for devices and failure to assess the risks involved in device security.
“Post-breach enforcement by OCR makes it imperative for healthcare organizations to ensure their security risk analyses and risk mitigation plans are reviewed regularly and updated,” said Katherine Keefe, head of BBR Services. “As well as issuing larger fines for major breaches, OCR is investigating smaller-scale data breaches than previously. BBR Services strongly recommends that healthcare organizations of all sizes review their cybersecurity policies, practices and employee training programs and engage their insurer or broker in building a robust, HIPAA-compliant risk management program.”