Healthcare cyber security under the regulatory microscope
Speculation that the Office for Civil Rights (OCR), the federal Health Insurance Portability and Accountability Act (HIPAA) enforcer, may be less active under the current administration has proven untrue. OCR has kept busy over the last year, as an analysis of OCR’s 2018 activity by Beazley’s in-house breach response team, Beazley Breach Response (BBR) Services, has revealed.
In the latest Beazley Breach Insights, BBR Services highlights:
- OCR issued the largest resolution agreement payment to date - $16 million against Anthem in its capacity as a HIPAA business associate.
- OCR investigations are taking longer to close compared to previous years. Investigations ranged from three to seven years in length for resolution agreements issued in 2018.
- OCR is actively scrutinizing reports of small breaches for patterns of noncompliant behavior. In issuing its corrective action plans, OCR focused on the lack of policies and procedures for devices and failures to assess the risks involved in device security.
Katherine Keefe, head of BBR Services at Beazley, said: “Post-breach enforcement by OCR makes it imperative for healthcare organizations to ensure their security risk analyses and risk mitigation plans are reviewed regularly and updated. As well as issuing larger fines for major breaches, OCR is investigating smaller scale data breaches than previously. BBR Services strongly recommends that healthcare organizations of all sizes review their cyber security policies, practices and employee training programs and engage their insurer or broker in building a robust HIPAA-compliant risk management program.”
Follow this link to read the full Beazley Breach Insights report including risk management advice for HIPAA covered entities.