Continuing a big month of HIPAA enforcement activities, the HHS Office of Civil Rights announced today yet another settlement – the University of Washington Medicine (UWM) agreed to a $750,000 settlement regarding potential HIPAA violations. UWM includes various entities under the control of the University of Washington, which include the University of Washington Medical Center, its primary teaching hospital. In addition to the monetary payment, UWM agreed to a corrective action plan and annual reports on the organization’s compliance efforts.
This settlement stems from OCR’s investigation of a breach report filed on November 27, 2013, which indicated that the electronic protected health information (ePHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malware. The malware compromised the organization’s network. The breached information included patient demographic information, including the social security numbers and insurance IDs of approximately 15,000 of the patients involved.
OCR’s investigation showed that while UWM’s security policies required the various units of the university to have up-to-date, documented system-level risk assessments, the various affiliates were not properly conducting risk assessments and were not appropriately responding to potential risks and vulnerabilities.
Additional information regarding the settlement is available at the OCR Website.
OCR’s press release continued its emphasis on conducting a thorough and accurate risk analysis. It further highlighted that the risk analysis needs to be done at the system level, that is, for each of the application programs an organization operates. In a hospital environment such as the University of Washington Medical Center, this would include the electronic record, revenue cycle, lab, pharmacy, patient portal and other systems that process ePHI.
The specific problem that led to this breach was a failure to adequately protect against malicious software. Effective protection against this problem requires layers of protection. For an organization of this size, effective protection would commonly include:
- An up-to-date, properly configured firewall
- Web filtering capability to protect users from web-delivered malware
- Email spam and malware filtering
- Server- and workstation-level anti-malware protection
- A robust patching program that updates both the operating system and third-party software such as Adobe, Java and web browsers
- Employee security awareness training
While a lot of attention is focused on the Meaningful Use requirement to conduct a risk assessment that ensures the security of data in the electronic record system, it is important to note that the HIPAA Security Rule was promulgated in 2005 and since that time has required periodic risk assessments on all systems. It appears that this breach did not directly involve the electronic record system.
An effective risk analysis will first inventory all of the ePHI in the organization and identify its location. This could include the various application systems; file servers, which typically contain spreadsheets and/or letters with patient information; the hard drives of workstations; magnetic media such as backup tapes; portable hard drives and USB flash drives; cloud storage systems; and the computers of business associates. Only after one knows where the ePHI is can one effectively protect it.
Once an organization knows where its PHI is, it can identify the controls that can effectively protect it.
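As an added example (not code from the post or from Eagle Consulting), the following Python scanner performs the inventory step described above for one common location, a departmental file share: it walks the share and reports which text files contain strings shaped like social security numbers or insurance member IDs. The insurance ID format (three letters followed by nine digits), the file extensions scanned and the sample files are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Identifier patterns. The SSN pattern requires dashes and rejects area/group/serial
# values that are never issued, which keeps phone numbers and dates from matching.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Assumed insurance member ID format: three letters then nine digits.
    "insurance_id": re.compile(r"\b[A-Z]{3}\d{9}\b"),
}
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md"}  # assumed set of plain-text document types


def scan_file(path):
    """Return {pattern_name: match_count} for the identifiers found in one text file."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return {}
    hits = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: count for name, count in hits.items() if count}


def inventory_ephi(root):
    """Walk a share and list (relative path, hits) for files that appear to hold ePHI."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            hits = scan_file(path)
            if hits:
                findings.append((path.relative_to(root).as_posix(), hits))
    return sorted(findings)


def build_sample_share():
    """Constructed sample data standing in for a departmental file server (not real PHI)."""
    root = Path(tempfile.mkdtemp())
    (root / "billing").mkdir()
    (root / "billing" / "claims.csv").write_text(
        "name,ssn,member_id\nJ. Doe,123-45-6789,ABC123456789\nR. Roe,456-78-9012,XYZ987654321\n")
    (root / "letters").mkdir()
    (root / "letters" / "appeal.txt").write_text("Re: member ABC123456789, denied claim.\n")
    (root / "readme.txt").write_text("Shared drive policy. Help desk: 206-555-0100.\n")
    return root


if __name__ == "__main__":
    for rel_path, hits in inventory_ephi(build_sample_share()):
        print(rel_path, hits)
```

The phone number in readme.txt is deliberately not reported, while the two spreadsheet rows and the appeal letter are, showing why the dash-delimited SSN pattern is preferable to a bare nine-digit match.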
For more information on how to conduct a risk analysis (risk assessment), these other Eagle consulting posts may be of interest: