BreachExchange mailing list archives

HIPAA Breach Tally and Enforcement Grow


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Apr 2014 18:08:43 -0600

http://www.databreachtoday.com/hipaa-breach-tally-enforcement-grow-a-6780

The federal tally of major breaches continues to grow. But even relatively
small breaches can result in tough federal sanctions, as settlements
announced earlier this week show (see 2 Stolen Laptop Incidents Lead to
Penalties).

As of April 23, the federal "wall of shame" tally included 966 major
breaches affecting a total of about 31.1 million individuals since 2009. About
35 breaches have been added to the tally, which tracks breaches affecting
500 or more individuals, in the past month (see Health Breach Tally: 30
Million Victims).

But while the tally helps draw attention to bigger breaches, two recent
Department of Health and Human Services HIPAA compliance settlements offer
a reminder that even very small breaches can result in sanctions if an
investigation turns up serious issues. The settlements in cases involving
stolen unencrypted laptops highlight the importance of encrypting data on
mobile devices to prevent breaches. And keep in mind, the federal tally
shows that the loss or theft of unencrypted devices or media has been the
No. 1 cause of major breaches.

In an announcement of the settlements, Susan McAndrew, deputy director of
health information privacy at the HHS Office for Civil Rights, which
enforces HIPAA, notes: "Covered entities and business associates must
understand that mobile device security is their obligation. Our message to
these organizations is simple: Encryption is your best defense against
these incidents."

OCR entered a $250,000 resolution agreement with QCA Health Plan, based in
Little Rock, Ark., which was the result of a HIPAA compliance investigation
sparked by a breach involving a stolen unencrypted laptop that affected
only 148 individuals - too small to make the federal tally of major
breaches.

The other OCR settlement announced this week, which included a $1.72
million penalty, involved the theft of an unencrypted laptop from a
facility owned by Concentra Health Services, an urgent care provider that's
a subsidiary of Humana. That incident affected 870 individuals.

OCR says its investigation revealed that Concentra had previously
recognized in multiple risk analyses that a lack of encryption on its
laptops, desktop computers, medical equipment, tablets and other devices
containing electronic protected health information was a critical risk.

While steps were taken to begin encryption, Concentra's efforts were
incomplete and inconsistent over time, leaving patient information
vulnerable throughout the organization, OCR says.

Awareness of Risk

"Many healthcare organizations are in the same situation as Concentra, and
they're usually aware of the risk, as was Concentra," says security and
privacy expert Kate Borten, president of consulting firm The Marblehead
Group.

Like Concentra, QCA had also begun encrypting its mobile computers, but
hadn't completed that work at the time of its breach.

"That doesn't excuse the breach, but, for example, when individuals use
their own laptops or when a medical center acquires a small practice where
security technologies and practices are not embedded, there is a
significant risk, and such breaches are likely to continue for years to
come," Borten says. "My hope is that the number of such breaches drops over
time, and that breaches occur only in 'outlier' circumstances."

Security expert Brian Evans, principal consultant at Tom Walsh Consulting,
says the two settlements demonstrate that breaches don't have to be large
to spur investigations that result in HIPAA penalties. "I do believe this
action is confirmation that OCR will be scrutinizing CEs and BAs regardless
of size or circumstances," he says.

That means covered entities and business associates need to conduct a
thorough and timely risk assessment and then take action to mitigate the
risks identified to help prevent breaches.

Lessons to Be Learned

"The primary lesson to be learned [from these recent cases] is that the
cost to prevent mobile device data breaches is far less than the cost of
mitigation," Evans says.

"The goal of encryption is to provide confidentiality protection for
information. Most mobile devices have encryption already built into their
operating systems," he notes.

BitLocker Drive Encryption is available in the Windows 7 operating system,
which became available in 2009, he points out, and encryption is built into
BlackBerry and Android and is enabled by default on iPhones, iPads and
Windows Phone 8 and RT devices.

"I would suggest organizations assess their current state of encryption on
all mobile devices," Evans says. "This would include organizationally
provisioned as well as personally owned devices that handle confidential
information.

"If encryption is not enabled on these devices, then determine how best to
implement encryption or disallow their access to confidential information.
The goal should be to have encryption enabled on all mobile devices
accessing confidential information."
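The "assess the current state of encryption" step above can be turned into an inventory that also catches the Concentra situation (encryption started but never finished). The following is an added example written for this post, not code from the article or from any of the organizations it names; it assumes a Windows endpoint with BitLocker and queries the Win32_EncryptableVolume WMI class, which is present on Windows 7 and later, so it does not depend on the newer BitLocker PowerShell module.

```powershell
# Report BitLocker state for every encryptable volume on a machine.
# Run locally, or pass -ComputerName to query a remote host over WMI
# (requires admin rights on the target). Example, not part of the article.
function Get-VolumeEncryptionFinding {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $volumes = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
                             -Class Win32_EncryptableVolume -ErrorAction Stop

    foreach ($v in $volumes) {
        # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $prot = $v.GetProtectionStatus().ProtectionStatus
        # GetConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
        # 2 = encrypting, 3 = decrypting, 4 = encryption paused, 5 = decryption paused
        $conv = $v.GetConversionStatus()

        if ($prot -eq 1 -and $conv.ConversionStatus -eq 1) {
            $finding = 'Compliant'
        } elseif (@(2, 3, 4, 5) -contains $conv.ConversionStatus) {
            # Started but not finished: the "incomplete and inconsistent" case
            $finding = 'Incomplete'
        } else {
            $finding = 'Unencrypted'
        }

        New-Object PSObject -Property @{
            ComputerName     = $ComputerName
            Drive            = $v.DriveLetter
            ProtectionOn     = ($prot -eq 1)
            ConversionStatus = $conv.ConversionStatus
            PercentEncrypted = $conv.EncryptionPercentage
            Finding          = $finding
        }
    }
}

# Anything not 'Compliant' is a volume that would still be exposed if the device were lost.
Get-VolumeEncryptionFinding | Where-Object { $_.Finding -ne 'Compliant' } | Format-Table -AutoSize
```

Feeding a list of hostnames to the -ComputerName parameter gives the organization-wide view the quoted advice asks for; a drive that reports ProtectionOn true but a ConversionStatus other than 1 is the one most often missed.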

Other Costs

Jennifer Smith, QCA's legal counsel, points out that the cost of a
settlement with OCR goes far beyond any financial penalty.

She estimates the cost of carrying out OCR's corrective action plan
requirements as part of the settlement "will probably be in the
seven-figures." Under the plan, QCA must present to OCR "risk analysis and
a corresponding risk management plan that contains security measures to
reduce the risks and vulnerabilities to the electronic protected health
information maintained by QCA to a reasonable and appropriate level,"
according to the resolution agreement.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss