Risk
1/7/2013
01:07 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Healthcare Settlement Highlights Risk Analysis, Encryption Importance

HIPAA breach settlement proves size doesn’t matter when failing to safeguard sensitive patient information.

 7 Big Data Solutions Try To Reshape Healthcare
7 Big Data Solutions Try To Reshape Healthcare
(click image for larger view and for slideshow)
The Department of Health and Human Services (HHS) recently announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 after an investigation found the organization had violated the HIPAA security rule. HHS' Office for Civil Rights (OCR) began its investigation after HONI reported an unencrypted laptop containing electronic personal health information on 441 people was stolen in June 2010.

During the course of its investigation, OCR found HONI failed to conduct a risk analysis to protect personal health information throughout the organization, according to an HHS statement. In addition, the hospice didn't have "in place policies or procedures to address mobile device security, as required by the HIPAA security rule," the statement said. However, since the 2010 theft, the organization "has taken extensive additional steps to improve their HIPAA privacy and security compliance program."

OCR director Leon Rodriguez said in an interview with InformationWeek Healthcare that since the settlement was the first of its kind, he hopes it draws attention to OCR's overall monetary enforcement program, which "effectively delivers the message to the healthcare industry that we take privacy and security seriously," he said. "We're willing to work with providers and provide technical assistance to provide clear guidance and work with them on how to best provide education. But, at the same time, enforcement is now a reality throughout the industry."

[ To see how patient engagement can help transform medical care, check out 5 Healthcare Tools To Boost Patient Involvement. ]

Rodriguez added the settlement doesn't reflect a newfound focus on small breach reports on behalf of OCR. "Generally, we identify monetary enforcement cases by looking at situations we become aware of after a long-standing pattern of systematic non-compliance that correlates with the risk of the breach, not necessarily the breach itself," he said. "That's what brings out attention to a provider; it's more of what we see in terms of behavior of the provider once we look."

In regard to HONI, Rodriguez said two main issues came to light throughout the investigation. For starters, he said, the organization had failed to encrypt the device. "Lack of encryption is what's called an addressable requirement; it's a requirement but one that can be satisfied by applying a credible alternative ... [A provider] can do just as well with strong security or password protection."

The second issue, he added, was failure to conduct a risk analysis. According to Rodriquez, all organizations need to look at business processes and places where personal health information is stored, and take steps to mitigate risks of a breach. An inadequate risk analysis is a "global issue" among organizations, he said. Additionally OCR has found that, although there are alternatives to encryption, like HONI many organizations will either encrypt or "not do anything at all," he said. "In my semi-educated hypothesis about that, a lot of providers find at the end of the day that encryption is the safest and most cost-effective thing they can do to protect the information," he said.

A new educational initiative launched by HHS in December highlights other practical ways to protect patient data. The initiative, called "Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information," involves a set of tools providers and organizations can access online. Videos, fact sheets and posters that promote best practices to safeguard information are available for download.

Tech spending is looking up, but IT must focus more on customers and less on internal systems. Also in the new, all-digital Outlook 2013 issue of InformationWeek: Five painless rules for encryption. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
1/15/2013 | 6:01:16 AM
re: Healthcare Settlement Highlights Risk Analysis, Encryption Importance
I never like to see health organizations fined by the HHS, although in some cases it's warranted. Hopefully these fines will be enough to have other organizations seriously reconsider their encryption/security policies and take steps to improve the security compliance.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio