01:07 PM
Connect Directly

Healthcare Settlement Highlights Risk Analysis, Encryption Importance

HIPAA breach settlement proves size doesn’t matter when failing to safeguard sensitive patient information.

 7 Big Data Solutions Try To Reshape Healthcare
7 Big Data Solutions Try To Reshape Healthcare
(click image for larger view and for slideshow)
The Department of Health and Human Services (HHS) recently announced the first HIPAA breach settlement involving fewer than 500 patients. The Hospice of North Idaho (HONI) agreed to pay $50,000 after an investigation found the organization had violated the HIPAA security rule. HHS' Office for Civil Rights (OCR) began its investigation after HONI reported an unencrypted laptop containing electronic personal health information on 441 people was stolen in June 2010.

During the course of its investigation, OCR found HONI failed to conduct a risk analysis to protect personal health information throughout the organization, according to an HHS statement. In addition, the hospice didn't have "in place policies or procedures to address mobile device security, as required by the HIPAA security rule," the statement said. However, since the 2010 theft, the organization "has taken extensive additional steps to improve their HIPAA privacy and security compliance program."

OCR director Leon Rodriguez said in an interview with InformationWeek Healthcare that since the settlement was the first of its kind, he hopes it draws attention to OCR's overall monetary enforcement program, which "effectively delivers the message to the healthcare industry that we take privacy and security seriously," he said. "We're willing to work with providers and provide technical assistance to provide clear guidance and work with them on how to best provide education. But, at the same time, enforcement is now a reality throughout the industry."

[ To see how patient engagement can help transform medical care, check out 5 Healthcare Tools To Boost Patient Involvement. ]

Rodriguez added the settlement doesn't reflect a newfound focus on small breach reports on behalf of OCR. "Generally, we identify monetary enforcement cases by looking at situations we become aware of after a long-standing pattern of systematic non-compliance that correlates with the risk of the breach, not necessarily the breach itself," he said. "That's what brings out attention to a provider; it's more of what we see in terms of behavior of the provider once we look."

In regard to HONI, Rodriguez said two main issues came to light throughout the investigation. For starters, he said, the organization had failed to encrypt the device. "Lack of encryption is what's called an addressable requirement; it's a requirement but one that can be satisfied by applying a credible alternative ... [A provider] can do just as well with strong security or password protection."

The second issue, he added, was failure to conduct a risk analysis. According to Rodriquez, all organizations need to look at business processes and places where personal health information is stored, and take steps to mitigate risks of a breach. An inadequate risk analysis is a "global issue" among organizations, he said. Additionally OCR has found that, although there are alternatives to encryption, like HONI many organizations will either encrypt or "not do anything at all," he said. "In my semi-educated hypothesis about that, a lot of providers find at the end of the day that encryption is the safest and most cost-effective thing they can do to protect the information," he said.

A new educational initiative launched by HHS in December highlights other practical ways to protect patient data. The initiative, called "Mobile Devices: Know the Risks. Take the Steps. Protect and Secure Health Information," involves a set of tools providers and organizations can access online. Videos, fact sheets and posters that promote best practices to safeguard information are available for download.

Tech spending is looking up, but IT must focus more on customers and less on internal systems. Also in the new, all-digital Outlook 2013 issue of InformationWeek: Five painless rules for encryption. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
1/15/2013 | 6:01:16 AM
re: Healthcare Settlement Highlights Risk Analysis, Encryption Importance
I never like to see health organizations fined by the HHS, although in some cases it's warranted. Hopefully these fines will be enough to have other organizations seriously reconsider their encryption/security policies and take steps to improve the security compliance.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a firestarter.py supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.