[BreachExchange] Hospital to Pay $250,000 After Alleged False HITECH Claims

Destry Winant destry at riskbasedsecurity.com
Wed Jun 5 03:28:11 EDT 2019


https://www.databreachtoday.com/hospital-to-pay-250000-after-alleged-false-hitech-claims-a-12569

A Kansas hospital has agreed to pay $250,000 to settle allegations
that it falsely attested to conducting a security risk analysis as
required under the HITECH Act electronic health records financial
incentives program. Two whistleblowers in the case, the hospital's
former CIO and corporate compliance officer, who filed a lawsuit
under the federal False Claims Act, will receive $50,000 of the
settlement.

The hospital had received at least $3 million in HITECH payments for
its "meaningful use" of EHRs, federal regulators say.

The case illustrates the important role insiders can play in efforts
to safeguard data.

"There are usually at least a few employees who know all of an
entity's information security secrets, and this case demonstrates that
these secrets sometimes can be very valuable in a False Claims Act
action," says privacy attorney Adam Greene of the law firm Davis
Wright Tremaine, who is not involved in the case. "Entities should not
assume that security failures that don't result in a breach will go
unnoticed."

Federal regulators have taken enforcement action against a handful of
other organizations in cases involving alleged fraud related to the
HITECH Act EHR incentive program.

'False Claims'

In a May 31 statement, the U.S. Department of Justice alleges Coffey
Health System, which operates 25-bed Coffey County Hospital, a
critical access hospital in Burlington, Kansas, falsely attested that
the hospital conducted and/or reviewed security risk analyses in
accordance with requirements under the HITECH Act incentive program
for the reporting periods of 2012 and 2013.

"The government contended that the hospital submitted false claims to
the Medicare and Medicaid programs pursuant to the EHR incentive
program," the justice department says in the statement.

Under the HITECH EHR "meaningful use program," the Department of
Health and Human Services offers incentive payments to healthcare
providers that adopt certified EHR technology and meet certain
requirements relating to their use of the technology. To obtain the
payments, providers must attest that they satisfy applicable
HHS-adopted criteria, including measures for analyzing and addressing
security risks to electronic health records, the Justice Department
notes.

"Providers who fail to properly ensure the security of electronic
health records must be held accountable," said Steve Hanson, special
agent at the HHS Office of Inspector General, Kansas City Region.

Whistleblower Case

The whistleblower lawsuit documents indicate that in January
2016, Coffey Health System's former CIO, Bashar Awad, and former
corporate compliance officer, Cynthia McKerrigan, filed a lawsuit
against Coffey in a Kansas federal court on behalf of the U.S. under
the False Claims Act.

"Based upon personal knowledge, relevant documents, and information,"
the two former employees alleged that Coffey had been falsely
attesting from 2011 or 2012 to the present to HHS that it was in
compliance with certain security standards required to be eligible to
receive EHR incentive payments from Medicare and Medicaid, which
resulted in HHS wrongfully paying Coffey at least $3 million in
incentive payments, the whistleblower lawsuit complaint notes.

The not-for-profit Coffey Health System is a unit of Coffey County,
Kansas. In addition to its hospital, it operates a home health agency,
five clinics and two long-term care facilities.

HITECH Requirements

To participate in the EHR incentive program and receive an incentive
payment, organizations are required to conduct an accurate and
thorough security risk analysis to meet the standards of HIPAA and
address any deficiencies identified, court documents note.

"All of [Coffey County Hospital's] yearly security risk attestations
from 2012 through the present ... were knowingly false when submitted
to the government," the 2016 lawsuit alleged.

CIO's Allegations

Court documents note that in June 2014, Awad began working as a
consultant in Coffey's IT department, and in August 2014, he was
promoted to CIO.

"By June 2014, Coffey had already made security risk attestations to
CMS on at least two separate occasions for the program years 2012 and
2013. Shortly after Awad was promoted to CIO by Coffey in August 2014,
Awad promptly sought to obtain copies of Coffey's most recent security
risk analysis.

"During this process, Awad confirmed, on several occasions, that no
security risk analysis had been performed ... for the years 2011
through 2013," court documents say.

