The latest HIPAA data breach penalty reported by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) includes some simple but important messages for all health care organizations and their Business Associates.
The OCR press release says Idaho State University (ISU) was fined $ 400,000 for unauthorized access to electronic Protected Health Information (ePHI) because its network firewalls had been disabled and unauthorized access to patient data was not detected for 10 months. The specific charges were that the university, which provides health care through 29 outpatient clinics, had not identified the risk of a network breach in a HIPAA Risk Analysis; had not addressed the risk through a Risk Management process; and had not conducted an Information System Activity Review that could have revealed the unauthorized access much sooner. These are the first requirements in the HIPAA Security Rule (along with a Sanction Policy) so this $ 400,000 penalty did not require a full compliance assessment— just proof that the most basic HIPAA fundamentals were not performed.
From the OCR Press Release:
“OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.
“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.”
A common complaint about HIPAA is that it tells you to do something but does not explain how to do it. This penalty contains a strong message that your organization must review the Guidance provided to help explain how to protect patient data, that you need to invest in equipment and qualified IT staff (often through an outsourced IT provider) to make sure it is set up and working properly, and that you must document your activities in accordance with specific HIPAA requirements to protect your organization in case of an audit or a data breach.
Here are the top 5 ways to avoid a HIPAA fine and more importantly, protect your patients’ sensitive data:
1) Perform a Risk Analysis: Trying to do this one yourself is like asking your patients to do their own chiropractic assessment. This is one you need to outsource to someone that understands the HIPAA Security Rule and understands I.T. vulnerabilities (Click HERE to request your Chiropractic HIPAA Risk Audit). Then you can put a plan in place to address the risks and keep them mitigated. It’s required in the Administrative Safeguards – Security Management Process (164.308(a)(1)). But the benefits to your office are much greater. If a patient could be told that they have a major problem brewing because their liver isn’t functioning properly because of an underlying subluxation, wouldn’t it be great that the patient comes in to see a chiropractor? Could you perform a “Risk Analysis” and put a plan in place to help them? Why would you think that the same isn’t necessary and possible with your technology?
2) Monitor and Manage your PC’s: New patches are released every month by Microsoft. All the third party applications (java, reader, flash player, itunes, etc) present a huge security risk to your office if not properly updated. These all need to be done on a regular basis to protect your network. In addition, you need to ensure you have antivirus and antispyware software installed on your PC, up to date, and setup to alert/email you (or your IT provider) when there is a virus found. Remember, part of what ISU was violated for was NOT KNOWING that something had gone wrong in their systems. Administrative Safeguard – Security Awareness and Training (164.308(a)(5)) requires protection from malicious software and that includes MONITORING that it’s working. Compliance is just the tip of the iceberg. True PC management will optimize your PC’s so your employees can be more productive too. You are paying them to help your business grow and not wait for their PC’s right?
3) Backup your data onsite and offsite: If you had an employee that went bad and decided to delete a bunch of record (it happens), or a fire that destroyed your network, or just a hardware failure, are you CONFIDENT that you can recover? You say yes? Have you TESTED your plan? You do have a plan right? Have you tested your backups? Administrative Safeguard – Contingency Plan (164.308(a)(7)) requires a Data Backup Plan and a Disaster Recovery Plan. Plans are great, but the HOW isn’t dictated. Backup Offsite is a necessity, but backup onsite in addition can greatly shorten your recovery time objective. If just the hard drive fails do you really want to download all the data stored offsite over an internet connection? Depending how fast this connection is, it may take you a few days or more to recover that data. These are all questions and answers that should be part of a disaster recovery plan.
4) Install a REAL firewall in your network: HIPAA does not even mention firewalls, but ISU paid $ 400,000 because theirs were not working. Their PLAN showed that that was a means of risk mitigation to remain compliant and therefore not having it working constituted a violation. You need to have them and they need to be effective. A firewall is a device that connects your network to the Internet, and includes security features that detect and prevent unauthorized network access. Most firewalls have optional features that can block viruses and malware; content filtering to block offensive or unauthorized web sites; secure VPN tunnels to connect multiple offices; and multiple Internet connections to automatically keep you connected if one Internet service fails. Firewalls are not mentioned in HIPAA, but are included in HIPAA compliance guidance from the National Institute of Standards and Technology (NIST.)
Simple consumer-quality routers (like the small blue boxes found in many offices) are not effective firewalls and do not prevent unauthorized network access. You need a real firewall that includes real security features that will prevent unauthorized access. It needs to be set up by a real IT professional and have a current security subscription. And you need real ongoing professional support through Managed IT Services to continually monitor the equipment and to review your systems activity to ensure real HIPAA compliance.
5) Hire Qualified IT Security Staff: When it comes to protecting patient data you can no longer rely on amateurs, “your nephew who is good with computers” or someone you call only when something fails. Security is a full-time job, but you can outsource IT Security Managed Services and pay a fraction of employing a qualified staff member. Like chiropractic care, IT Security has specialists you can go to for evaluation and treatment. You should insist your IT provider has staff that is certified in Security, certified to deploy firewalls, and is certified in HIPAA. How do you know? Ask them for proof!
No Dust Allowed
Security can fail silently without causing a network interruption or symptom that would require you to call someone for help. You cannot write HIPAA policies and procedures and leave them on a shelf gathering dust. Nor can you cannot just set up network security tools and expect that they will continue to work effectively.
ISU was unaware of its security failure for 10 months—longer than it takes to have a baby! There are tools they could have used to monitor their firewalls, and also to audit who was accessing their patient data. Most medical practices do not have these tools and would not know how to deploy and interpret them. Just like referring a patient to a specialist, you need to refer yourself to an IT security professional for the proper diagnosis and treatment.
Security Documentation
Even if you have a qualified staff doing the right things, nothing can be proven without proper documentation. Records need to be kept detailing the configuration settings of your security tools, maintenance records showing patches and updates, and proof that periodic reviews have taken place to ensure that your security is active and effective
Cost vs. Benefit
The $ 400,000 penalty does not include any of the costs for Idaho State University to notify the affected patients, correct its security problems, and implement the Corrective Action Plan required by OCR. Implementing effective security is much less costly than paying for a data breach and this latest HIPAA penalty is a strong message that OCR is looking at firewalls. Don’t wait.
What can you do about this?
Call us to discuss your options and get an audit. You can reach us three ways:
1) Email dan.hipaa@techsublux.com
2) Go to https://www2.techsublux.com/#contact and fill out the form
3) Call 877-540-6789 and ask dial extension 801 and ask for an audit.
Leave A Reply (No comments so far)