The internet security website Esecurityplanet.com reports that 91% of healthcare organizations have sustained a data breach in the past two years and 40% have had five or more in that time, citing the industry standard Ponemon Report.
While healthcare organizations are slow to figure out that they are a primary target, criminal organizations are obviously figuring it out as reports of hospitals and healthcare organizations with breaches and “ransomware attacks” are headlining across the country every week. (And, YES … Office of Civil Rights (OCR) has confirmed that most ransomware attacks constitute reportable HIPAA breaches.) Fines from OCR for HIPAA violations have already topped $15 million during the first half of 2016.
NOTE: OCR settlements report only their view of the events in question and do not constitute evidence of any wrong-doing on the part of the settling party.
EXAMPLE –What does it cost to lose a laptop?
It’s not just a laptop – when you have an OCR investigation, they are looking at your full system and policies.
In the first case, OCR reports:
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
As a consultant on many risk and compliance issues with the feds, the actual cost of the fine is a mere fraction of the costs of coming into compliance, negotiating a settlement, and maintaining compliance and settlement compliance for three to five years.
The second example reported by OCR states:
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
What about not having everyone covered by Business Associates Agreements?
North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.
Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.
OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.
OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.
Do you have regular risk and security assessments?
The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
And it costs…$1.5 Million And Change
In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.
And about that Risk Assessment
In another case, OCR reports a covered entity conducted a number of risk analyses since 2003, but failed to include all of the ePHI in their systems and failed to implement actions to address issues that were discovered, such as encryption. OCR levied a $2.75 Million fine for the infractions.
The HOTTEST breach threat for 2016
While healthcare entities have certainly not gotten control over the existing risks, the top threat for 2016 is ransomware that locks healthcare providers out of their own data and endangers patient care, billing, and even medical devices. Ransomware attacks have jumped from a whopping 1,000 cases per day in the US during 2015 to an astounding 4,000 cases per day in 2016 according to FBI reports. More than half of these cases are against healthcare providers, industry sources acknowledge.
Free Ransomware Webinar
In order to address Ransomware in more detail, I will be announcing a free webinar for followers of my website in a few days. We will be testing a new webinar platform for this program, but initial testing suggests it will be an improvement. Watch this site and the weekly newsletter for more information