In May 2014, New York Presbyterian Hospital and Columbia University Medical Center reached a settlement agreement with HHS to pay a $4.8 million fine for HIPAA violations. This was the second seven-figure HIPAA violation fine in 2014, following a $1.7 million enforcement action against Humana subsidiary Concentra in late April.
These million-dollar penalties are drawing the attention of HIPAA-covered entities around the nation. To avoid running afoul of HIPAA regulations, there are a few steps organizations should take immediately to learn from these incidents and ensure the privacy and security of protected health information.
In this tip, we examine three ways organizations can protect their data assets from similar breaches and HIPAA violation fines.
Follow formal decommissioning procedures
The root cause of the New York Presbyterian (NYP) incident was a failure of the organization to properly decommission a server containing personal health information (PHI). A physician sought to deactivate a personally owned server that resided on the NYP network and contained the health records of 6,800 patients. Those records included patient status information, vital signs, medication details and laboratory results. Unfortunately, the steps taken by the physician to decommission the server resulted in the exposure of those health records on the public Internet.
The lesson here is straightforward: Any device that contains health records must be decommissioned through a formal process that includes purging data on hard drives with a secure disk sanitization tool. Organizations should be cautious and apply this process to any system that resides on their networks to reduce the risk of disclosing health records placed on a system accidentally.
Encrypt mobile devices
In the case of Concentra, an unencrypted laptop was stolen from a company-owned physical therapy center in Springfield, Mo. The $1.7 million fine levied on Concentra was announced at the same time as a $250,000 fine against Arkansas' QCA Health Plan, where an unencrypted laptop was stolen from an employee's vehicle. In both cases, it must be presumed that the theft of these devices in unencrypted form constituted a breach of the PHI they contained.
All of these incidents could have been avoided if the companies had had basic security controls requiring the encryption of all mobile devices. While it's likely that every HIPAA-covered entity has a policy requiring the use of encryption technology, many devices still slip through the cracks. In Concentra's case, HHS cited a laptop encryption project that had been ongoing within Concentra for at least three years that had encrypted only 434 out of 597 laptops. Covered entities should conduct periodic audits of all mobile devices to ensure that they have encryption technology installed and enabled to protect health records from disclosure in the event of device theft. This inexpensive control can prevent multimillion-dollar HIPAA violation fines.
Know where PHI resides
Developing a complete inventory of systems containing health records is critical to the implementation of a HIPAA compliance plan. It is impossible to protect sensitive data if a company doesn't know where it resides. In the NYP case, a physician placed health records on a personally owned computer -- possibly in violation of the organization's security policies. In Concentra's case, the company should have had a policy prohibiting the placement of health records on an unencrypted mobile computer.
Organizations seeking to draw boundaries around health records should begin with an asset management review that not only tracks the systems belonging to the organization but also identifies which systems contain health information or are connected to a network containing such records. The network itself should use a network access control mechanism that prevents unknown devices from connecting to sensitive networks. While bring your own device, or BYOD, is an increasingly common approach to computing, HIPAA-covered records are no place to experiment with personally owned computers. Finally, companies should consider the use of a data-loss-prevention technology that identifies the presence of sensitive information on unexpected systems or networks.
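The periodic encryption audit and the asset review described above can be combined into one reconciliation pass. The following is an added example, not part of the original article: the CSV layouts, column names, sample records and the 30-day check-in threshold are all assumptions, and the data is constructed.

```python
import csv, io
from datetime import date

# Constructed sample data (assumed layouts): asset inventory, endpoint-agent
# encryption report, and MAC addresses observed on the PHI network segment.
INVENTORY = """asset_id,mac,type,holds_phi
LT-001,00:11:22:33:44:01,laptop,yes
LT-002,00:11:22:33:44:02,laptop,no
LT-003,00:11:22:33:44:03,laptop,yes
SRV-010,00:11:22:33:44:10,server,yes
"""
ENCRYPTION = """asset_id,encrypted,last_checkin
LT-001,yes,2014-05-20
LT-002,no,2014-05-21
LT-003,yes,2014-01-02
"""
OBSERVED = ["00:11:22:33:44:01", "00:11:22:33:44:10", "AA:BB:CC:DD:EE:FF"]
MOBILE_TYPES = {"laptop", "tablet", "phone"}

def audit(inventory_csv, encryption_csv, observed_macs, today, max_age_days=30):
    assets = list(csv.DictReader(io.StringIO(inventory_csv)))
    reports = {r["asset_id"]: r for r in csv.DictReader(io.StringIO(encryption_csv))}
    findings = {"unencrypted": [], "stale_or_missing": [], "phi_at_risk": []}
    mobile = [a for a in assets if a["type"] in MOBILE_TYPES]
    verified = 0
    for a in mobile:
        rep = reports.get(a["asset_id"])
        if rep is None:
            bucket = "stale_or_missing"          # never reported: treat as unverified
        elif rep["encrypted"].strip().lower() != "yes":
            bucket = "unencrypted"
        elif (today - date.fromisoformat(rep["last_checkin"])).days > max_age_days:
            bucket = "stale_or_missing"          # old report proves nothing today
        else:
            verified += 1
            continue
        findings[bucket].append(a["asset_id"])
        if a["holds_phi"] == "yes":
            findings["phi_at_risk"].append(a["asset_id"])
    # Devices seen on the sensitive network that the inventory does not know about
    known = {a["mac"].lower() for a in assets}
    findings["unknown_on_network"] = sorted({m.lower() for m in observed_macs} - known)
    findings["coverage"] = (verified, len(mobile))  # verified encrypted / total mobile
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY, ENCRYPTION, OBSERVED, date(2014, 5, 30)))
```

A device with no recent report counts as unverified rather than encrypted, so coverage reflects only devices whose encryption status was recently confirmed.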
HIPAA security breaches are tragic for the organizations where they occur but present learning opportunities for the rest of the industry. Each time the HHS issues a press release announcing a HIPAA violation fine, take the time to read it carefully and ask whether your organization might be following the same bad practices that led to the breach. After all, as the old maxim says, those of us who fail to learn from history are doomed to repeat it.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.