I found some interesting data in a new survey by Healthcare IT News and HIMSS Analytics that showed more than half of hospitals were hit with ransomware from April 2015 to April 2016, but breach reporting to the OCR was practically non-existent.
The Office for Civil Rights (OCR) is an organization within the U.S. Department of Health & Human Services (HHS). Under the Health Insurance Portability and Accountability Act (HIPAA), the OCR can levy significant fines on health care providers and their business associates if protected health information (PHI) is lost or stolen.
As ransomware attacks have increased, one would expect OCR breach reporting to have increased in step, but only nine (!) organizations reported malware or ransomware breaches to OCR in 2016. That gap matters because, under the ransomware guidance OCR issued in 2016, a ransomware infection that encrypts ePHI is presumed to be a reportable breach unless the covered entity can show through a documented risk assessment that there is a low probability the PHI was compromised.
"Because ransomware is so common, hospitals aren't reporting them all," said ICIT Senior Fellow James Scott. "And ransomware is just the start for more specific actors to send in another attack and start mapping the system."
Four Reasons Why Breaches Do Not Get Reported
There are four major reasons hospitals don't report breaches, said ICIT's Scott.
You Have 60 Days To Report
The 60-day timer starts the moment a breach is discovered, which HIPAA defines as the first day the covered entity knew about the breach, or would have known had it exercised reasonable diligence. Knowledge is imputed organization-wide: knowledge held by any workforce member or agent counts as the organization's knowledge. For example, when someone at the help desk learns about a breach, the timer starts then, even if it takes a week for the incident to be escalated to senior staff, according to Erin Whaley, a partner at Troutman Sanders in Richmond, Virginia. (The 60-day deadline for notifying HHS applies to breaches affecting 500 or more individuals; smaller breaches may be logged and reported to HHS within 60 days after the end of the calendar year, but individual notifications still have to go out without unreasonable delay.)
"However, many healthcare organizations remain non-compliant out of calculated non-compliance (the fine is cheaper than the reporting costs and impact) or out of lack of resources (they cannot afford the technical controls, contractors and other needs to investigate incidents to HHS satisfaction)," Scott added. "Considering that some hospitals are seeing 20 or more ransomware attacks per day, hesitance to report out of fear of reputation loss or lack of resources is not surprising."
This is especially interesting if you are in healthcare IT, but it is recommended reading for anyone required to report data breaches when ransomware infects their network, and it makes excellent ammunition for a bigger IT security budget.