A Summary of OCR’s 2023 HIPAA Breach Retrospective

Dave Bour
5 min read · Oct 31, 2023


In October 2023, the Office for Civil Rights (OCR) published a review of HIPAA breach notifications. The presentation is terribly informative but equally dry, so my goal is to summarize its 45 minutes while making it relevant to my clients. As an independent consultant, I work with early-stage companies to develop their IT, Security, and Compliance program. Feel free to reach out if yours would benefit from an IT Plan.

Key Points

The OCR is responsible for enforcing standards for handling PHI set forth in HIPAA’s security and privacy rules. In a nutshell, these read:

  1. PHI must be securely stored and transmitted while maintaining its confidentiality, integrity, and availability.
  2. Reasonable measures must be taken to protect PHI, which include access controls, identity verification, backups and logging.
  3. Your workforce must be informed of HIPAA requirements and the company must assess risk to PHI and remediate vulnerabilities.
  4. PHI may be disclosed to those providing care, for billing operations, to individuals designated by a patient, or to those supporting healthcare operations who have a legitimate business need for it.

A breach occurs when PHI is disclosed to unauthorized individuals. OCR defines a large breach as one affecting 500 or more individuals.

A Historical Look at Breach Incidents

In 2023, 97% of large breach incidents occurred through Hacking/IT and Unauthorized/Improper Disclosure.

Office for Civil Rights, How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks | October 23, 2023

From 2009 through 2022, Theft and Loss accounted for 22% of breach reports but just 2% of incidents in 2023. Its share was swallowed by Hacking/IT, which ballooned from half of all incidents to over three quarters.


Within this category, OCR breaks out the number of incidents attributed to ransomware, which receives the majority of media attention, and to "general," which is responsible for 76% of all incidents in this category.

What constitutes Hacking/IT?

In a nutshell, the same things you’ve been hearing since 1992.

  1. Don’t give your password to strangers (Phishing),
  2. Don’t make your password password (Compromised Accounts), and
  3. Run your updates (Unpatched Vulnerabilities).

So long as humans are involved, so will be human error. Here’s how to reduce the risk that any one of these scenarios affects your company.

Enact annual HIPAA compliance and IT Security training for all staff, with a comprehension quiz acting as the certificate of completion. The cost is about $35 per employee per year for a training platform, or I charge a one-time $2,500 fee to build a custom training and quiz and host a training that is recorded for new employees.

Enforce strong passwords with multifactor authentication across all services. No cost.

Use Device Management to enforce encryption, strong password creation, and an update schedule. If your company issues devices, this program is about $36 per device per year. If staff bring their own devices and you issue virtual workstations, the cost is $75 per workstation per year.

Breach reports to OCR include context, and many noted Network Servers and/or Networked Storage as the compromised asset. In a traditional IT environment, this is an actual server in an IT closet in a hospital or data center that houses company data. At a startup, this is often a database in AWS or files in Google Drive. The major difference is that in a traditional setup, the entity is responsible for configuration and maintenance of the hardware, while startups outsource much of that responsibility to the platform provider.

A Practical Application for Startups

To avoid IT whack-a-mole, I recommend a holistic approach to IT, Security, and Compliance versus point-in-time solutions. It’s analogous to planning for a hike — we may pick out points on the map that we want to visit, but the real challenge is charting out how we get from point A to point B.

One Path towards HIPAA Compliance

The first step to planning a route is having the map. Your map is constructed with an assessment that considers the following data points:

Industry/Use Case
HIPAA applies not only to healthcare entities billing insurance, but also to downstream providers who handle PHI. The type of business and exposure to PHI will help set your goals.

Resources
HIPAA is a set of standards that allows room to maneuver. A billion-dollar healthcare network will be held to a different set of expectations than a bootstrapped startup. This ultimately benefits early-stage companies but does not absolve them of the responsibility to protect PHI, nor does it excuse ignorance of the law. The resources available to you will determine your speed.

Constraints
Startups usually exist without IT, Security, or Compliance personnel for quite some time. Complex technical solutions quickly break down when part-time resources are extracted from the equation. Your constraints will outline the solutions.

We’ll then use your goals, solutions, and speed (priorities) to build a foundation through five pillars: Support, Device Management, Identity Management, Governance, and Network & Data Security.

The IT Plan, Early Stage IT Development

Your IT roadmap should climb each pillar through an iterative process that ultimately builds towards a low-risk posture over time, with solutions that work together throughout the journey.

For example, the policies developed through Governance are used to develop the training in the Support pillar, and Device Management platforms will be used to implement data security by enforcing device encryption.

Cost // Benefit: Making the Case for Step One

The 80/20 of developing an IT Organization happens with just the first step in each of these pillars. In less than 6 months, your IT/Sec/Compliance environment should include:

  An Assessment: $3,000 one time
  Policy Development: Free, or $3,500 one time, or $1,200/year
  Staff Training: $2,500/year, or $30 per staff member per year
  Data Categorization and Segmentation: Free (label data and use share drives to segment it)
  Device: $36 per device per year
  Password Management: $72 per staff member per year

For a company of 20 staff, the direct monetary costs are less than $5k on the low end and under $10k on the high end.

The outcome of this investment will be a prioritized set of clear policies used to train your workforce and catalogue data while implementing device and SaaS security through centralized management platforms.

The best part about this process is that it doesn’t require adding to your headcount. I work with companies in fractional, consultative, and ad-hoc capacities on a flat-fee or hourly basis to design their roadmap, identify solutions, and even implement them. If this would benefit your organization, please reach out via email or my website to schedule a free and impartial chat about your strategy.


Dave Bour

Building IT infrastructure and teams where there was none before. Fitness, wellness, and adventure enthusiast. Engagements at theitplan.com