Although the CMS attestation portal noted that Coffey had attested
that appropriate security risk analyses had been performed from about
2012 through 2013, Awad learned that there was no documentation to
support the attestations, according to the court filing.

After learning that Coffey had never conducted an appropriate risk
analysis in 2014, Awad personally conducted some basic tests of
Coffey's network security, the lawsuit notes.

During his testing, Awad discovered that Coffey County Hospital shared
the same firewall as various Coffey county municipalities, according
to the complaint.

"Because Coffey [County Hospital] shared the same firewall as various
Coffey county municipalities, anyone could access [the hospital's]
private patient records simply by logging into Coffey's website
through its IP address at the local schools or libraries, without any
usernames or passwords," the whistleblower lawsuit alleges.

Third-Party Analysis

The lawsuit says Awad arranged for a third-party company to perform an
appropriate security risk analysis at the hospital in preparation for
its upcoming meaningful use attestation to be submitted for 2014, and
the assessment was completed by about October 16, 2014.

That risk analysis identified dozens of unique vulnerabilities in the
hospital's systems, including five critical vulnerabilities, the
complaint states.

Awad reported results of the 2014 security risk analysis to hospital
officials and began attempting to address some of the highest priority
vulnerabilities, the lawsuit says. But the hospital "was not
interested in devoting resources to the 2014 security risk analysis
findings and did not provide Awad with adequate tools or support to
properly address the deficiencies," the complaint states. "As a
result, very few of the deficiencies noted in the security risk
analysis were corrected."

Soon after the hospital failed to act on the security risk analysis,
it "caused another false security risk attestation to be submitted in
2014 to the government, seeking incentive payments under the EHR
incentive programs," the lawsuit contends.

Awad refused to support the 2014 attestations by the hospital and was
terminated while attempting to correct numerous security deficiencies,
the lawsuit states.

Liability Concerns

The former Coffey CIO and compliance officer were likely concerned
about their liability and responsibilities down the road, says Susan
Lucci, a senior privacy and security consultant at tw-Security.

"What's worse here is that ... there is a huge HIPAA violation in the
open access to health records due to the shared firewall which
required no username or password to access medical records," she
notes.

Other Cases

False attestations, including those related to EHR security features
or practices under the HITECH Act, have been the subject of a handful
of other enforcement actions by federal regulators.

For instance, in 2015, a former Texas hospital CFO was sentenced to 23
months in federal prison after pleading guilty in a case involving
submitting false documents to HHS so that the now-shuttered Shelby
Regional Medical Center in East Texas could receive payments under the
HITECH Act EHR incentive program.

And in February, the DoJ slapped Greenway Health with a $57.25 million
fine under the False Claims Act, with regulators alleging the company
misrepresented the capabilities of its EHR software - including those
involving data integrity and accuracy - to meet the certification
requirements of the HITECH Act EHR incentive program.

Weak Spot

Security risk analyses continue to be a weak spot for many healthcare
entities and their business associates.

"It's possible that some other hospitals may have attested [under the
HITECH Act] that they completed a security risk analysis but in
reality, they performed a HIPAA gap assessment against the HIPAA audit
protocol," notes Keith Fricke, principal consultant at tw-Security. "A
HIPAA gap analysis and a risk analysis are not the same."

In addition to attestations in the meaningful use EHR incentive
program, HIPAA requires that covered entities and business associates
conduct thorough, enterprisewide risk analysis of PHI. The failure
of entities to conduct those risk analyses has often been at the
center of HHS Office for Civil Rights HIPAA enforcement actions.

"The truth is that while HIPAA risk analyses are both a legal
requirement and a good idea, they are also costly and time consuming,
and OCR's preferred methodology often differs from what security
professionals consider a risk assessment," Greene notes. "The result
continues to be a lot of gap assessments, risk assessments that don't
capture all of the organization's ePHI or entities continually putting
off starting one."

Fricke offers a similar assessment. "Organizations may not fully
understand what a security risk analysis really entails, and if they
attempt completing risk analyses themselves, they may not get it
right. In some cases, a risk analysis may have been completed, but no
action ever taken on the findings. In other cases, the risk analysis
was not complete."

Coffey Health System did not immediately respond to Information
Security Media Group's request for comment on the case.

