🍂 Each October in healthcare facilities, healthcare workers anticipate the start of flu vaccine administration and cybersecurity awareness training. 👩💻
🙇♀️ For those of us not so enthusiastic about either, a good educational refresher on their respective importance- and mandated requirements- helped to bolster compliance. 👩🏫
This year, in lieu of the always ingeniously insightful informational offerings I previously had the honor of learning from David S. Moore (https://www.linkedin.com/in/dsmoore), I tapped Google Bard for a current healthcare cybersecurity summary.
Summary of lawsuits in the last 4 years involving healthcare cybersecurity
- Number of lawsuits: The number of lawsuits filed against healthcare organizations for cybersecurity breaches has been increasing steadily in recent years. In 2023, there have been over 100 lawsuits filed so far, compared to just 25 in 2020.
- Types of lawsuits: The most common types of lawsuits filed against healthcare organizations for cybersecurity breaches are class-action lawsuits and individual lawsuits. Class-action lawsuits are filed on behalf of a group of people who have been harmed by a data breach, while individual lawsuits are filed by people who have been harmed by a data breach on their own behalf.
- Allegations: The most common allegations made in lawsuits against healthcare organizations for cybersecurity breaches are negligence, breach of contract, and violation of state and federal privacy laws. Negligence is the failure to take reasonable care to protect patient data. Breach of contract is the failure to uphold the terms of a contract, such as a privacy policy. Violation of state and federal privacy laws is the failure to comply with laws that protect patient data, such as the Health Insurance Portability and Accountability Act (HIPAA).
- Outcomes: The outcomes of lawsuits against healthcare organizations for cybersecurity breaches vary depending on the specific facts of the case. However, in recent years, there has been a trend towards settlements. In 2023, there have been over 50 settlements reached in lawsuits against healthcare organizations for cybersecurity breaches. The average settlement amount has been $10 million.
Examples of notable lawsuits
- In 2020, Anthem was sued for a data breach that affected over 78 million people. The lawsuit alleged that Anthem was negligent in protecting patient data and that the breach caused patients to suffer harm, such as identity theft and emotional distress. The lawsuit was settled for $115 million.
- In 2021, Premera Blue Cross was sued for a data breach that affected over 11 million people. The lawsuit alleged that Premera failed to take reasonable steps to protect patient data and that the breach caused patients to suffer harm, such as identity theft and financial loss. The lawsuit was settled for $67 million.
- In 2022, Scripps Health was sued for a data breach that affected over 1.5 million people. The lawsuit alleged that Scripps failed to implement basic security measures and that the breach caused patients to suffer harm, such as identity theft and emotional distress. The lawsuit is ongoing.
Summary of regulations about healthcare facilities’ requirements to present cybersecurity awareness training:
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Security Rule requires covered entities to implement a security awareness and training program for all members of the workforce (including management). The training must be tailored to the workforce and address the following topics:
- The importance of protecting patient information
- The types of security threats and risks to patient information
- The policies and procedures in place to protect patient information
- The employee’s role in protecting patient information
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework includes a number of standards and guidelines that can be used to improve cybersecurity. One of the standards, NIST SP 800-53, specifically addresses security awareness and training. SP 800-53 recommends that organizations develop and implement a security awareness and training program that covers the following topics:
- The importance of cybersecurity
- The types of security threats and risks
- The organization’s security policies and procedures
- The employee’s role in cybersecurity
- Applicable state and local laws
In addition to federal regulations, there may also be state and local laws that require healthcare facilities to provide cybersecurity awareness training. For example, the California Consumer Privacy Act (CCPA) requires businesses that collect personal information from California residents to provide training to their employees on how to protect that information.
Conclusion
Healthcare facilities are required by a number of regulations to provide cybersecurity awareness training to their employees. This training is essential for helping employees understand the importance of cybersecurity and their role in protecting patient information.
The number of lawsuits filed against healthcare organizations for cybersecurity breaches is likely to continue to increase in the coming years. Healthcare organizations must take steps to improve their cybersecurity posture in order to reduce the risk of data breaches and lawsuits.