Hindsight is 20/20; it’s easy to look back on past mistakes and identify ways to prevent them from recurring, especially when it comes to breaches reported on the Office for Civil Rights’ (OCR) “wall of shame.” To better serve our healthcare provider clients, we recently looked back at the past year of Health Insurance Portability and Accountability Act (HIPAA) settlements, identified what went wrong in 10 of the reported breaches, and then pulled key takeaways for other healthcare providers to learn from. Our analysis is summarized in the just-published “Lessons Learned From The Latest HIPAA Security And Privacy Incidents,” available to our clients today.

What did we learn?

Hacking Incidents Were The Top Cause Of HIPAA Breaches In 2018

Healthcare security teams have worked hard to improve their security fundamentals, prompting increased security budgets and adoption of basic security tools. In the past, device loss and theft were the top causes of HIPAA settlements, but this is no longer the case as healthcare providers mature their security practices (see figure). We now see hacking/IT incidents as the top cause of breaches leading to HIPAA investigations.

Compliance Is Only A Baseline When Protecting Patient Data

As hacking incidents and more sophisticated threats lead to more expensive HIPAA violations, healthcare providers must finally move beyond the compliance guidelines provided by the OCR and adopt industry best practices instead. We listed several in the report that healthcare providers can follow to better ensure that the mistakes of the past aren’t repeated. Some practices, such as adopting a Zero Trust architecture for an organization’s network, will require serious commitment and resources. However, there are also smaller steps, like better enforcement of security policies the security team has already approved, that can be implemented today to better protect sensitive data. The best road maps will combine these short- and long-term improvements to your organization’s security posture.

(Written with Benjamin Corey, research associate at Forrester)