Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

3/21/2012
08:40 PM
50%
50%

$1.5M Fine Marks A New Era In HITECH Enforcement

Data breach at BlueCross BlueShield of Tennessee, and subsequent penalty, stands as example of financial fallout from poor healthcare IT security practices

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.

"It's certainly a warning shot for the healthcare industry," says John Nicholson, a Washington, D.C.-based counsel for the global sourcing practice at law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a sufficient amount to act as a deterrent? It's hard to tell at this point. It's at the upper end of what organizations can be penalized [for], and when you break it down, it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that's just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, 'Eh, it's another one.'"

But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn't been enough financial incentive to push it up the stack on the IT to-do list, he says. The HHS making the risk of pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

"What I'm seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in-house or that new clinical system, because that’s going to pay off in revenue," he says. "But when it comes to making sure HIPAA requirements are up to date, that's usually the last line item on the budget because it's really a sunk cost. Now they're going to have to look at the risk involved and wonder, 'Do I risk having a million-dollar lawsuit if I don't put the right security protocols in place?'"

The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.

"This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," said Leon Rodriguez, director of HHS OCR. "The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients' right to private and secure health information."

According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. "One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don't know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, 'We've got these hard drives containing this unencrypted PHI and it's in a locked closet, but that's not sufficient in this leased space,'" he says. "That's probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI."

For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.

"Really, it's all about making sure that if you have data servers in your office or workplace, they need to be locked down--they need two locks on them -- and they need to be encrypted," he says. "Those are two of the main things that are not commonplace, but they should be."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Franscella
50%
50%
Joe Franscella,
User Rank: Apprentice
3/22/2012 | 3:45:52 PM
re: $1.5M Fine Marks A New Era In HITECH Enforcement
Hey Ericka, Great Story. It would be interesting to know how that fine money is dispersed. Does it go to the victims, the agency, R&D for better security?
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
CVE-2021-29452
PUBLISHED: 2021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
CVE-2021-29444
PUBLISHED: 2021-04-16
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...