Recently, Feinstein Institute, a research institution, agreed to pay $3.9 million in a HIPAA settlement following a 2012 OCR investigation into a health data breach. It is a costly expense that could have been avoided had the institution set up a holistic information security posture that covered all of its bases.
This breach story holds valuable lessons for healthcare executives and the industry as a whole, especially at a time when OCR HIPAA audits are set to increase. Just this past week, OCR announced that it will conduct 200 HIPAA audits, of which 50 will be on-site and 150 desk audits. Of the 50 on-site audits, 10 will be at business associates. This is a reminder to executives that it is not only healthcare facilities that must comply with the HIPAA Rules, but any institution that holds health data.
- As OCR Director Jocelyn Samuels states, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
This statement applies to the healthcare industry at large, and the finding of a recent Trend Micro study that more than one-quarter (26.9%) of the data breaches reported over a 10-year span (2005-2015) were in healthcare is not a good sign for health data security within the industry.
Also, when you consider that the same study found 41% of breaches were caused by lost devices, and then note that Feinstein Institute’s breach was caused by the theft of a computer programmer’s laptop, you have to wonder what steps healthcare organizations are actually taking to protect the data they manage and store.
OCR’s investigation found that Feinstein Institute lacked a couple of fundamental data security components; had they been in place, the breach that potentially affected 13,000 individuals (and the $3.9 million the institution will have to pay) could have been avoided.
- Feinstein Institute’s security management system was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.”
- Furthermore, the institution lacked appropriate policies and procedures for authorizing access to ePHI, for safeguards restricting access to sensitive data by unauthorized users, and for the physical movement of laptops containing ePHI into and out of the facility.
A policies and procedures plan needs to be all-inclusive. You can’t set up policies and procedures that cover only some of your needs; you need to develop a plan that encompasses your facility’s entire business and communications structure. Every method you use to transfer, store and access data needs to be accounted for and included in your data security policies and procedures.
Addressing physical security is just as important as policies and procedures, because someone can physically gain access to data. Too often physical security is set aside during the risk management process, perhaps because it is not immediately linked to data risks: the physical structure isn’t online, where the data is stored and where hackers can reach it. Nevertheless, CEOs need to remember that leaving physical security out of the overall risk management plan will, without doubt, leave their organizations vulnerable.
When you look at what Feinstein Institute is doing to increase security, you notice they are expanding their efforts to include more security posture components.
- In addition to improving physical security and policies and procedures, they are also adding training and oversight, deploying additional technical safeguards, and analyzing their security posture.
They’re adding components because an organization can’t beat risks without a holistic information security posture. Online, you need to be proactive with technology and continuous monitoring, set up your incident response plan, and be able to identify false positives; having eyes on your network means exactly that. For offline security measures you need a physical security inspection and setup, and an all-inclusive, customized policies and procedures plan in place. You also need a business continuity plan to get you back up and running if an interruption were to make data inaccessible. Basically, the same way CEOs plan for growth, they need to plan for risks without leaving any stone unturned.
Make sure your facility isn’t vulnerable and that you are implementing a holistic information security posture. Get in touch! The sooner you get started, the sooner you will know where you stand with your security and can decrease your data vulnerability risks.
Photo courtesy of Nata-Lia