Risk
1/7/2013
01:07 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Healthcare Settlement Highlights Risk Analysis, Encryption Importance

HIPAA breach settlement proves size doesn’t matter when failing to safeguard sensitive patient information.

 7 Big Data Solutions Try To Reshape Healthcare
7 Big Data Solutions Try To Reshape Healthcare
(click image for larger view and for slideshow)
The Department of Health and Human Services (HHS) recently announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 after an investigation found the organization had violated the HIPAA security rule. HHS' Office for Civil Rights (OCR) began its investigation after HONI reported an unencrypted laptop containing electronic personal health information on 441 people was stolen in June 2010.

During the course of its investigation, OCR found HONI failed to conduct a risk analysis to protect personal health information throughout the organization, according to an HHS statement. In addition, the hospice didn't have "in place policies or procedures to address mobile device security, as required by the HIPAA security rule," the statement said. However, since the 2010 theft, the organization "has taken extensive additional steps to improve their HIPAA privacy and security compliance program."

OCR director Leon Rodriguez said in an interview with InformationWeek Healthcare that since the settlement was the first of its kind, he hopes it draws attention to OCR's overall monetary enforcement program, which "effectively delivers the message to the healthcare industry that we take privacy and security seriously," he said. "We're willing to work with providers and provide technical assistance to provide clear guidance and work with them on how to best provide education. But, at the same time, enforcement is now a reality throughout the industry."

[ To see how patient engagement can help transform medical care, check out 5 Healthcare Tools To Boost Patient Involvement. ]

Rodriguez added the settlement doesn't reflect a newfound focus on small breach reports on behalf of OCR. "Generally, we identify monetary enforcement cases by looking at situations we become aware of after a long-standing pattern of systematic non-compliance that correlates with the risk of the breach, not necessarily the breach itself," he said. "That's what brings out attention to a provider; it's more of what we see in terms of behavior of the provider once we look."

In regard to HONI, Rodriguez said two main issues came to light throughout the investigation. For starters, he said, the organization had failed to encrypt the device. "Lack of encryption is what's called an addressable requirement; it's a requirement but one that can be satisfied by applying a credible alternative ... [A provider] can do just as well with strong security or password protection."

The second issue, he added, was failure to conduct a risk analysis. According to Rodriquez, all organizations need to look at business processes and places where personal health information is stored, and take steps to mitigate risks of a breach. An inadequate risk analysis is a "global issue" among organizations, he said. Additionally OCR has found that, although there are alternatives to encryption, like HONI many organizations will either encrypt or "not do anything at all," he said. "In my semi-educated hypothesis about that, a lot of providers find at the end of the day that encryption is the safest and most cost-effective thing they can do to protect the information," he said.

A new educational initiative launched by HHS in December highlights other practical ways to protect patient data. The initiative, called "Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information," involves a set of tools providers and organizations can access online. Videos, fact sheets and posters that promote best practices to safeguard information are available for download.

Tech spending is looking up, but IT must focus more on customers and less on internal systems. Also in the new, all-digital Outlook 2013 issue of InformationWeek: Five painless rules for encryption. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
1/15/2013 | 6:01:16 AM
re: Healthcare Settlement Highlights Risk Analysis, Encryption Importance
I never like to see health organizations fined by the HHS, although in some cases it's warranted. Hopefully these fines will be enough to have other organizations seriously reconsider their encryption/security policies and take steps to improve the security compliance.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.