Neville M. Bilimoria

The recent events of the Colonial Pipeline gas shortage in the Southeast have highlighted a very real concern for our nation’s cybersecurity. Cyber criminals are still out there, and seemingly stronger than ever.

But in our representation of nursing homes and assisted living providers nationwide, we know too well that cyber criminals do not just cause the high profile, disabling gas shortages you read about in the news. No. We know that cyber criminals attack, nay even target, smaller healthcare providers more than other businesses. Here’s why.

In my practice I have given several speeches and written articles about HIPAA and cybersecurity, attempting to help healthcare providers obtain HIPAA compliance to protect their data, including protected health information (“PHI”), to prevent them from having to call me when there is a HIPAA breach and it is too late. But what many unsuspecting providers fail to realize is that healthcare providers are targeted more than any other business out there in the cybercriminal world. Unfortunately, small healthcare providers such as nursing homes and assisted living facilities are the biggest targets for cybercriminals!

Many people do not realize that healthcare data is like gold to cybercriminals. I used to tell people that your medical information is worth 10 times more than your credit card number on the black market. (See Caroline Humer and Jim Finkle’s “Your medical record is worth more to hackers than your credit card,” Technology, Reuters, Sept. 24, 2014.)

That’s because medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk the identity of a patient’s credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. However, the problem these days has gotten worse, to the point where I tell people that their medical information is now worth 50 (FIFTY) times more than your credit card information to cybercriminals. (See Ellen Neveux’s “Healthcare data: The new prize for hackers,” SecureLink, Feb. 5, 2020.) 

Still don’t believe that your facility is a target? Consider what has been happening during the pandemic. For example, from January through November of 2020, 79% of all reported data breaches involved healthcare organizations. In addition, healthcare entities witnessed a whopping 45% increase in cyberattacks between November 2020 and January 2021! (See Riyan N. Alam’s “What Does The HIPAA Safe Harbor Bill Mean for Your Practice?” Tripwire, March 14, 2021.)

New relief in sight

But there is good news. In addition to making sure you are HIPAA compliant so that you can minimize any attendant fines or penalties that often go hand-in-hand with cybercriminal attacks, healthcare providers can now also take advantage of a new HIPAA Safe Harbor law that was signed into law on Jan. 5, 2021.  

This new HIPAA Safe Harbor law amends the HITECH Act and requires the U.S. Department of Health and Human Services to recognize the existing good cybersecurity practices that an organization has in place when investigating a data breach. The new law also requires HHS to be more lenient with fines and enforcement if the healthcare organization is found to meet the basic HIPAA technical safeguard requirements. Under the new HIPAA Safe Harbor, the following factors apply:

  • HHS must consider cybersecurity measures that an entity has in place for at least 12 months prior to an attack when calculating HIPAA fines.
  • If the entity has met industry standard best security practices (such as the HIPAA Security Rule), HHS is required to decrease the extent and length of a HIPAA audit.
  • HHS cannot increase the HIPAA fine amount or extent of an audit if an entity is found not to meet basic security standards.
  • Compliance will be determined based on consistent practices of each organization.  

This new law allows nursing homes and assisted living facilities greater protection in the long run. Why? Because when your facility falls victim to a cyber-attack, and you should be considered a “victim,” it doesn’t make sense for HHS to exacerbate the situation by fining your facility for HIPAA violations on top of the attack your facility has just endured.

In essence, the government realized in passing this new law that just because providers are victims of cyberattacks, that doesn’t mean that the attacks are preventable, so hefty fines should not be the answer. The FBI agrees, noting that cyberattacks are imminent in the medical community, and even the FBI knows they are not always preventable.   

The only thing that providers can do is to exercise best practices, and that means complying, now more than ever, with HIPAA Privacy and Security Rules. These new amendments to the HITECH Act tell us that if you still do not have a robust HIPAA Security Rule compliance plan in place, you should get started now to take advantage of this new HIPAA Safe Harbor. If you do that, HHS will be more lenient on your fines and penalties. And in this new age of successful cybercriminals, this makes HIPAA compliance even more important for facilities.

Neville M. Bilimoria is a partner in the Chicago office of the Health Law Practice Group and member of the Post-Acute Care And Senior Services Subgroup at Duane Morris LLP; [email protected].