According to a recent survey by KPMG, eighty percent (80%) of health care executives report that their information technology systems have been compromised by cyber attacks. Most healthcare institutions, the survey found, lack sufficient tracking and reporting capabilities and are failing to report and manage threats that are occurring on a daily basis.
Daily threats are the reality today, including events such as ping sweeps and other broadcast probes against perimeter firewalls, port scans, failed log-on attempts and denial-of-service attempts. As the KPMG report notes, it is imperative that healthcare organizations enhance their tracking and reporting capabilities as a matter of information security. On a more granular level, it is also important for organizations to review the terms of their business associate agreements (BAAs) to understand their obligations with respect to daily attacks. What they are likely to find is that many BAAs in place today do not adequately address the reality of daily attacks. For example, it is not uncommon for a BAA to require the business associate to report every security incident to the covered entity promptly upon discovery. Because the Security Rule (45 CFR 164.304) defines "security incident" to include attempted as well as successful unauthorized access, use, disclosure, modification or destruction of information, and interference with system operations, such a clause literally obligates the business associate to report every port scan and failed log-on. This type of provision is not only impractical in the current security environment but also a hidden liability for many organizations that have not considered their obligations carefully.
Covered entities and business associates alike should re-evaluate the reporting provisions in their BAAs, giving specific consideration to the reality of daily security threats. One helpful approach is to differentiate between "successful" and "unsuccessful" security incidents, allocating each threat faced into one bucket or the other and creating tiered reporting obligations depending on the nature of the threat: for example, prompt individual notice of successful incidents, and periodic aggregate reporting of unsuccessful attempts such as blocked scans and failed log-ons. The BAA should also define which categories of event fall into each tier, so that both parties apply the same test when an event occurs. This approach reflects a more realistic understanding of the current security environment and would likely enhance HIPAA compliance by compelling organizations to think about security threats in a more practical, constructive manner.