8 Cybersecurity Trends the Healthcare Industry Must Pay Attention To


As emerging technology changes the landscape of information security in healthcare, health organizations must ensure that their policies stay up to date to protect the privacy and security of patient information.

According to a joint study conducted by Information Security Media Group and the email data security company Zix Corp., many healthcare organizations believe they are meeting this goal—but the key findings of the survey highlight how unprepared many organizations actually are, and reveal several developing trends that healthcare providers should be aware of.

1. Awareness of Emerging Threats

Over a quarter (28 percent) of survey respondents agreed that while hackers are a significant threat, the bigger security risk comes from in-house employees failing to meet basic security standards. Proper training of personnel is essential for HIPAA compliance.

2. Shifting Priorities

While the U.S. Department of Health and Human Services (HHS) is prioritizing EHR interoperability, survey respondents indicated that other issues were of more concern:

  • Increased regulatory compliance
  • Better security awareness and training
  • Prevention and detection of breaches
  • Updating business continuity/disaster strategies
  • Monitoring HIPAA compliance of associates

3. Mobile Protection

Lost or unencrypted mobile devices are often the culprit behind data breaches. The best way to avoid unauthorized access is to keep privileged data off mobile devices when possible, and to maintain good security practices when mobile use is unavoidable.

4. Restrict Data Access

Tighter control over data access is necessary to improve security. This includes multi-factor authentication, encryption of remotely accessed data, and restricting who has access to confidential information.

5. Better Risk Assessments

Thorough assessments of risk are necessary for HIPAA compliance. These audits typically result in updated and revised security practices, including the use of new security technology and educational initiatives.

6. No Cloud Confidence

Only 64 percent of survey respondents store data in the cloud, reflecting a fear of unauthorized remote access to privileged data. Only one-third of respondents claimed confidence in their vendor’s security standards.

7. Better Security Strategies

While security frameworks and policies are essential to information privacy, survey respondents revealed that 40 percent of organizations still lack a documented security strategy.

8. Trained Staff

With the prevalence of IT breaches that originate in-house, proper training of staff is essential. This includes appointing a chief information security officer to oversee IT security, preferably an employee with knowledge of security issues in healthcare and experience in security auditing.

At iBridge, security is a serious topic, and we continue to learn and provide information to the industry at large. If you have a question about HIPAA assessments, compliance requirements, or other security topics, feel free to contact us.


Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.


Turns Out HIPAA Is Full of Healthcare Privacy Holes


Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.


Where Does Protection Come In?

There are many ways that both legitimate organizations and ill-intentioned miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke


How Much Could a HIPAA Breach Cost You? A Rhode Island Hospital Finds Out the Hard Way


Playing fast and loose with patients’ personal health information is no small crime. For the administration at Rhode Island’s Women & Infants Hospital, a civil penalty of $150,000 is what it took to settle allegations of negligence in safeguarding the private healthcare data of over 14,000 patients.

Though the hospital in question is located in Rhode Island, the suit was brought by Massachusetts Attorney General Martha Coakley because the vast majority of patients whose personal health information (PHI) was leaked – 12,127, to be exact – were Massachusetts residents. Information compromised in the HIPAA breach, which occurred in spring of 2012, included patients’ names and birthdates, ultrasound imagery, Social Security numbers, and physician information.


Perhaps most shocking is that the PHI compromised in this breach was stored on unencrypted backup tapes. In a modern healthcare security environment, there is no excuse for hospitals to forgo encryption on media that contains patient data. The 19 backup tapes were meant to be shipped to a secure off-site data center before being archived along with legacy radiology files and data in a new picture archiving and communication system (PACS). Somewhere along the way, however, the unencrypted tapes disappeared. Though they went missing in spring of 2012, the breach was not reported until September of the same year.

Of the epic healthcare security failure by Women & Infants Hospital (WIH) of Rhode Island, Coakley said: “Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities… This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again.”

Besides the first failure – a lack of encryption on the 19 backup tapes – Coakley’s office determined that there were also other security missteps that led to the massive leak of PHI. The hospital had inadequate inventory and tracking systems, and its lack of solid employee training in handling and securing private patient data resulted in a delay in its reporting of the breach.

On top of the hefty $150,000 fine, the settlement requires WIH of Rhode Island to undertake a few steps intended to prevent such a security breach from occurring in the future. They include:

  • Regular security auditing
  • Immediate action to correct any weaknesses or failures discovered during the audit process
  • Updating and maintaining chain of custody procedures
  • Inventory of any unencrypted devices containing PHI

It’s likely that the coming years will usher in a new era of no-nonsense enforcement of HIPAA security laws. Massachusetts has a history of being a stalwart defender of patient privacy with actions like this and several others. Healthcare institutions still being too casual with PHI should pay heed to the consequences faced by WIH of Rhode Island and investigate their own practices and procedures to ensure that patient security is a top priority.

Written by Dean Van Dyke


5 Tips for Gracefully Handling Your Data Breach


You can barely throw a rock on the Internet these days without hitting a piece of advice on the best way to prevent a data breach. Yet, any organization that falls victim to such an attack is likely to find little guidance about the next steps to take. What’s the most appropriate way to share the news about a security incident?


Know Your Audience

The key to finding the best approach is to first understand that the message may have to vary slightly depending on the recipients, in order to address their particular pain points and concerns:

  • Consumers worry about their privacy. Will they need to switch banks? Cancel cards? Should they continue doing business with the affected company?
  • Regulatory bodies like the Federal Trade Commission will want to verify that the technical aspects—like fulfilling any statutory obligations—of the announcement meet certain standards.
  • Banks will want details about how the affected company will address the costs for issuing new cards to consumers.
  • The board and the shareholders are more concerned about company worth and viability, and how or if such an incident compromises an organization’s value.

Given that this is just a cross-section of those who might be affected by a data breach, it is easy to see how any official message must be tailored according to the audience.

Tips for Taking the Plunge

Once it’s time to explain, remember that honesty is the best policy… with these tips:

  1. Find the right balance between planning when and how to discuss any cyberattack with those affected, whether that means shareholder or cardholder. Some companies have found success with making an initial limited disclosure, then releasing more details upon investigation completion, but don’t deliberately downplay the gravity of the situation either. Also, comply with all mandatory disclosure timelines.
  2. Remember that language is everything. A “cyberattack” suggests an unforeseen and unpredictable outside force, while a “data breach incident” subtly implies that the company is at fault. Choose every word carefully.
  3. Know your rights. Reporting information to the authorities may negate the protective status of attorney-client privilege. Although cooperation with law enforcement is a must, do so with the guidance and advice of counsel rather than disseminating information too quickly.
  4. Remember that excessive compensation isn’t a must. Although offering a type of loyalty reward, like free credit monitoring, as a gesture of thanks to affected customers is understandable (and often appropriate), going overboard with an offer that’s disproportionately generous can seem suspicious in an overly culpable kind of way. Always weigh the considerations of such offers against the possible costs.
  5. Don’t be afraid to involve forensics consultants as part of damage control. Digital evidence can uncover indicators that point to a preventable security compromise, or produce proof that absolves an affected company completely.

Although any data breach incident—ahem, cyberattack—can feel like a PR nightmare, it doesn’t have to be. Going public with a data breach can be handled with professionalism and grace, as long as a solid strategy is set in place before any information is released about the incident.

Written by Dean Van Dyke


20 HIPAA Breach Response Tips From Experts


Medical identity theft is undeniably one of the biggest challenges facing the healthcare industry today. The guidelines laid out by HIPAA provide an excellent frame of reference to help better protect patient data. When you are faced with a breach, however, what’s the best response? Here’s a look at 20 tips from the experts.


1. Locate Breach

The very first thing to do if you suspect a breach is to find it. No other steps can be taken without knowing exactly what you’re up against.

2. Containment

After identifying the breach, the next step is containment. The goal here is the IT equivalent of stopping the bleeding, whether that means disabling compromised accounts or blocking access to infected machines.

3. Damage Control

Damage control begins as soon as the immediate threat is under control. Determine what was accessed, and investigate other potential vulnerabilities to gauge the extent of any collateral damage.

4. Restore Services

Your organization must continue functioning effectively, and this means getting critical systems up and running again as quickly as possible. Once you’re sure that you’ve accurately identified and contained the source of the breach, restore essential services.

