[BreachExchange] HIPAA Violations Examples and Cases – Eight Cautionary Tales

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 7 14:09:33 EDT 2016


https://blog.cloudsecurityalliance.org/2016/10/06/hipaa-violations-examples-cases-eight-cautionary-tales/

The Health Insurance Portability and Accountability Act (HIPAA) helps
protect patient privacy by requiring healthcare organizations and their
business associates to protect sensitive data — including how the data is
used and disclosed. As the healthcare industry is increasingly being
targeted by cyber attackers, HIPAA gives healthcare organizations minimum
benchmarks for assessing and implementing their cyber defenses.

Patient health data is highly sought after by cyber criminals because they
can exploit it in many different ways and for much longer periods of time
than information such as credit card numbers. On black market
marketplaces on the dark web, stolen medical data can sell for 10 to 20
times more than credit card data. One report found that stolen Medicare
numbers sold for nearly $500 each.

Because medical records are rich with information, they can be used for
committing identity theft, medical identity theft, and tax fraud; obtaining
loans or credit cards; sending fake bills to insurance companies; obtaining
and then reselling expensive medical equipment — and the list goes on. And
unlike a credit card number, which can easily be cancelled if it has been
compromised, medical health records can’t be altered and tend to last a lot
longer. Stolen medical records of terminally ill patients are especially
valuable because that information can be used to receive other services on
behalf of the patient long after the patient has passed away.

HIPAA requires that healthcare organizations report any data breaches
involving more than 500 patient records. According to the HHS web portal,
there have been 205 such breaches so far this year. Many data breaches of
electronic protected health information (ePHI) that have resulted in HIPAA
fines were the result of carelessness or lack of data protection and could
have been avoided.

Numerous HIPAA fines have stemmed from the lack of risk assessments or
properly implemented risk management plans. A risk assessment is a
foundational step that healthcare organizations must take in order to
evaluate all the vulnerabilities, threats, and gaps in defenses in order to
mitigate security risks.

The Worst HIPAA Violations — and What You Can Learn from Them

Advocate Health Care Network, $5.5 million
This is the largest HIPAA settlement as of September 2016 and was the
result of three separate data breaches that affected a total of 4 million
individuals. One of the incidents involved an unencrypted laptop that was
stolen from an employee vehicle and another incident involved the theft of
four computers.

The Department of Health and Human Services Office for Civil Rights (OCR),
which enforces HIPAA, noted that Advocate Health Care failed to conduct an
accurate and thorough risk analysis of all of its facilities, information
systems, applications, and equipment that handle ePHI. A risk management
plan needs to include not only technical but also physical and
administrative measures.

New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
In a joint case, the two organizations were fined after 6,800 patient
records were accidentally exposed publicly to search engines. The breach was
caused by an improperly configured computer server that was personally
owned by a physician. The server was connected to the network that
contained ePHI.

NYP lacked processes for assessing and monitoring all its systems,
equipment, and applications connected with patient data. It also didn’t
have appropriate policies and procedures for authorizing access to patient
databases. Both of these violations would have been easy to prevent through
administrative processes.

WellPoint, Inc., $1.7 million
The managed care company exposed the records of more than 600,000
individuals over the internet after upgrading an internet-based database
containing ePHI. WellPoint didn’t know about the breach until a lawsuit
notified the company that the data was available through a web portal.

This kind of incident could be avoided by:

- Performing a technical evaluation of changes resulting from software
  upgrades ahead of deployment.
- Implementing technology, policies, and procedures for authenticating users
  that are accessing ePHI, as well as limiting the categories of users who can
  access the data.

Anchorage Community Mental Health Services (ACMHS), $150,000
A malware infection compromised the records of more than 2,700 individuals.
ACMHS did not review its systems for unpatched and unsupported software and
did not regularly update its IT resources.

This case underscores the importance of having policies and procedures in
place for running regular updates and patches. It’s a simple yet often
ignored practice that could have major implications.

St. Elizabeth’s Medical Center, $218,400
This settlement stemmed from two incidents, one of which was in connection
with staff use of a cloud-based file-sharing application. Specifically, the
medical center did not evaluate the risks of using this cloud service,
putting ePHI of nearly 500 people at risk.

As more healthcare organizations are embracing the cloud as a scalable,
cost-effective and flexible solution for storing and sharing patient data,
it’s critical to conduct a risk assessment prior to migrating to a cloud
environment. This evaluation should also include a comprehensive analysis
of the security capabilities of prospective vendors.

University of Mississippi Medical Center (UMMC), $2.75 million
UMMC reported a breach after a password-protected laptop loaned to a
visitor went missing. Subsequently, OCR’s investigation found that users
could access a network drive containing ePHI via a wireless network with a
generic user name and password. The accessible network drive contained ePHI
of 10,000 patients dating as far back as five years.

According to Verizon’s 2016 Data Breach Investigations Report, more than 60
percent of data breaches in 2015 involved weak, stolen, or default
passwords. Passwords are a major problem that can have serious consequences
for organizations, yet it’s a problem that’s easy to mitigate by
implementing strong password-management policies as well as techniques like
multi-factor authentication.

Triple-S Management Corp., $3.5 million
This case was the result of multiple, extensive violations involving
several subsidiaries. One notable violation related to two former employees
whose access rights to a restricted database were not terminated when they
left the company. The two then accessed the internet Independent Practice
Association (IPA) database, which contained members’ diagnostic and
treatment codes, while being employed by a competitor.

Just like poor password-management policies, user-privilege policies are a
major problem for organizations. Too often, user access is not terminated
when employees leave the company or move to another position within the same
company that changes their status. Many unauthorized access incidents can
be avoided with tools and procedures that manage user access.

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear
Associates, Inc. (MEEI), $1.5 million
OCR found multiple violations after investigating the theft of a personal
unencrypted laptop containing patients’ prescriptions and clinical data.
The violations included longtime failures to conduct a risk analysis and
implement security measures for portable devices.

“In an age when health information is stored and transported on portable
devices such as laptops, tablets and mobile phones, special attention must
be paid to safeguarding the information held on these devices,” OCR
Director Leon Rodriguez said in the announcement.

Many of the HIPAA settlements to date have involved stolen or lost devices
such as laptops, as well as removable media like USB drives. What makes this
case stand out from many others involving stolen or lost laptops is the
fact that this was a personal device.

As healthcare organizations become more open to bring your own device
(BYOD) policies, it’s important to have practices and procedures in place
for devices that are not managed by the IT department. Best practices could
include credentialing or “registration” of personal devices and controls
for giving IT staff advance permission to remotely wipe or lock a stolen
device.