Cyberattacks against healthcare systems have skyrocketed in recent years, but reports show that those who oversee the industry’s cybersecurity measures aren’t always doing their jobs as intended.
The government agency in charge of enforcing the Health Insurance Portability and Accountability Act (HIPAA), which protects patients’ private healthcare information, hasn’t performed any compliance audits since 2017, according to a report released November 25 by the Office of Inspector General (OIG), a division of the US Department of Health and Human Services (HHS).
The agency, another HHS division called the Office for Civil Rights (OCR), is required by law to conduct periodic audits of healthcare facilities that hold protected patient information to make sure they’re following all of HIPAA’s many rules designed to protect patient data privacy.
But OIG found that the audits the agency did conduct in 2016 and 2017, before the program stalled, assessed only eight of HIPAA's 180 requirements.
“OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates,” the OIG report concluded.
OCR Director Melanie Fontes Rainer responded in a letter included in OIG’s report, saying that the agency doesn’t have the budget or staff to conduct larger-scale audits.
The number of complaints OCR has received since FY 2010 has increased 306% (from 11,426 to 46,401), and reports of large data breaches have increased 35,950% (from two to 721), Rainer wrote in the letter. At the same time, OCR’s investigative staff decreased 30% (from 130 to 91), hitting an all-time-low in FY 2022.
“Currently, OCR has less than 100 investigators, or less than two per each state, which has resulted in unsustainably high caseloads and frequent attrition,” she wrote.
As of FY 2020, OCR's budget was roughly $39 million, a figure that had barely changed since 2017.
Likely because OCR has such scarce resources, the agency has worked with the National Institute of Standards and Technology to develop a tool published in February that allows healthcare facilities to conduct self-audits of their cybersecurity standards, according to Leslie Bender, a senior counsel at law firm Eversheds Sutherland who specializes in HIPAA and data security.
The healthcare industry “should be” using the tool to test and audit its own cybersecurity standards, Bender told Healthcare Brew, adding that “it feels unfair to criticize the OCR for not doing something that it didn’t have the money to do.”
“Ransomware attacks on healthcare entities are really treasure troves of incredibly valuable information,” she said. “I think that’s why there are so many cyberattacks that target healthcare entities, and I don’t know how 91 people working for the OCR could prevent that.”
Zooming out. A separate report released by the Government Accountability Office on November 13 found that HHS has “faced challenges” doing its job to improve healthcare cybersecurity.
Congress has gotten involved, with four senators introducing a bipartisan bill on November 21 that would force the HHS secretary and the director of the Cybersecurity and Infrastructure Security Agency to “coordinate to improve cybersecurity in the healthcare and public health sectors.”
Healthcare Brew reached out to both OIG and OCR for comment but did not receive responses by publication.