Nearly Half of Healthcare Orgs Have No HIPAA Incident Response Plan for Cyberattacks
Despite the growing threat of cyberattacks such as phishing, hacking, and ransomware, 42 percent of surveyed healthcare organizations haven’t implemented a HIPAA incident response plan to address these vulnerabilities. Failure to implement an incident response plan is a clear violation based upon HIPAA’s security rule.
According to a report prepared by Shred-IT, a security service provided under Stericycle, the healthcare sector is far better prepared for cyberattacks than every other industry surveyed, including finance, insurance, and real estate.
However, there are two unique challenges related to data breaches and cyberattacks facing the healthcare sector. Data breaches and cyberattacks can put patient safety at risk when organizations are not prepared, and, the industry faces a disproportionate number of these kinds of incidents.
In fact, the report revealed that in 2020, confirmed healthcare data breaches rose a staggering 73 percent, resulting in the exposure of 12 billion pieces of protected health information. At least 56 percent of surveyed respondents said they had experienced a data breach, and 26 percent reported a breach within the last 12 months.
The report concluded that healthcare organizations better understand the need to prepare for cyberattacks and breaches, with safeguards like a HIPAA Incident Response Plan. Almost two-thirds believe a data breach would be costly, and over half feel a data breach would significantly impact their reputation.
Preventing Breaches with HIPAA Compliance
HIPAA compliant businesses are inherently more secure. This is because HIPAA dictates minimum security practices that businesses must have to protect PHI. Healthcare businesses are also required to track access to PHI to ensure that it is accessed appropriately and only by authorized parties.
To ensure that you are adequately protecting PHI, it is essential to conduct an annual HIPAA security risk assessment (SRA). SRAs assess a business’ current security practices against HIPAA standards, uncovering deficiencies that present risks to PHI. HIPAA compliant businesses use the information from conducting their SRA to address security vulnerabilities and better protect PHI.