BreachExchange mailing list archives
Not worth the cost: 3 lessons about unprotected PHI
From: inga () riskbasedsecurity com (Inga Goddijn)
Date: Wed, 9 Mar 2016 19:34:03 -0600
http://www.itproportal.com/2016/03/09/not-worth-the-cost-3-lessons-about-unprotected-phi/

When it comes to protecting patient data, technology is evolving so quickly that it's difficult for healthcare providers to keep up. While electronic recordkeeping through computers, smart devices, and web-based services can lead to higher efficiency and elevate patient care, providers must closely monitor use to ensure the data contained remains safeguarded.

There's more at stake than just patient trust for healthcare providers who do not adequately shelter their patients' Protected Health Information, or PHI. The U.S. Department of Health and Human Services' Office of Civil Rights can hand down severe civil and even criminal charges for violations of patient privacy. Even if a company doesn't give away the information intentionally, the government can hold it liable for data breaches, particularly if there's proof the company didn't guard the data properly.

Electronic data breaches are becoming the latest, greatest way thieves obtain sensitive information about patients, including Social Security and bank account numbers. But physical theft is also a rising concern. For instance, an average car break-in can turn into a massive data breach if the car contains a device with unsecure PHI on it. Take a look at the examples of PHI non-compliance below to better understand the seriousness of this infraction.

*Lesson 1: Laptops*

Recently, a private practice radiation oncology group named Cancer Care was ordered to pay $750,000 <http://www.hhs.gov/about/news/2015/09/02/750,000-dollar-hipaa-settlement-emphasizes-the-importance-of-risk-analysis-and-device-and-media-control-policies.html> after someone stole a laptop containing PHI on patients from an employee's vehicle. The thief could easily obtain the unencrypted data from the laptop. An investigation by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) found that even before the laptop theft, Cancer Care was not compliant with HIPAA privacy rules.

*Lesson 2: Web-based file sharing*

Massachusetts hospital St. Elizabeth's Medical Center was hit with another substantial HIPAA non-compliance fine <http://www.healthcareitnews.com/news/hospital-repeat-security-failures-hit-218k-hipaa-fine>, $218,400, for using a web-based file-sharing program to store sensitive patient data. The complaint, filed by employees of the hospital, pointed out that the information stored this way was not adequately protected, and that it put 500 patients' data at risk of a breach. HHS agreed with the employees' grievance and fined the hospital. The department also added a fine for data stolen from a former employee's laptop and USB <https://luxsci.com/blog/jumpthumb-drives-and-phi-dont-mix.html> that breached information for 595 hospital employees.

*Lesson 3: Physical files*

Lincare, Inc., a home healthcare provider, was recently fined $239,800 <http://healthitsecurity.com/news/home-health-provider-to-pay-240k-in-hipaa-violation-fines> after an employee's ex-husband called HHS to report that his former wife had left behind protected health information for 278 patients when she left their shared home. Not only was the data available for view by an unauthorised person, but HHS also found that employees taking home any patient files, or storing them in vehicles, violated HIPAA privacy laws.

*How to stay HIPAA-compliant*

It's important for every healthcare provider or contractor to know what data is Protected Health Information and to take inventory of all the places (physical and electronic) that data exists. Hiring an information security firm to evaluate your data management system and put safeguards, like encryption, into place is vital for protecting the trusted information patients share with you.

As the examples above show, it's important to ensure that employees understand the HIPAA law and their responsibility to uphold it. To that end, put an employee PHI policy in writing and have employees sign that they read it and understand their role in keeping patients' data safe. Healthcare providers have a great responsibility to protect the data of their patients, and that includes traditional in-office recordkeeping as well as electronic data that extends beyond office walls.