5. Internal Notification

Next, develop an internal report that notifies everyone from the ground up about what just happened. This is important for managing the rumor mill, but also contributes to the U.S. Department of Health and Human Services documentation requirements.

6. Be Honest

Don’t bother trying to combine sugarcoating and information dissemination. Just be honest and explain the facts behind the breach.

7. Change Passwords

Change all passwords and authorizations right away. It’s hard to tell how much information a hacker had time to grab, so err on the side of caution.

8. Preserve Evidence

As you’re doing things like changing passwords and containing the breach, be sure to save evidence of both the breach itself and the corrective measures you’re taking for future reference.

9. Gather Documentation

The OCR will require extensive documentation, including but not limited to: a copy of your most recent risk assessment, records of the corrective action taken in response to the breach, proof of plans to prevent future recurrence, and much more.

10. Report Immediately

Although you technically have 60 days to report the breach to HHS and the press, it’s better to go public sooner rather than later. This shows that you’re taking the issue seriously, which in turn bolsters confidence in your organization.

11. Inform HHS

Tell HHS about your breach. Remember, any incident that affects more than 500 patients should be reported directly to the Office of Civil Rights.

12. Contact Your Patients

All companies are required to inform potentially affected individuals that a breach has occurred. Again, this should be taken care of as quickly as is reasonable, for the same reasons mentioned above.

13. Tell the Media

As the saying goes, he who breaks the story controls the manner of its release. Acknowledging the breach openly with the media is much better PR than trying to cover anything up.

14. Remediate

Everyone makes mistakes, but those who make an effort to rectify those mistakes rebuild trust in their organization that much faster. Do the right thing by offering help where help is needed.

15. Offer Resources

As part of the remediation process, provide resources to patients who are concerned about their privacy. For example, you can create a dedicated 1-800 number help line for affected parties to easily get answers to the questions they have, or offer free credit monitoring for one month.

16. Discipline

If your data breach resulted from a clear internal violation of your existing policies, the responsible party has to suffer the appropriate consequences. Take the necessary steps to discipline where called for.

17. Review Policies

Any data breach is a good indicator that it’s time to review your processes and policies to prevent similar incidents in the future.

18. Uptrain

Further investigation of the breach could reveal that remedial training is required to ensure that all employees are in compliance with current data guidelines.

19. Promote Awareness

Most healthcare organizations have a great number of various policies and procedures that employees are expected to follow, and it’s possible that data security concerns could get lost in the shuffle. Encourage awareness of the importance of HIPAA compliance, and make it clear that ignorance is not an acceptable excuse for noncompliance.

20. Prevent

While all of these steps are important for handling a data breach with professionalism and grace, the truth is that prevention is still the best policy when it comes to keeping information secure. Going the extra mile now to limit the potential of dealing with fallout later on is well worth the extra effort.

Written by Dean Van Dyke


Ramped-Up HIPAA Audits: What They Mean to You


Over the last 12 months, more than $10 million has been recovered by the U.S. Department of Health and Human Services (HHS) in connection with alleged HIPAA violations. Yet, the upcoming year is likely to bring on a few more game-changers: namely, a seriously ramped-up effort when it comes to audits. The HHS Office of Civil Rights (OCR) has decided it’s time to broadcast a definitive message throughout the industry by conducting new HIPAA audits among hundreds of organizations that have been identified as being at high risk. What will this mean for those in the healthcare industry? 


HIPAA Sticking Points

The statistics gathered by the OCR are sobering:

  • The number of individuals impacted by smaller breaches increased over the last two years, more than tripling between 2010 and 2011 and increasing again in 2012.
  • There has been an increase in breaches related to hacking, although theft and loss account for the majority of large breaches.
  • Most large breach incidents were traced back to business associates, which has led to the OCR’s announcement that business associates will be included in future audits.
  • The majority of small breaches occurred due to unauthorized access or disclosures, such as incorrect billing, sending information to an outdated physical address, or otherwise misdirected communications.
  • More small breaches involved paper records than electronically stored health records.

According to current guidelines, HIPAA applies to anyone defined as either a covered entity or a business associate of a covered entity. This classification can cause confusion out of the gate for many organizations that remain unsure whether they’re actually bound by HIPAA requirements. (Here’s a helpful hint: when in doubt, assume that you need to follow the guidelines. It’s much easier to take extra precautions than suffer the consequences of being found in violation.)

Another sticking point when it comes to HIPAA is the widespread use of mobile devices outside the office. Personal devices such as smartphones and tablets that are used to access company data are responsible for a large number of complaints and data breaches, because they lack the proper security specifications and aren’t always held to the same standards as on-site equipment.

Protecting Yourself

When it comes to protecting your business against the ramifications of a data breach, the most important step you can take as a healthcare organization is to conduct an exhaustive risk assessment (as required by HIPAA) to examine existing policies and procedures in an effort to more accurately identify potential problems. From there, don’t hesitate to take steps to shore up weak spots and revise current practices as needed to safeguard sensitive information from a potential data breach… and limit the possibility of a future audit by the OCR.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

Is Your Healthcare IT Security Stuck in The Stone Age?


It has been more than a decade since HIPAA’s security rule was introduced. In the intervening years, the field of healthcare IT security has evolved dramatically. However, not all practices and providers have gone along for the ride.

Are you part of an organization running a Flintstones-era healthcare infosec operation? If so, you may be playing fast and loose not only with patient welfare but also with federal regulations. With the impending implementation of ICD-10 and the ongoing shift to fully electronic medical records, chinks in your healthcare IT security armor may leave both your patients and your organization vulnerable to costly and compromising breaches.

Head in the Cloud?

Cloud computing has lifted physicians’ abilities to communicate, collaborate, and compare patient information into the stratosphere. Developments in cloud computing technology put staggering amounts of useful information in the hands of healthcare providers in both megacities and small municipalities.

But for all the benefits that come from this open access platform, there is also great risk involved. Managing data across multiple platforms and great distances exposes sensitive patient information to huge numbers of eyes. If you haven’t made security a priority, you may inadvertently – and unknowingly – be exposing patient reports, EMRs, and images to nefarious individuals or entities. Be sure that any outsourced firm with which your organization or practice contracts has a top-of-the-line IT security system and federal approval for capturing and storing confidential patient information.

Security Alphabet Soup

When swimming in a sea of EHR/EMR, HIPAA, HITECH and many other acronyms, it’s easy to let information security fall to the bottom of your list of compliance priorities. However, the federal government is ramping up efforts to monitor and intervene in even the smallest of HIPAA breaches. In a world of rogue “hacktivists” and ever-changing security threats and standards, how can you be sure you’re doing everything possible to keep patient information secure? Here’s a hint: if you don’t know what “hacktivists” are, you may be in the middle of a Stone Age healthcare IT security situation.

In the new cyber economy, even small- to medium-sized businesses and practices face security threats more commonly associated with institutions on an enterprise-level scale. Putting healthcare IT security higher on your list of priorities shouldn’t even be up for debate.

Top Healthcare IT Security Threats

A few of the most vulnerable points for IT security include:

  • Providers and contractors with multiple, untraceable, unencrypted mobile devices – Constantly upgraded operating systems make these ubiquitous devices especially vulnerable to cyber hacking and viruses.
  • The shift from desktop systems to cloud-based servers – The ability to use multiple applications from one virtualized “desktop” saves hardware dollars but exposes private health information to a wider array of infosec threats.
  • Social media vulnerability – It’s nearly impossible to restrict employee access to social media, but these networks are also rife with quickly-spreading viruses and security bugs.

Healthcare Security for the Modern Age

If you aren’t sure whether your healthcare security processes and procedures are up to date, they’re most likely behind the times. Get smart with your healthcare IT security policies in order to ensure both federal compliance and patient privacy. Guarding your practice and patients against cyber infection is as serious a charge as the cause of improving physical health. To guarantee the security of both patient data and your vital business information, make IT security a top priority. Doing so may require enlisting an outside contractor with the expertise to make your healthcare IT security completely airtight.


How to Minimize Data Exposure Risks


Recently, HIPAA reported one of the largest ever security breaches in the healthcare industry: namely, the theft of over 400,000 individuals’ protected health information (PHI) from a Texas healthcare system. The breach, which occurred in December 2013, spanned three days and resulted in the loss of Social Security numbers, addresses, and birth dates for employees as well as patients, along with more detailed medical information. How can such an attack impact the affected parties, and what can be done to prevent future vulnerabilities of a similar nature?

Information and Identity Theft

Access to personal records like dates of birth and Social Security numbers gathered in the initial data theft is really only the first stage for hackers. This sensitive information can then be leveraged to access accounts that have additional levels of protection in place. For example, many online bank accounts and credit card accounts require a two-step verification process that begins with a user name and password, and then adds another qualifying factor such as a PIN or the answer to a secret question.

After hackers are armed with medical records and employee information, it’s much easier to decipher passwords, PINs and other verification methods. For example, many people may use their birth year or anniversary date as their PIN, or as part of their password. Additionally, information like full legal name plus social security number can allow the hacker to open lines of credit in the victim’s name, file fraudulent tax returns in order to gain access to refund money and other forms of identity theft. The original hackers may perform these operations themselves, or may opt to sell the stolen information to the highest bidder for use by other cybercriminals.

Adding Protection

While user education—on issues like how to generate more secure passwords and practice other sensible precautions online—is an important step in limiting personal loss even if a breach of this type occurs, the impacted organizations themselves can provide a better first line of defense as well. For example, data encryption would help to prevent data exposure, as would the implementation of a monitoring plan that would identify and analyze potential breach points. Regular scans and analysis would help IT security personnel recognize a potential breach on the network much sooner, allowing more time for preventative measures to be taken.

There’s never just one party to blame for this or any other successful hack. Instead of looking around for who may or may not be guilty, energies are far better spent on ensuring that a more secure infrastructure is put into place that will better protect organizations and individuals against cyber-attacks in the future.

$2M Laptops? Unencrypted Stolen Computers Cost Organizations

The federal government isn’t exactly known as an entity that commonly takes quick and decisive action. We like to bemoan our do-nothing Congress and the stifling layers of bureaucracy that stand between leadership and actual legislation. Yet in some cases, the feds like to keep us on our toes; such is the story with recent hefty fines levied against a couple of healthcare entities found guilty of playing fast and loose with patient information.

For those healthcare providers still resistant to upgrading their IT security practices, consider yourselves warned: the grand total in fines for these two entities and their violations of HIPAA Privacy and Security Rules came to nearly two million dollars. If you still think no one is paying attention to what healthcare institutions are doing to guarantee patient privacy and healthcare information security, think again.

Crimes and Punishments

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied the fines. Speaking on behalf of OCR, Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

The incidents that led to these hefty fines involved stolen unencrypted laptops. The first incident was discovered by OCR during a HIPAA compliance review of a physical therapy program administered by Concentra Health Services in Springfield, Missouri. Here are the facts:

  • Concentra conducted a number of risk analysis studies and discovered that unencrypted laptops, desktops, and other mobile devices all contained sensitive patient information.
  • Concentra failed to take any significant action to guard patient information against these admitted points of vulnerability.
  • As a result of their failure to take action to resolve the security risks and a finding of generally insufficient patient information security, Concentra will have to write a $1,725,220 check. That’s enough to make anyone need physical therapy.

In the other incident, Arkansas-based QualChoice QCA Health Plan, Inc. reported theft of an unencrypted laptop containing the sensitive patient information of nearly 150 people. The laptop in question was stolen from a QCA employee’s car. Hindsight being 20/20, QCA took immediate action to encrypt the remainder of their devices, but OCR determined that in this case it was just too little, too late. QCA settled with OCR for $250,000 and must also submit a healthcare technology security risk analysis and corresponding plan to guard itself against any discovered points of IT security weakness.

Taking Action

So, if your organization is behind the times with regard to healthcare information security, you may also be behind the 8-ball of federal HIPAA enforcement efforts. If your institution is still working on unencrypted devices, here are a few immediate steps to take:

  • Perform a thorough risk analysis of your healthcare IT security
  • Address any discovered chinks in your infosec armor
  • Retrain staff on meeting current standards
  • Keep thorough records of steps taken to improve healthcare IT security in the event that you find yourself under investigation following a breach

Health and Human Services’ OCR offers a number of training programs for healthcare providers. Designed to help personnel understand HIPAA Privacy and Security Rules and ensure compliance, these programs are free with Continuing Medical Education credits available. For more information, visit OCR’s training site.