
Healthcare cybersecurity from access to record disposal

Spring 2015 brought a number of reports of HIPAA data breaches:


Mercy Iowa – Data-Gathering Virus

A malware infection resulted in the theft of 15,000 medical records from Mercy Iowa City and Mercy Clinics in Iowa City. In March 2016, Mercy Iowa had to announce to a number of its patients that their data had been exposed in a privacy breach.

Information collected may have included patient demographic information, such as dates of birth and addresses; clinical information, such as treatment, diagnosis and medications; or health insurance information, including the insurer’s name and policy number. In some instances, Social Security numbers may have been accessed, the release said.

Bad as the incident is, it could have been far worse. Margaret Reese, interim director of marketing and community relations and president of the Mercy Hospital Foundation, described the 15,000 breached records as “… a small percentage…” of the total number of patients the Mercy group serves. That is likely to be cold comfort to those affected by the breach.


MedStar Health – Cyber Attack Shut Down

Also in March 2016, a cyber attack forced Washington, D.C.’s MedStar Health, which operates 10 hospitals and 250 outpatient clinics and treats hundreds of thousands of patients in the area, to shut down its computers and email. By the next day, patients were being turned away or treated without access to their EHR, and by that evening medical staff could read but not update patient records.

This inability to keep records up to date or access crucial information could have resulted in the delay of life-saving surgery or in harm to patients, for example by dispensing a medication to a patient who had a documented allergic reaction. The MedStar cyberattack caused the Chairman of the Senate Health Committee, Lamar Alexander, to call for the urgent implementation of cybersecurity legislation that has already been passed by Congress:

“Congress has passed a law to help keep hospitals and patients safe from these malicious attacks – calling for Health and Human Services to give hospitals and doctors clear information on the best ways to prevent a hack in the first place and putting someone at the agency on the flagpole if a cyber attack occurs. Yesterday’s attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve.”


Concentra Health Services – Loss of Electronic Device

According to a report by Verizon, one of the most frequent causes of data breach is the loss or theft of an electronic device such as a laptop.

According to Maria Korolov’s coverage of the Verizon report in CSO Online, device loss accounts for 45% of all healthcare breaches. This is particularly interesting because across industries device loss accounts for only 15% of cases.

Mobile devices are easily lost or stolen. The OCR takes a dim view of any organization that keeps PHI on unencrypted devices of any size. Consequently, HIPAA Covered Entities and Business Associates are at greater risk of enforcement action in the event of a data breach involving an unencrypted mobile device.

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield, Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence its remediation of these findings.
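The Concentra finding turned on encryption work that was started but never verified across the fleet. A practical control is an audit that reports which mounted filesystems actually sit on an encrypted block device, so gaps are found by the organization before a device goes missing. The script below is an added illustration written for this page, not code from Eagle or from the OCR settlement; it assumes a Linux host with LUKS/dm-crypt and parses the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT`. The sample `lsblk` output embedded in it is constructed, and the `/boot` allowance is an assumption (a bootloader partition is normally left unencrypted).

```python
"""Audit which mounted filesystems sit on an encrypted (dm-crypt) block device.

Walks the device tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT`: a mount counts
as encrypted only if one of its ancestors is a device of type "crypt" (a
LUKS/dm-crypt mapping). SAMPLE_LSBLK_JSON is constructed for illustration.
"""
import json
import subprocess

# Constructed lsblk output: /boot and /data are on plain partitions, while
# / and /home are LVM volumes stacked on top of a LUKS mapping (cryptroot).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""


def mount_encryption_status(lsblk_json: str) -> dict:
    """Return {mountpoint: is_encrypted} for every mounted filesystem."""
    status = {}

    def walk(node, under_crypt):
        # Once a "crypt" node is passed, everything beneath it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            status[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return status


def unencrypted_mounts(lsblk_json: str, allowed=("/boot",)) -> list:
    """Mounts holding data on an unencrypted device, minus allowed exceptions
    (assumption: the bootloader partition normally cannot be encrypted)."""
    status = mount_encryption_status(lsblk_json)
    return sorted(mp for mp, enc in status.items() if not enc and mp not in allowed)


if __name__ == "__main__":
    try:
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK_JSON  # no lsblk here: fall back to the constructed sample
    for mp in unencrypted_mounts(out):
        print(f"UNENCRYPTED: {mp}")
```

Run it from an endpoint-management job and collect the output centrally; a device that reports any mount outside the allowance is the kind of gap Concentra's risk analyses had already identified but never closed. On Windows fleets the equivalent evidence comes from BitLocker status rather than `lsblk`.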

Community Mercy Hospital Partners – Negligent Disposal of Medical Records

Here in Eagle’s home state of Ohio, in November 2015, Community Mercy Hospital Partners in Springfield, Ohio disposed of 113,000 medical records in a public recycling bin.

This event has, to date, been the largest loss of PHI in the state since records began in 2009, although it was not the first time in 2015 that Community Mercy Hospital exposed its patients’ data. In February, invoices containing patient names, addresses, billing codes such as diagnosis and procedural codes, service dates, locations, and account balances were inadvertently sent to the wrong people. Eagle Consulting Partners President Gary Pritts was interviewed by the local media regarding this incident and responded to the sentiment in the community that the OCR has been lax in enforcement. “Major HIPAA breaches result in OCR enforcement only about 2% of the time,” said Pritts. He based his comments on an analysis of the publicly reported data breaches in comparison to the number of enforcement actions. “However,” Pritts cautioned, “OCR enforcement cases typically require two to three years of effort,” so it may well be possible that OCR is considering this case for possible action.

Increase in threat from Ransomware

Multiple incidents have been reported in 2016 relating to ransomware. New varieties of ransomware have emerged which are even more damaging and sophisticated than before. Worse, healthcare entities appear to be targeted. Eagle offers a wide variety of services to help both HIPAA covered entities and business associates protect against these threats. One “layer of protection” that we recommend is a regular scan of the network for known vulnerabilities, so that these can be corrected. By correcting these known vulnerabilities, a high percentage of ransomware attacks can be prevented in the first place.

Eagle will be pleased to run a vulnerability analysis for your organization.
