Several issues were raised in the past about the Office for Civil Rights’ (OCR) website commonly referred to as the “Wall of Shame.” In response, OCR announced the updated version of their rebranded HIPAA Breach Reporting Tool (HBRT).
The old Wall of Shame and the new HIPAA Breach Reporting Tool both publish information received by OCR on reported breaches affecting 500+ individuals. However, the Wall of Shame carried an undeserved negative connotation, because organizations were publicly and indefinitely listed on the website.
HIPAA Breach Reporting Tool
OCR noted in their announcement, “The HBRT provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information.”
Information posted on the site includes:
- Name of the reporting entity
- Number of individuals affected by the data breach
- Type of data breach (e.g. hacking/IT incident, unauthorized access, etc.)
- Location of the breached information (e.g. laptop, paper records, etc.)
Features of the updated HBRT include:
- Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
- New breach archive that includes information about how breaches were resolved
- Improved navigation to additional breach information
- Tips for consumers
OCR plans to continue expanding and improving the website’s features and functionality based on industry feedback.
Healthcare Breach Trends
The HIPAA Breach Reporting Tool recently recorded a new milestone: OCR has now received more than 2,000 reported breaches affecting 500+ individuals since the HBRT’s inception in September 2009.
There has also been a recent shift in the types of breaches reported. We are seeing a departure from the issue of lost or stolen unencrypted devices containing protected health information. According to the HBRT, the last 24 months have seen a rapid increase in hacking/IT incidents.
The big takeaway: Phishing is a tried and true way to gain access to healthcare facilities.
OCR Calls for More Phishing Awareness
To address phishing, OCR placed emphasis on the importance of phishing awareness in its latest cybersecurity newsletter update.
The OCR newsletter article points to a KPMG study that documents an increase in HIPAA violations and cybersecurity attacks impacting PHI over the past two years. The call to action is training the workforce to detect and properly respond to cyber-attacks and phishing scams.
OCR states, “Training on data security for workforce members is not only essential for protecting an organization against cyber-attacks, it is also required by the HIPAA Security Rule.”
There are several key factors healthcare organizations should consider regarding their approach to data security training:
Frequency of training and updates:
- How often to train workforce members on security issues
- How often to send security updates to their workforce members
Relevant and emerging threats:
- Communicate new and emerging cybersecurity threats to workforce members, such as new social engineering tricks and malware or ransomware variants
- What type of training to provide to workforce members on security issues (e.g. computer-based, classroom, monthly newsletters, posters, email alerts, etc.)
- How to document training to workforce members, including dates and types of training, training materials, and evidence of participation
Data Security Training Courses
Your organization likely has access to our collection of data security training courses as part of your cyber insurance policy.
The data security training courses provide organizations with training materials for the workforce in several key areas: Introduction to data breaches, Data security basics, Social engineering & Phishing, Safeguarding information, and HIPAA Privacy & Security Rules.
One important aspect of the training courses is their documentation features. The learning management system allows your organization to generate training reports once workforce members have completed the assigned training courses.
OCR notes the importance of documentation in the newsletter, “Any investigator or auditor will ask for documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules.”
To learn more about how you can leverage the data security training courses in your organization, reach out to our team at firstname.lastname@example.org.