Auditing healthcare organizations, the Department of Health and Human Services found many providers struggling to follow HIPAA rules and manage risk. Yet HIPAA violations are expensive. HIPAA Gap assessments paired with penetration testing can help avert a costly crisis for healthcare providers.
Healthcare Industry Shows Problematic Security Gaps
As recently as September 2017, DHS Office of Civil Rights (OCR) audits found:
- 94% of organizations had inadequate risk management plans
- 89% were rated as inadequate on patients’ right to access their protected health information (PHI)
- 83% had performed inadequate risk analyses.
This is untenable. While the HIPAA Journal suggests, “a few years ago, the risk of discovery of a HIPAA violation was relatively low,” that’s no longer the case. Patients know more, it’s easier to file complaints, and the OCR is actively investigating.
- Penalties for noncompliance, based on the level of negligence, can range from $100 to $50,000 per violation (or per record)
- Maximum penalty is $1.5 million per year for violations of an identical provision.
- Violations can also lead to criminal charges resulting in jail time.
Simultaneously, the risk to PHI is increasing. Cyberattacks are common in healthcare. According to Healthcare IT News and HIMSS Analytics study, some 75% of “responding healthcare entities either were or could potentially have been targeted with a ransomware attack” in 2017.
Healthcare providers, hospitals, physician offices, and more are often targeted. Cyber criminals can’t resist the wealth of information in healthcare records (such as Social Security numbers, insurance information, relationship data, and payment processing details).
A March 2019 review of the past six months of headlines at Healthsecurityit.com makes the point crystal clear:
- 120,000 Health Alliance Patients Impacted by Wolverine Breach
- Ransomware Attack Impacts EHR of Rhode Island Provider
- Weekend Ransomware Attack Interrupts Care at 2 Ohio Hospitals
- Ransomware Attack on May Eye Care Breaches 30K Patient Records
- Health Data Breach Compromised PHI on 566K CNO Customers
- Ransomware Attack at Iowa Eye Clinic Puts PHI of 40K at Risk
In Q3 2018, healthcare was the top target for ransomware attacks, with ransom demands jumping to as much as $2.8 million, according to insurer Beazley.
HIPAA Gap Assessments Facilitate Compliance
Healthcare entities need to have their networks and systems locked down to facilitate HIPAA compliance and protect electronic PHI. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a documented risk analysis to evaluate both risks and vulnerabilities and the security measures taken to protect ePHI integrity.
One approach is a vulnerability scan, a high-level, semi-automated test typically run quarterly or semi-annually as a cybersecurity checkup. Another is a HIPAA gap analysis, which is used to discover security problems. This high-level, narrow examination checks “whether certain controls or safeguards required by the Security Rule are implemented,” according to OCR.
But a HIPAA risk assessment or HIPAA-Protocol Audit are not enough. That’s why RedTeam Security Consulting has partnered with the Boulay Group in our newest service offering, a combination penetration test and HIPAA gap assessment. Boulay’s certified technical professionals can advise on information security and technological risk. We build on the foundations their work offers.
More thorough HIPAA penetration testing sees cybersecurity experts working to exploit healthcare vulnerabilities and gain network access. After all, maintaining compliance and ensuring healthcare data security depends on:
- Identifying environmental security flaws
- Understanding level of organizational risk
- Addressing any vulnerabilities identified.
Using the same automated and manual approaches motivated hackers might use to compromise personnel, physical premises, and networks and IT assets, penetration testers dig deeper.
To convey the difference in medical terms, getting an annual checkup from your family doctor or general practitioner is smart, but sometimes you need a specialist’s opinion. When you want to get to the bottom of a particular health concern or issue, you go to the expert in that field. Pen testers are your cybersecurity experts, while the gap analysts are the GPs.
Remaining compliant and avoiding the cost of regulatory fines is a main motivator for healthcare providers. Yet by pairing HIPAA gap analysis with penetration testing, your organization can better develop an integrated defense strategy to drive strategic, operational and enterprise value while readying for cybersecurity threats today and in the future.
In partnership with Boulay, RedTeam Security Consulting now pairs HIPAA Gap Assessment with penetration testing. This service assists healthcare organizations in fully meeting regulatory mandates and reducing information security risk. Your penetration testing report will cover all flaws found and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps. Our experts also remain available to you to make sure the path to better protection is clear.
Get a customized pricing quote now in minutes using our self-service pricing tool.