[BreachExchange] Not worth the cost: 3 lessons about unprotected PHI

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 9 20:34:03 EST 2016


http://www.itproportal.com/2016/03/09/not-worth-the-cost-3-lessons-about-unprotected-phi/

When it comes to protecting patient data, technology is evolving so quickly
that it’s difficult for healthcare providers to keep up. While electronic
recordkeeping through computers, smart devices, and web-based services can
lead to higher efficiency and elevate patient care, providers must closely
monitor use to ensure the data contained remains safeguarded.

There’s more at stake than just patient trust for healthcare providers who
do not adequately shelter their patients’ Protected Health Information, or
PHI. The U.S. Department of Health and Human Services’ Office for Civil
Rights can hand down severe civil and even criminal penalties for violations
of patient privacy. Even if a company doesn’t give away the information
intentionally, the government can hold it liable for data breaches,
particularly if there’s proof the company didn’t guard the data properly.

Electronic data breaches have become the most common way thieves
obtain sensitive information about patients, including Social Security and
bank account numbers. But physical theft is also a rising concern. For
instance, an ordinary car break-in can turn into a massive data breach if
the car contains a device holding unsecured PHI. Take a look at the
examples of PHI non-compliance below to better understand the seriousness
of this infraction.

*Lesson 1: Laptops*

Recently, a private practice radiation oncology group, Cancer Care Group,
agreed to a $750,000 settlement
<http://www.hhs.gov/about/news/2015/09/02/750,000-dollar-hipaa-settlement-emphasizes-the-importance-of-risk-analysis-and-device-and-media-control-policies.html>
after someone stole a laptop containing PHI on patients from an employee’s
vehicle. Because the data was unencrypted, the thief could read it straight
off the laptop. An investigation by the U.S. Department of Health and Human
Services (HHS), Office for Civil Rights (OCR) found that even before the
laptop theft, Cancer Care Group was not compliant with HIPAA rules: it had
never carried out a risk analysis and had no policy governing devices and
media that leave the office.

*Lesson 2: Web-based file sharing*

Massachusetts hospital St. Elizabeth’s Medical Center was hit with another
substantial HIPAA non-compliance penalty
<http://www.healthcareitnews.com/news/hospital-repeat-security-failures-hit-218k-hipaa-fine>,
$218,400, for using a web-based file-sharing service to store sensitive
patient data. The complaint, filed by employees of the hospital, pointed
out that the information stored this way was not adequately protected, and
that it put 500 patients’ data at risk of a breach. HHS agreed with the
employees’ grievance and penalised the hospital. The department also
included in the settlement the loss of data from a former employee’s
laptop and USB flash drive
<https://luxsci.com/blog/jumpthumb-drives-and-phi-dont-mix.html> that
breached information on 595 hospital employees.

*Lesson 3: Physical files*

Lincare, Inc., a home healthcare provider, was recently fined $239,800
<http://healthitsecurity.com/news/home-health-provider-to-pay-240k-in-hipaa-violation-fines>
after an employee’s ex-husband called HHS to report that his former wife
had left behind protected health information for 278 patients when she left
their shared home. Not only was the data available for view by an
unauthorised person, but HHS also found that employees taking home any
patient files, or storing them in vehicles, violated HIPAA privacy laws.

*How to stay HIPAA-compliant*

It’s important for every healthcare provider or contractor to know what
data is Protected Health Information and to take inventory of all the
places (physical and electronic) that data exists, including laptops,
removable media, and any cloud or web-based services staff have adopted
on their own. Hiring an information security firm to evaluate your data
management system and put safeguards into place is vital for protecting
the trusted information patients share with you. Encryption of laptops and
removable media deserves particular attention: a stolen device whose data
is properly encrypted does not expose PHI the way the unencrypted laptops
in the cases above did.

As the examples above show, it’s important to ensure that employees
understand the HIPAA law and their responsibility to uphold it. To that
end, put an employee PHI policy in writing and have employees sign that
they read it and understand their role in keeping patients’ data safe.

Healthcare providers have a great responsibility to protect the data of
their patients, and that includes traditional in-office recordkeeping as
well as electronic data that extends beyond office walls.