If a business has $1.5 million available, it’s a safe bet it would rather not spend that money settling violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. So, using a September settlement by an orthopedic clinic as a case study, here are six lessons for avoiding noncompliance with the HIPAA Security Rule.
Athens Orthopedic Clinic PA (Athens Orthopedic) paid its $1.5 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). The clinic, located in Georgia, provides orthopedic services to approximately 138,000 patients annually. In addition to the monetary settlement, Athens Orthopedic agreed to a robust corrective action plan that includes two years of monitoring.
It’s a big settlement to pay, and the years of legal fees were likely steep. Plus, the corrective action won’t come cheap. So, what happened?
A hacker used a vendor’s credentials to access Athens Orthopedic’s electronic medical record (EMR) system. Beginning on June 14, 2016, the hacker exfiltrated patient health data and continued to access patient protected health information (PHI) for over a month until July 16, 2016.
On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach. The PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
That’s bad enough on its own. But why was the settlement so large? Because OCR found that Athens Orthopedic could easily have done more.
Longstanding, Systemic Noncompliance with HIPAA Security Rule
- On June 26, 2016, a journalist notified Athens Orthopedic that a database of its patient records may have been posted online for sale.
- Two days later a hacker group known as “The Dark Overlord” contacted Athens Orthopedic and demanded money in return for a complete copy of the stolen database.
Just a reminder:
- The hackers still had access to the PHI until July 16, nearly three weeks after the first alert.
- The breach wasn’t reported until July 29, more than a month after that first alert.
The settlement agreement notes that “AOC terminated the compromised credentials on June 27, 2016.” Yet “the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.” That gap is the security lesson at the heart of this case: disabling a credential is not the same as ending an intrusion. In general, revoking a password does not by itself end active sessions, invalidate tokens, or remove any additional accounts an intruder has created, so credential termination has to be followed by log review that confirms the access has actually stopped.
In fact, “OCR’s investigation discovered longstanding, systemic noncompliance” by Athens Orthopedic. This included failures to:
- Conduct a risk analysis
- Implement risk management and audit controls
- Maintain HIPAA policies and procedures
- Secure business associate agreements with multiple business associates
- Provide HIPAA Privacy Rule training to workforce members
Given how heavily the sector is targeted, these were serious gaps. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” stated OCR Director Roger Severino.
Lessons Learned from this HIPAA Security Settlement
#1 Healthcare hacking is a real threat, in case you didn’t believe it before. A gang calling itself “The Dark Overlord” might sound laughable, but the breach of more than 208,000 individuals’ records is no joke.
#2 Review of vendor and third-party service provider credentials needs to be ongoing. Under its Corrective Action Obligations, Athens Orthopedic must now account for every one of its business associates and describe how each handles or interacts with PHI. The vendor’s credentials were the attacker’s way in here, so every vendor account should be tied to a named vendor, a signed business associate agreement, and an owner who periodically confirms the account is still needed.
#3 Keep an accurate, thorough technology inventory. An enterprise-wide analysis of security risks and vulnerabilities is necessary. Incorporate all electronic equipment, data systems, programs and applications that contain, store, transmit or receive ePHI.
#4 Conduct risk analysis. Risk analysis is required by the HIPAA Security Rule. Beyond assessing risk, it’s also critical to develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities.
#5 Limit access. Athens Orthopedic is also required to revisit its access control procedures and policies. In particular, the agreement calls for:
- Implementing technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI
- Restricting access to all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary
- Creating access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately
- Terminating user accounts when necessary and appropriate
- Configuring user accounts to comply with the Minimum Necessary Rule
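The log-review and vendor-account items in lessons #2 and #5 are easier to act on with something concrete to run. The script below is an added example written for this article, not code from the clinic, OCR or the settlement; the vendor names, account names, IP addresses and EMR log lines are all constructed for illustration, and the log format (one line per access: timestamp, user, source IP, action, patient ID) is an assumption. It checks three things the corrective action plan asks for: use of a credential after it was terminated (the June 27 to July 16 gap), PHI access by a vendor account with no business associate agreement on file, and a single account reading an unusual number of distinct patient records in a short window.

```python
"""Added example: review EMR access logs for three conditions the corrective
action plan calls for. Not the clinic's code; every name, IP and log line below
is constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VendorAccount:
    user: str
    vendor: str
    baa_on_file: bool                # business associate agreement signed?
    terminated_at: datetime | None   # None means the credential is still active


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    source_ip: str
    action: str
    patient_id: str


# Constructed vendor inventory (hypothetical vendors, not from the settlement).
VENDOR_ACCOUNTS = {
    "vend_billing": VendorAccount("vend_billing", "Example Billing LLC", True, None),
    # Credential revoked 09:00 on 27 June; any later use means revocation was not effective.
    "vend_support": VendorAccount("vend_support", "Example EMR Support", True,
                                  datetime(2016, 6, 27, 9, 0)),
    "vend_imaging": VendorAccount("vend_imaging", "Example Imaging Inc", False, None),
}

# Constructed EMR access log: "<ISO timestamp> <user> <source ip> <action> <patient id>".
_NORMAL = [
    "2016-06-27T08:30:12 vend_support 203.0.113.7 VIEW_RECORD P100001",
    "2016-06-27T10:02:44 vend_billing 198.51.100.5 VIEW_RECORD P100002",
    "2016-06-27T10:05:10 vend_billing 198.51.100.5 VIEW_RECORD P100003",
    "2016-06-27T11:40:00 dr_jones 10.0.4.21 VIEW_RECORD P100004",
    "2016-06-27T14:15:31 vend_imaging 192.0.2.9 VIEW_RECORD P100005",
]
# 120 distinct records pulled by the revoked account within one hour the next night.
_BULK = [
    f"2016-06-28T01:{i // 2:02d}:{(i % 2) * 30:02d} vend_support 203.0.113.7 EXPORT_RECORD P{200000 + i}"
    for i in range(120)
]
SAMPLE_LOG = "\n".join(_NORMAL + _BULK)


def parse_log(text: str) -> list[AccessEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, action, patient = line.split()
            events.append(AccessEvent(datetime.fromisoformat(ts), user, ip, action, patient))
    return events


def find_post_termination_access(events, accounts):
    """Use of a credential after it was terminated: the 27 June / 16 July failure mode."""
    return [e for e in events
            if (a := accounts.get(e.user)) and a.terminated_at and e.ts > a.terminated_at]


def find_unvetted_vendor_access(events, accounts):
    """PHI touched by a vendor account whose vendor has no business associate agreement."""
    return [e for e in events if (a := accounts.get(e.user)) and not a.baa_on_file]


def find_bulk_access(events, window=timedelta(hours=1), threshold=50):
    """Users who read >= threshold distinct patient records inside any sliding window.
    Returns {user: peak distinct count}; a crude but useful exfiltration indicator."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        in_window = Counter()          # patient_id -> hits inside the current window
        start = 0
        for e in evs:
            in_window[e.patient_id] += 1
            while evs[start].ts < e.ts - window:   # slide the window's left edge forward
                old = evs[start].patient_id
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


def review(log_text, accounts=VENDOR_ACCOUNTS):
    events = parse_log(log_text)
    return {"post_termination": find_post_termination_access(events, accounts),
            "unvetted_vendor": find_unvetted_vendor_access(events, accounts),
            "bulk": find_bulk_access(events)}


if __name__ == "__main__":
    r = review(SAMPLE_LOG)
    print(f"{len(r['post_termination'])} accesses after credential termination")
    print(f"{len(r['unvetted_vendor'])} accesses by vendors without a BAA")
    print("bulk readers:", r["bulk"])
```

On the constructed log, the revoked support account shows 120 accesses after its termination time, all inside one hour, which is exactly the pattern a routine review should surface the morning after: the password was disabled, yet the access continued. The bulk threshold and window are starting points, not standards; tune them to what a legitimate user of each role actually does, and treat the vendor-without-BAA rule as an inventory check to run against the account list as well as the log.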
#6 Train your humans. Creating and documenting workforce training is key to HIPAA Privacy Rule compliance. In the agreement, HHS calls for training new workforce members within 14 days of hiring. And, “in all cases before being provided access to PHI.”
The MSP’s HIPAA Responsibility
More and more healthcare organizations are turning to managed service providers (MSP) for technology solutions. MSPs need to understand the HIPAA Security Rule and compliance best practices.
As the MSP for a healthcare organization, you’re a business associate that HHS can hold directly accountable. As a result, you need to comply with the HIPAA Security Rule and the Privacy Rule provisions that apply to business associates. Prioritize compliance and protecting your clients’ patient data.
A risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards helps determine risks and identify methods to mitigate weaknesses. In fact, the Office of the National Coordinator for Health Information Technology (ONC) offers a Security Risk Assessment Tool.
HIPAA noncompliance is costly. In 2018, just 55 cases of noncompliance amounted to $79 million in penalties. So, recognize that healthcare is a high-risk area: encrypt ePHI at rest and in transit, document the proactive measures you take, keep records of training and business associate agreements, and keep looking for ways to improve and stay current.
Ultimately, Calyptix Security can help. Our healthcare offering blocks threats such as hackers, malware, and spam. Plus, the simple interface makes it easy to manage your network at a budget-friendly price. AccessEnforcer provides advanced security for small and medium healthcare networks.