The latest HIPAA data breach penalty reported by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) includes some simple but important messages for all health care organizations and their Business Associates.
The OCR press release says Idaho State University (ISU) was fined $400,000 for unauthorized access to electronic Protected Health Information (ePHI) because its network firewalls had been disabled and unauthorized access to patient data was not detected for 10 months. The specific charges were that the university, which provides health care through 29 outpatient clinics, had not identified the risk of a network breach in a HIPAA Risk Analysis; had not addressed the risk through a Risk Management process; and had not conducted an Information System Activity Review that could have revealed the unauthorized access much sooner. These are the first requirements in the HIPAA Security Rule (along with a Sanction Policy), so this $400,000 penalty did not require a full compliance assessment—just proof that the most basic HIPAA fundamentals were not performed.
From the OCR Press Release:
“OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.
“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.”
A common complaint about HIPAA is that it tells you to do something but does not explain how to do it. This penalty contains a strong message that your organization must review the Guidance provided to help explain how to protect patient data, that you need to invest in equipment and qualified IT staff (often through an outsourced IT provider) to make sure it is set up and working properly, and that you must document your activities in accordance with specific HIPAA requirements to protect your organization in case of an audit or a data breach.
HIPAA does not even mention firewalls, but ISU paid $400,000 because theirs were not working. You need to have them and they need to be effective. A firewall is a device that sits between your network and the Internet and includes security features that detect and prevent unauthorized network access. Most firewalls have optional features that can block viruses and malware; content filtering to block offensive or unauthorized web sites; secure VPN tunnels to connect multiple offices; and multiple Internet connections to automatically keep you connected if one Internet service fails. Firewalls are not mentioned in HIPAA, but they are included in HIPAA compliance guidance from the National Institute of Standards and Technology (NIST).
Simple consumer-quality routers (like the small blue boxes found in many offices) are not effective firewalls and do not prevent unauthorized network access. You need a real firewall that includes real security features that will prevent unauthorized access. It needs to be set up by a real IT professional and have a current security subscription. And you need real ongoing professional support through Managed IT Services to continually monitor the equipment and to review your systems activity to ensure real HIPAA compliance.
Qualified IT Security Staff
When it comes to protecting patient data you can no longer rely on amateurs or on someone you call only when something fails. Security is a full-time job, but you can outsource IT Security Managed Services and pay a fraction of the cost of employing a qualified staff member.
Like health care, IT Security has specialists you can go to for diagnosis and treatment. You should insist that your IT provider has staff who are certified in security, certified to deploy firewalls, and certified in HIPAA. How do you know? Ask them for proof or find someone through the 4Med Pro Network.
Security can fail silently, without causing a network interruption or symptom that would prompt you to call someone for help. You cannot write HIPAA policies and procedures and leave them on a shelf gathering dust. Nor can you just set up network security tools and expect that they will continue to work effectively.
ISU was unaware of its security failure for 10 months—longer than it takes to have a baby! There are tools they could have used to monitor their firewalls, and also to audit who was accessing their patient data. Most medical practices do not have these tools and would not know how to deploy and interpret them. Just like referring a patient to a specialist, you need to refer yourself to an IT security professional for the proper diagnosis and treatment.
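The kind of routine information system activity review the post describes, as an added example that is not from the original post: a Python script that reads periodic firewall status checks and flags every stretch during which a firewall reported itself disabled, including one that is still disabled at the most recent check. The log lines, host names and check interval are constructed for illustration.

```python
from datetime import datetime

# Constructed sample of daily firewall status checks (not real ISU data).
# Format per line: <ISO timestamp> <firewall host> <state>
STATUS_LOG = """\
2011-08-01T06:00:00 fw-clinic-01 enabled
2011-08-02T06:00:00 fw-clinic-01 enabled
2011-08-03T06:00:00 fw-clinic-01 disabled
2011-08-04T06:00:00 fw-clinic-01 disabled
2011-08-05T06:00:00 fw-clinic-01 enabled
2011-08-01T06:00:00 fw-clinic-02 enabled
2011-08-02T06:00:00 fw-clinic-02 disabled
2011-08-03T06:00:00 fw-clinic-02 disabled
2011-08-04T06:00:00 fw-clinic-02 disabled
2011-08-05T06:00:00 fw-clinic-02 disabled
"""

def parse_log(text):
    """Parse status lines into (timestamp, host, state) tuples."""
    records = []
    for line in text.splitlines():
        ts, host, state = line.split()
        records.append((datetime.fromisoformat(ts), host, state))
    return records

def find_disabled_periods(records):
    """Return {host: [(start, end, ongoing)]} for each stretch of 'disabled' checks.
    A stretch with no later 'enabled' check is marked ongoing and ends at the last check."""
    by_host = {}
    for ts, host, state in sorted(records):
        by_host.setdefault(host, []).append((ts, state))
    periods = {}
    for host, checks in by_host.items():
        start = None
        for ts, state in checks:
            if state == "disabled" and start is None:
                start = ts                      # firewall just went down
            elif state != "disabled" and start is not None:
                periods.setdefault(host, []).append((start, ts, False))
                start = None                    # firewall is back
        if start is not None:                   # still disabled at the last check
            periods.setdefault(host, []).append((start, checks[-1][0], True))
    return periods

def review(records, max_days=1):
    """Activity-review rule: report any disabled stretch lasting at least max_days."""
    findings = []
    for host, spans in find_disabled_periods(records).items():
        for start, end, ongoing in spans:
            days = (end - start).days
            if days >= max_days:
                findings.append((host, start.date().isoformat(), days, ongoing))
    return findings
```

Run against the sample, `review(parse_log(STATUS_LOG))` reports both firewalls, and marks fw-clinic-02 as still down; a review performed on that schedule surfaces the outage in days rather than months.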
Even if you have qualified staff doing the right things, nothing can be proven without proper documentation. Records need to be kept detailing the configuration settings of your security tools, maintenance records showing patches and updates, and proof that periodic reviews have taken place to ensure that your security is active and effective.
Cost vs. Benefit
The $400,000 penalty does not include any of the costs for Idaho State University to notify the affected patients, correct its security problems, and implement the Corrective Action Plan required by OCR. Implementing effective security is much less costly than paying for a data breach, and this latest HIPAA penalty is a strong message that OCR is looking at firewalls. Don’t wait.