BreachExchange mailing list archives

The surprising consequences of health plan data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Aug 2014 19:31:50 -0600

http://ebn.benefitnews.com/blog/ebviews/the-surprising-consequences-of-health-plan-data-breaches-2743033-1.html?portal=ebn_co_benefits_communic

With all the commotion surrounding health reform, it’s easy for senior
leaders at Group Health Plans to lose focus on data security. They may get
lulled into complacency by two fallacies about data breaches: that only big
retailers are experiencing costly security breaches – and teenage hackers
or international cyber-teams are always to blame.

The Department of Health and Human Services has a web page dubbed the “Wall
of Shame” that includes the names of hundreds of large and small healthcare
organizations – including GHPs – that have been victimized by data breaches
affecting millions of Americans. Only about 6 percent of those breaches are
due to hacking or IT incidents; the other 94 percent are the result of dumb
mistakes and mischief by employees, yours and your many business
associates. As a covered entity under the HIPAA rules, a group plan is
responsible for any data breaches caused by BAs, like those who handle
eligibility, enrollment, claims management and IT services for the plan.

The penalties for HIPAA violations and data breaches have gotten much
stiffer in recent years. In addition to legal and regulatory penalties, a
GHP can rack up millions in costs when you include class action lawsuits
and the cost of forensics, mitigation/remediation, and media notification.
A single HIPAA violation involving willful neglect used to carry a maximum
penalty of $25,000; now it’s a jaw-dropping $1.5 million. And a typical
data breach involves multiple HIPAA violations.

The most common miscues leading to a security breach are pretty obvious:
losing a laptop containing unencrypted Protected Health Information (PHI),
using an insecure wi-fi connection, and so on. All breaches must be
reported to HHS and to the affected individuals, and any breach involving
more than 500 patient records is made public on the Wall of Shame and (if
in one jurisdiction) must be reported to the media. Here are some recent
ones involving group health plans:

- Group Health Plan of Hurley (Minnesota) Medical Center – Unauthorized
disclosure of 2,289 patient records via e-mail.
- Trinity Health Corporation Welfare Benefit Plan – Breach involving 1,073
records by business associate Mercer Health & Benefits, which lost a server
backup tape sent via FedEx.

Federal regulators are also on the lookout for what they call “small-scale
snooping.” That’s where an employee gains unauthorized access to the
medical records of a friend, relative or even a celebrity. Not
surprisingly, most of the celebrity snoops are in major metro areas, while
“friends and family” snooping is more common in smaller communities.

In recent years, healthcare employees have either been suspended or fired
for snooping into the files of A-list celebrities like George Clooney, Tom
Cruise and Kim Kardashian. Most snooping incidents go unreported, with many
organizations quietly firing the employee and compensating the victim. But
all it takes is one high-profile lawsuit to cause big problems.

Here are some ways that a GHP can reduce its exposure to HIPAA violations
and data breaches:

Conduct a full-fledged risk analysis – This is a no-brainer because the
HIPAA Security Rule requires you to conduct a bona fide security risk
analysis to identify all current threats, vulnerabilities, safeguards and
controls associated with assets that receive, create, maintain or transmit
PHI. Virtually all the organizations involved in breach settlement
agreements with HHS failed to conduct a risk analysis before getting into
trouble.

Make policies crystal-clear – It’s critical to document policies and
procedures that cover all applicable regulations – and specifically
prohibit activities like snooping. All GHP employees and BAs need to know
exactly what’s required and what’s prohibited – and it’s wise to have
tiered sanctions based on the circumstances of a violation (e.g., whether
the access/disclosure was malicious or unintentional, first-time or repeat
offense, and so on).

Don’t make training a sleepy routine – You can’t rely solely on a
general-purpose 30-minute online HIPAA training video to educate your
workforce. Employees need to know how the HIPAA regulations relate
specifically to their job responsibilities – and how to report complaints
and suspected or confirmed violations. Keep training logs so you can impose
sanctions on employees who try to skip this vital instruction.

Keep a close eye on BA relationships – Make sure that all your BAs have
signed up-to-date BA agreements incorporating the requirements of the
Omnibus Final Rule. Assign risk ratings to your BAs based on the data they
access, the services they provide and the likelihood and impact of a breach.

You can calculate the cost of a data breach with help from an impartial
organization: the American National Standards Institute (ANSI). This group
offers a free publication called “The Financial Impact of Breached
Protected Health Information” (available online at webstore.ansi.org/phi).
This document provides an excellent overview of the data breach landscape
and includes tools for calculating the cost of a breach specifically for
your organization.

HIPAA violations and data breaches come in all varieties, from the theft of
a laptop to an employee snooping into a colleague’s medical records. By
taking the actions outlined here, you can help ensure that your group
health plan doesn’t add its name to the Wall of Shame.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
