[BreachExchange] Lessons Learned from the OCR Fine of Children’s Medical Center of Dallas

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 7 19:41:19 EST 2017


http://www.himss.org/news/lessons-learned-ocr-fine-children-s-medical-center-dallas

The OCR $3.2 million fine of Children’s Medical Center of Dallas indicates
not simply the importance of encryption for HIPAA security, but also the
inevitable system vulnerabilities created by users.

You know, human beings.  One of the breaches involved the loss of an
unencrypted, non-password protected Blackberry device at an airport. The
device contained PHI for 3,800 patients.  How might Children’s have avoided
this situation?

Most covered entities that permit use of BYOD limit use by prohibiting
downloading of PHI.  Double or triple factor authentication for access to a
database, sure.  But covered entities and business associates should never
permit downloading of PHI onto mobile devices.

There is no reason to do so.  Even those of us who treasured (yes, past
tense) our Blackberry keyboards would acknowledge the limited utility of
hosting that much PHI on a handheld device. In its announcement OCR also
referenced the failure of Children’s to implement recommended risk
management plans, and recommended encryption generally and specifically for
laptops and mobile devices.

This failure points out another risk for covered entities and business
associates.  The problem with getting sound advice is that you will be
expected to adopt it.  OCR considers things like making a good faith effort
to comply to be important.

Failure to implement sound advice is a signal to OCR that a covered entity
or business associate is not taking privacy and security seriously.  Note
that the medical center did not even bother to appeal.