Is your Covered Entity or Business Associate Capable of Responding to a CyberSecurity Incident?
Computer security incident response is an important element of an information technology program. It can assist Covered Entities and Business Associates in promptly detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services back to normal.
HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304). HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).
According to a survey recently conducted, 43% of the survey respondents lack formal incident response plans and procedures, and 55% percent of them lack formal incident response teams. Also, 61% of these respondents have experienced a data breach over the past two years, which included unauthorized access, denial of service, or malware infection. Cybersecurity-related attacks have continued to rise and become more destructive and disruptive. According to a different study, in 2014 the average cost to a company suffering a data breach affecting personally identifiable information (PII) was $3.5 million, with an average cost of $145 per individual.
With the constant upsurge of security breaches that involve cyberattacks and as required by the HIPAA Security Rule, Covered Entities and Business Associates should have security incident response capabilities established. Although effective incident response planning can be a complex task, it should be one of Covered Entities’ and Business Associates’ priorities.
When establishing incident response capabilities, Covered Entities and Business Associates should consider:
➢ Developing and Documenting incident response policies , plans, and procedures
➢ Building relationships and setting up plans for communicating with internal and external parties regarding incidents
➢ Staffing and training
See the full article at:
www.hhs.gov/sites/default/files/HIPAA-cyber-awareness-monthly-issue-6.pdf
Computer Networks of Roanoke, Inc.
Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232
It doesn’t cost anything to talk.
PHI is everywhere. Find it. Protect it.
$2.75 million settlement with the University of Mississippi Medical Center (UMMC)
The University of Mississippi Medical Center (UMMC) has agreed to settle multiple alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a penalty of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” said OCR Director Jocelyn Samuels. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC's investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops. OCR’s investigation revealed that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008.
July 18, 2016 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
Oregon Health & Science University (OHSU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following an investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000.
OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. These incidents each garnered significant local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.
OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. The server stored a variety of ePHI including credit card and payment information, diagnoses, procedures, photos, driver’s license numbers and Social Security numbers.
OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level. OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.
OHSU is a large public academic health center and research university centered in Portland, Oregon, comprised of two hospitals, and multiple general and specialty clinics throughout Portland and throughout the State of Oregon.
OCR’s Phase Two HIPAA Audits Have Begun
Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear. Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.
The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below). OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance. Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program. Nevertheless, these emails may be incorrectly classified as spam in the recipient’s email service. Covered entities should monitor their spam filtering and junk mail folders for emails from: OSOCRAudit@hhs.gov. One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions. Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.
In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
