Risk
1/7/2013
01:07 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Healthcare Settlement Highlights Risk Analysis, Encryption Importance

HIPAA breach settlement proves size doesn’t matter when failing to safeguard sensitive patient information.

 7 Big Data Solutions Try To Reshape Healthcare
7 Big Data Solutions Try To Reshape Healthcare
(click image for larger view and for slideshow)
The Department of Health and Human Services (HHS) recently announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 after an investigation found the organization had violated the HIPAA security rule. HHS' Office for Civil Rights (OCR) began its investigation after HONI reported an unencrypted laptop containing electronic personal health information on 441 people was stolen in June 2010.

During the course of its investigation, OCR found HONI failed to conduct a risk analysis to protect personal health information throughout the organization, according to an HHS statement. In addition, the hospice didn't have "in place policies or procedures to address mobile device security, as required by the HIPAA security rule," the statement said. However, since the 2010 theft, the organization "has taken extensive additional steps to improve their HIPAA privacy and security compliance program."

OCR director Leon Rodriguez said in an interview with InformationWeek Healthcare that since the settlement was the first of its kind, he hopes it draws attention to OCR's overall monetary enforcement program, which "effectively delivers the message to the healthcare industry that we take privacy and security seriously," he said. "We're willing to work with providers and provide technical assistance to provide clear guidance and work with them on how to best provide education. But, at the same time, enforcement is now a reality throughout the industry."

[ To see how patient engagement can help transform medical care, check out 5 Healthcare Tools To Boost Patient Involvement. ]

Rodriguez added the settlement doesn't reflect a newfound focus on small breach reports on behalf of OCR. "Generally, we identify monetary enforcement cases by looking at situations we become aware of after a long-standing pattern of systematic non-compliance that correlates with the risk of the breach, not necessarily the breach itself," he said. "That's what brings out attention to a provider; it's more of what we see in terms of behavior of the provider once we look."

In regard to HONI, Rodriguez said two main issues came to light throughout the investigation. For starters, he said, the organization had failed to encrypt the device. "Lack of encryption is what's called an addressable requirement; it's a requirement but one that can be satisfied by applying a credible alternative ... [A provider] can do just as well with strong security or password protection."

The second issue, he added, was failure to conduct a risk analysis. According to Rodriquez, all organizations need to look at business processes and places where personal health information is stored, and take steps to mitigate risks of a breach. An inadequate risk analysis is a "global issue" among organizations, he said. Additionally OCR has found that, although there are alternatives to encryption, like HONI many organizations will either encrypt or "not do anything at all," he said. "In my semi-educated hypothesis about that, a lot of providers find at the end of the day that encryption is the safest and most cost-effective thing they can do to protect the information," he said.

A new educational initiative launched by HHS in December highlights other practical ways to protect patient data. The initiative, called "Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information," involves a set of tools providers and organizations can access online. Videos, fact sheets and posters that promote best practices to safeguard information are available for download.

Tech spending is looking up, but IT must focus more on customers and less on internal systems. Also in the new, all-digital Outlook 2013 issue of InformationWeek: Five painless rules for encryption. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
1/15/2013 | 6:01:16 AM
re: Healthcare Settlement Highlights Risk Analysis, Encryption Importance
I never like to see health organizations fined by the HHS, although in some cases it's warranted. Hopefully these fines will be enough to have other organizations seriously reconsider their encryption/security policies and take steps to improve the security compliance.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio