January 2023 Healthcare Breaches and Hacking
Hacking continued its streak at the top of the list of causes of healthcare breaches in January 2023. The 22 hacking incidents reported in January affected the PHI of 697,256 patients. These 22 incidents represented 65.6% of all documented records breached during the month.
Entities affected by hacking:
- 18 healthcare providers, 683,220 patients, 98% of patients affected by hacking
- 2 business associates, 6,965 patients, 1% of patients affected by hacking
- 2 health plans, 7,071 patients, 1% of patients affected by hacking
Types of hacking incidents:
- 14 hacks of network servers, 389,465 patients, 55.9% of patients affected by hacking
- 6 email hacks, 208,912 patients, 30% of patients affected by hacking
- 1 other cause, 48,879 patients, 7% of patients affected by hacking
- 1 desktop computer, 50,000 patients, 7.1% of patients affected by hacking
How to Prevent Hacking Incidents
As hacking incidents have been the leading cause of healthcare breaches for several years, minimizing your risk of being targeted is crucial.
Security Risk Assessments and Remediation
Security risk assessments (SRAs) are vital for security and compliance. An SRA aims to identify weaknesses and vulnerabilities in your security practices so that you can prepare against potential threats. Once an SRA has been conducted, it is essential to create a remediation plan to address any identified deficiencies.
Employee Cybersecurity Training
A significant portion of hacking incidents results from phishing emails. Employee cybersecurity training is essential to your organization’s overall security posture. Employees should be trained on recognizing phishing attempts and what to do if they suspect an incident has occurred.
January 2023 Healthcare Breaches and Unauthorized Access or Disclosure
Incidents of unauthorized access or disclosures of PHI can occur in two ways – an authorized employee accesses PHI inappropriately, or an unauthorized party gains access to PHI. January 2023 recorded 15 incidents of unauthorized access or disclosure of PHI. These incidents affected 362,629 patients, representing 34.1% of the breached records reported in January.
Entities affected by unauthorized access or disclosure:
- 11 healthcare providers, 275,507 patients, 76% of patients affected by unauthorized access or disclosure
- 2 business associates, 67,609 patients, 18.6% of patients affected by unauthorized access or disclosure
- 1 health plan, 19,513 patients, 5.4% of patients affected by unauthorized access or disclosure
Types of unauthorized access or disclosure:
- 4 electronic medical records incidents, 144,828 patients, 39.9% of patients affected by unauthorized access or disclosure
- 4 network server and other incidents, 190,609 patients, 52.6% of patients affected by unauthorized access or disclosure
- 1 email incident, 4,307 patients, 1.2% of patients affected by unauthorized access or disclosure
- 2 paper/film, 3,067 patients, 0.8% of patients affected by unauthorized access or disclosure
- 3 other causes, 17,288 patients, 4.8% of patients affected by unauthorized access or disclosure
- 1 desktop computer, 2,530 patients, 0.7% of patients affected by unauthorized access or disclosure
How to Prevent Unauthorized Access or Disclosure
As we mentioned, there are two ways in which unauthorized access or disclosures occur – inappropriate employee access or unauthorized access by another entity.
Policies and Procedures and Employee Training
HIPAA policies and procedures are essential to HIPAA compliance as they guide employees on what is appropriate. HIPAA requires employee use and disclosure of PHI to be limited to the minimum necessary to perform their job functions. Your policies and procedures should dictate this, and employees should be trained on the policies and procedures to be aware of their obligations.
User Authentication, Access Controls, and Audit Controls
To ensure adherence to the minimum necessary standard, you must implement user authentication, access controls, and audit controls. User authentication gives each employee unique login credentials; access controls let administrators assign different PHI access levels to those credentials; and audit controls, which also depend on unique credentials, record who accessed which data so that each employee's PHI access can be reviewed for appropriateness.
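A small audit-control review over a constructed PHI access log, added here as an example and not taken from the original article: the role-based access levels, the care-team table and the log rows are all hypothetical, constructed to show how an audit log tied to unique credentials lets a reviewer spot access outside the minimum necessary standard.

```python
import csv
from io import StringIO

# Access levels per role: the minimum necessary record types for each job function (constructed table)
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "demographics"},
    "billing": {"demographics", "claims"},
    "front_desk": {"demographics"},
}
# Record types that additionally require a treatment relationship with the patient (constructed)
CLINICAL_TYPES = {"clinical_notes", "lab_results"}
# Patient -> set of users on that patient's care team (constructed)
CARE_TEAM = {"P1001": {"jsmith"}}

# Constructed audit log, as an audit control would record it: one row per PHI access event
SAMPLE_LOG = """\
user,role,patient_id,record_type,action
jsmith,physician,P1001,clinical_notes,read
jsmith,physician,P1002,lab_results,read
mlee,billing,P1001,claims,read
mlee,billing,P1001,clinical_notes,read
rdoe,front_desk,P1003,demographics,read
rdoe,front_desk,P1003,lab_results,export
"""

def review_audit_log(log_text, permissions=ROLE_PERMISSIONS, care_team=CARE_TEAM):
    """Return every access event that falls outside the minimum necessary standard.

    Two checks: the record type must be within the user's role-based access level, and
    clinical record types additionally require the user to be on the patient's care team.
    Each finding keeps the original row plus a 'reason' so a reviewer can see why it was raised.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = permissions.get(row["role"], set())
        if row["record_type"] not in allowed:
            findings.append({**row, "reason": f"role {row['role']} may not access {row['record_type']}"})
        elif row["record_type"] in CLINICAL_TYPES and row["user"] not in care_team.get(row["patient_id"], set()):
            findings.append({**row, "reason": f"no treatment relationship with {row['patient_id']}"})
    return findings

def findings_by_user(findings):
    """Count flagged events per user, so repeat offenders stand out in the review."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f['user']} {f['patient_id']} {f['record_type']} {f['action']}: {f['reason']}")
```

In a real deployment the log would come from the EHR's audit trail and the care-team table from scheduling or encounter data; the review logic stays the same.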
January 2023 Healthcare Breaches and Other Causes
In January 2023, one covered entity reported the theft of a portable electronic device to OCR that affected 2,674 individuals, representing 0.2% of the breached records reported in January.