Lack of Risk Analysis and Malware Breach Result in HIPAA Fines

December 1, 2016

In 2013, a covered entity reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that one of its workstations was infected with a malware program. This resulted in the impermissible disclosure of 1,670 individuals’ electronic protected health information (ePHI). The ePHI included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

The covered entity, a hospital in the Northeast, determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because the organization did not have a firewall in place.

This is a common, basic lapse in compliance among covered entities. So, let’s examine the HIPAA settlement related to this organization to better understand how you can improve your HIPAA compliance program.

Common to all HIPAA Fines

HIPAA fines always include a corrective action plan (CAP), which requires a comprehensive HIPAA compliance program, with attestation from an organization’s officer mandated over the duration of the CAP period. The CAP period is typically two to three years.

In the case of this hospital, the financial settlement was $650,000, the CAP was two years and attestation was required during that period by a hospital officer.

Recommendation to Senior Executives & the Board

Entities have faced HIPAA fines totaling more than $50 million since 2008. So far in 2016, we have witnessed 13 HIPAA fines totaling more than $20 million, with an average fine of more than $1.8 million. Based on the frequency and amount of these fines this year, one thing is clear, very clear: lack of a credible HIPAA compliance program will increase an organization’s business risk. The $650,000 financial settlement imposed on that Northeast hospital was based on a relatively small breach of 1,670 records.

The recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of the framework. There are essentially three options for security frameworks: HITRUST, ISO 27001 and NIST.

Be deliberate, disciplined and steady to address HIPAA compliance in the context of a credible security framework. Senior executives must treat HIPAA compliance as a life-cycle, as a process. It will lower business risk!

HIPAA Compliance Program Failures at the Organization

The core HIPAA violations at this highlighted organization included:

  • Failure to designate all its healthcare components when hybridizing. The hospital incorrectly determined that while an entity was a covered healthcare component, other components, including the department where the breach of ePHI occurred, were not covered components.
  • Failure to designate an entity as a healthcare component. The organization did not implement policies and procedures to ensure compliance with HIPAA Privacy and Security Rules.
  • Failure to secure ePHI of the 1,670 individuals whose information was maintained on a workstation that was infected by malware.
  • Failure to implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, by ensuring that firewalls were in place.
  • Failure to conduct an accurate and thorough risk analysis until September 2015.

Your HIPAA Bar

Has your organization established a credible HIPAA compliance risk assessment and risk management program? You must continually address:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HITECH Breach Notification Rules
OCR’s Statement for HIPAA Compliance

“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats, such as malware,” OCR director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

Required Recommendations

  • Conduct a comprehensive and thorough enterprise-wide risk analysis exercise annually (be disciplined on the timeline and process)
  • Manage a technical vulnerability assessment and penetration testing program that formally assesses these areas for security deficiencies: external, internal, wireless, firewall/DMZ, and mission critical application(s) (e.g. EHR system)
  • Conduct technical vulnerability assessments quarterly
  • Conduct penetration testing exercise at least annually
  • Establish a credible enterprise risk management program (ensure every compliance and security gap identified has a formal, documented response and appropriate capabilities implemented, including revising and updating policies and developing credible procedures)
  • Review your firewall system architecture and actively monitor the implementation of your firewall and systems on the DMZ
  • Implement credible malware protection capability across all systems that process ePHI
  • Develop, update and implement appropriate capabilities to prevent, detect, contain and correct security violations
  • Build a multi-pronged approach for enterprise security awareness training for all members of the workforce (continually raise the knowledge bar for HIPAA compliance and your enterprise security policies with a robust training program)
  • Base your enterprise HIPAA compliance program on an industry-recognized security framework (e.g. HITRUST, ISO 27001, NIST)
Ali Pabrai
Chief Executive, ecfirst

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, a cybersecurity and compliance expert, is the chief executive of ecfirst. A highly sought-after professional, he has successfully delivered solutions to U.S. government agencies, IT firms, healthcare systems, legal and other organizations worldwide. He served as an Interim CISO for a health system with 40+ locations in the U.S. He has led numerous engagements worldwide for ISO 27001, PCI DSS, NIST and HIPAA/HITECH security assessments. ecfirst is an approved HITRUST CSF assessor, PCI Qualified Security Assessor, and a Konica Minolta partner in the area of cyber security & compliance. Mr. Pabrai has presented passionate briefs to tens of thousands globally, including in the U.S., United Kingdom, France, Taiwan, Singapore, Canada, India, UAE, Africa, Saudi Arabia, Philippines, Japan and other countries. Mr. Pabrai has been featured at conferences including HCCA, ISACA CSX, HIMSS, InfraGard (FBI), ISSA, HIPAA Summit, Google Privacy & Security Summit, Microsoft Tech Summit, Internet World, DCI Expo and dozens of others. He is a proud member of InfraGard (FBI). You can email him your questions or comments or reach him directly at +1.949.528.5224.