BreachExchange mailing list archives
How Long Can Healthcare Data Breaches Affect Facilities?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Nov 2014 19:03:56 -0700
http://healthitsecurity.com/2014/11/26/long-can-healthcare-data-breaches-affect-facilities/

Healthcare data breaches are unfortunately becoming a common scenario for hospitals, health systems and individual care providers. The ramifications of a security breach can be far-reaching, and organizations might have to work to prove themselves once again capable of keeping patients’ protected health information (PHI) secure. But just how long can healthcare data breaches affect organizations?

After a healthcare data breach has been discovered, covered entities must provide individual notifications to those potentially affected no later than 60 days, according to the Department of Health and Human Services (HHS). The notification can be done via first class mail or by email if the patient has agreed to electronic correspondence. HHS explained that the notification must include “a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

But what happens after those 60 days? How easily can covered entities recover from a healthcare data breach? Unfortunately, the incident does not end once potentially affected patients are notified. Depending on the type of breach, the number of affected individuals, and even the type of technology at a facility, it can take an organization years to regain footing after a security issue.

Let’s first take a look at a few of the more common types of data breaches that healthcare organizations could face. From there we’ll dissect the potential legal ramifications, as well as regulatory requirements, to understand exactly what a facility’s road to recovery could look like.
Common types of breaches

The theft or loss of portable devices – laptops, tablets, mobile phones – is a leading cause of PHI being put at risk. This is why data encryption is so critical, as it can help keep unauthorized persons out of the devices. However, as proven with the recent robbery of a Massachusetts physician, data encryption on its own will not be enough. In that scenario, the armed robbers forced the doctor to reveal the pass codes and encryption keys to the laptop and cell phone.

Human error often leads to healthcare security issues. Whether it is incorrect items being sent through the mail, or simply unsecure transportation methods being used, employees must be properly trained on how best to care for PHI. All staff should be well-versed in an organization’s technical systems, while also being informed on all regulatory and HIPAA compliance standards. If an employee doesn’t know that taking a company laptop home is against the facility’s policy, they might transport the device and leave it in an unsecure location.

However, it is important to remember that data breaches could be caused by a failure of administrative, technical, or physical safeguards – or even a combination of the three. Ignoring one type of breach will not keep a covered entity immune from its potential dangers.

Legal ramifications
From a legal standpoint, the ripple effects of a healthcare data breach can go quite far. Even if an organization follows the HIPAA notification process correctly, it could still face tens of thousands of dollars in fines. Moreover, patients could choose to sue the covered entity for a failure to protect their PHI. A Connecticut court even ruled that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In Indiana, Walgreens was still found to be liable for HIPAA violations committed by an employee. This calls back to the importance of proper employee training. Even if an individual worker commits a crime, the organization itself might not be immune.

The legal process is not quick, and a covered entity could be working through HIPAA issues years after the actual data breach takes place. Such is the case with the University of Massachusetts Memorial Medical Center, which is facing a civil lawsuit two years after patients’ PHI was potentially exposed.

Regulatory requirements

HIPAA was created nearly 20 years ago, but federal regulations can evolve along with technology. Moreover, specifications of HIPAA or even the HITECH Act can still come into question years later. For example, the OCR released a special HIPAA bulletin on how healthcare facilities should protect patient data during an emergency situation. “The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” the bulletin explained.

Regulatory fines and legal fees can be devastating to a healthcare organization. However, regaining patients’ trust could be even more difficult.
Technology is only going to continue to evolve, and some healthcare executives believe that it is just a matter of time before a facility encounters a data breach. Covered entities must keep their policies and procedures current with the latest federal requirements. From there, comprehensive employee training is essential. When those initiatives are paired with strong technical and physical safeguards, a healthcare facility will be well-equipped to mitigate, and recover from, a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss