[BreachExchange] Key Takeaways from OCR’s Latest HIPAA Fine: Hospital to Pay $3.2 Million for Its Cybersecurity Violations

Inga Goddijn inga at riskbasedsecurity.com
Wed Feb 15 19:38:33 EST 2017


http://www.lexology.com/library/detail.aspx?g=e6b94cbd-40f8-4a39-96c5-f2d1943141a1

Earlier this month, the U.S. Department of Health and Human Services,
Office for Civil Rights (OCR), announced a Health Insurance Portability
and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00
against Children's Medical Center of Dallas (Children's), a pediatric
hospital that is part of Children's Health, the seventh largest pediatric
health care provider in the nation. OCR based this penalty on its finding
that Children's failed to comply with the HIPAA Security Rule over many
years and that Children's impermissibly disclosed unsecured electronic
protected health information (ePHI) when it suffered two data breaches that
were reportable to OCR.

*The Breaches*

   - On January 18, 2010, Children’s reported to OCR the loss of an
   unencrypted, non-password protected BlackBerry device at an airport on
   November 19, 2009. The device contained the ePHI of approximately 3,800
   individuals.
   - On July 5, 2013, Children’s reported to OCR the theft of an
   unencrypted laptop from its premises sometime between April 4 and April 9,
   2013. The device contained the ePHI of approximately 2,462 individuals.

Because Children's devices were unencrypted, Children's was obligated to
report their loss, along with the unsecured ePHI they contained, to HHS.
Had the devices been encrypted, Children's could have taken advantage of
the "safe harbor" rule, under which covered entities and business
associates are not required to report a breach of information that is not
"unsecured."

*The Investigation*

   - OCR's investigation revealed that, in violation of the HIPAA Rules,
   Children's (1) failed to implement risk management plans, contrary to prior
   external recommendations to do so, and (2) knowingly, and over the course
   of several years, failed to encrypt, or otherwise protect, all of its
   laptops, workstations, mobile devices, and removable storage media.
      - OCR's investigation established that Children's knew about the risk
      of maintaining unencrypted ePHI on its devices as far back as 2007.
      - Despite this knowledge, Children's issued unencrypted BlackBerry
      devices to nurses and allowed its workforce members to continue using
      unencrypted laptops and other mobile devices until 2013.

*The Takeaways*

   - *Implement HIPAA safeguards.* HIPAA covered entities and business
   associates should implement appropriate administrative, physical, and
   technical safeguards to ensure the confidentiality, integrity, and
   availability of ePHI, as required by the Security Rule
   <https://www.hhs.gov/hipaa/for-professionals/security/index.html>.
   - *Don't delay.* If you are a HIPAA covered entity or business
   associate, your legal and IT teams should ensure that the safeguards are
   implemented entity-wide and without undue delay. Your employees travel
   for business and probably take work home. You quite literally could be one
   lost device away from a disastrous data breach and a multi-million dollar
   fine.
   - *Encrypt your ePHI.* An important technical safeguard is encryption of
   ePHI, which is not expressly but effectively required under HIPAA, since
   only breaches of *unsecured* ePHI must be reported to HHS. *See* 45
   C.F.R. § 164.408
   <https://www.gpo.gov/fdsys/granule/CFR-2011-title45-vol1/CFR-2011-title45-vol1-sec164-408>.
   - *Don’t lose your encryption key.* The encryption key should be stored
   separately from the ePHI. As specified in the HIPAA Security Rule, ePHI is
   encrypted by “the use of an algorithmic process to transform data into a
   form in which there is a low probability of assigning meaning without use
   of a confidential process or key” (45 CFR 164.304 definition of
   encryption
   <https://www.gpo.gov/fdsys/pkg/CFR-2016-title45-vol1/pdf/CFR-2016-title45-vol1-sec164-304.pdf>)
   *and such confidential process or key that might enable decryption has
   not been breached*.
   - *Security is (usually) not a DIY project.* For many covered entities
   and business associates, implementation of the Security Rule is outside
   their wheelhouse. Hiring a reputable, skilled technology vendor to
   implement the physical safeguards, and hiring knowledgeable outside
   legal counsel to ensure compliance with all aspects of the Security Rule,
   as well as to ensure a certain level of privilege protection, can go a long
   way toward avoiding a reportable data breach.
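The "Encrypt your ePHI" and "Don't lose your encryption key" takeaways above
describe two properties: the data on a lost device must be unreadable without
a key, and that key must live somewhere other than the device. The envelope
encryption below is an added illustration of what that looks like in code; it
is not from the Lexology article, the hospital, or OCR. It assumes AES-256-GCM
for both layers (my choice, not a HIPAA mandate), and stands in for the
separate key store with a KEK held only in memory by the caller. The on-device
artifact is the Envelope (wrapped data key plus ciphertext); without the KEK
it cannot be unwrapped, which is the condition the 45 CFR 164.304 definition
turns on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything that would be on the lost laptop or phone: the data
// encryption key (DEK) wrapped under a key encryption key (KEK), and the
// record encrypted under the DEK. The KEK itself is never written alongside.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, record)
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag. aad binds the ciphertext to its purpose.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. A wrong key, wrong aad, or any tampering makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a one-time DEK for the record, encrypts the record
// under it, then wraps the DEK under the KEK. Only the Envelope goes to disk.
func EncryptRecord(kek, record []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, record, []byte("ephi-record"))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte("dek-wrap"))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord must first unwrap the DEK with the KEK; without the KEK the
// envelope stays opaque, which is the "safe harbor" condition in practice.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte("ephi-record"))
}

func main() {
	kek, _ := newKey() // held by the key store, never stored with the data
	record := []byte("MRN 0000001: constructed sample record, not real ePHI")
	env, _ := EncryptRecord(kek, record)
	fmt.Printf("on-device bytes: %d wrapped-key + %d ciphertext\n",
		len(env.WrappedDEK), len(env.Ciphertext))
	if _, err := DecryptRecord(nil, env); err != nil {
		fmt.Println("device alone (no KEK):", err)
	}
	pt, _ := DecryptRecord(kek, env)
	fmt.Println("with KEK:", string(pt))
}
```

The per-record DEK means a KEK rotation only re-wraps small keys, not every
record, and a KEK that is compromised must be treated as the key having "been
breached" in the 164.304 sense, so the records under it are again unsecured.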

As discussed in our previous post, "Top Five Data Breach Trend Predictions
for 2017,"
<http://www.carpedatumlaw.com/2017/01/top-five-data-breach-trend-predictions-2017/>
medical identity theft is likely to remain cybercriminals' top target this
year, since medical information is lucrative and easy to exploit. After
all, compared to a stolen credit card number, a stolen medical record
offers far more personal information. Healthcare organizations need to
ensure they have proper, up-to-date security measures in place, including
data-breach response plans, ePHI encryption, and adequate employee training
about the importance of security.