BreachExchange mailing list archives

How Long Can Healthcare Data Breaches Affect Facilities?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Nov 2014 19:03:56 -0700

http://healthitsecurity.com/2014/11/26/long-can-healthcare-data-breaches-affect-facilities/

Healthcare data breaches are unfortunately becoming a common scenario for
hospitals, health systems and individual care providers. The ramifications
of a security breach can be far-reaching, and organizations might have to
work to prove themselves once again capable of keeping patients’ protected
health information (PHI) secure.

But just how long can healthcare data breaches affect organizations?

After a healthcare data breach has been discovered, covered entities must
provide individual notifications to those potentially affected no later
than 60 days, according to the Department of Health and Human Services
(HHS). The notification can be done via first class mail or by email if the
patient has agreed to electronic correspondence.

HHS explained that the notification must include “a brief description of
the breach, a description of the types of information that were involved in
the breach, the steps affected individuals should take to protect
themselves from potential harm, a brief description of what the covered
entity is doing to investigate the breach, mitigate the harm, and prevent
further breaches, as well as contact information for the covered entity (or
business associate, as applicable).”

But what happens after those 60 days? How easily can covered entities
recover from a healthcare data breach? Unfortunately, the incident does not
end once potentially affected patients are notified. Depending on the type
of breach, the number of affected individuals, and even the type of
technology at a facility, it can take an organization years to regain
footing after a security issue.

Let’s first take a look at a few of the more common types of data breaches
that healthcare organizations could face. From there we’ll dissect the
potential legal ramifications, as well as regulatory requirements, to
understand exactly what a facility’s road to recovery could look like.

Common types of breaches

The theft or loss of portable devices – laptops, tablets, mobile phones –
is a leading cause of PHI being put at risk. This is why data encryption is
so critical, as it can help keep unauthorized persons out of the devices.
However, as proven by the recent robbery of a Massachusetts physician,
data encryption on its own will not be enough.

In that scenario, the armed robbers forced the doctor to reveal the pass
codes and encryption keys to the laptop and cell phone.

Human error often leads to healthcare security issues. Whether it is
incorrect items being sent through the mail, or simply insecure
transportation methods being used, employees must be properly trained on
how best to care for PHI. All staff should be well-versed in an
organization’s technical systems, while also being informed on all
regulatory and HIPAA compliance standards. If an employee doesn’t know that
taking a company laptop home is against the facility’s policy, they might
transport the device and leave it in an insecure location.

However, it is important to remember that data breaches could be caused by
a failure of administrative, technical, or physical safeguards – or even a
combination of the three. Ignoring one type of breach will not keep a covered
entity immune from its potential dangers.

Legal ramifications

From a legal standpoint, the ripple effects of a healthcare data breach can
go quite far. Even if an organization follows the HIPAA notification
process correctly, it could still face tens of thousands of dollars in
fines.

Moreover, patients could choose to sue the covered entity for a failure to
protect their PHI. A Connecticut court even ruled that patients can sue a
medical office for HIPAA negligence if it violates regulations that dictate
how healthcare organizations must maintain patient confidentiality. In
Indiana, Walgreens was still found to be liable for HIPAA violations
committed by an employee. This calls back to the importance of proper
employee training. Even if an individual worker commits a crime, the
organization itself might not be immune.

The legal process is not quick, and a covered entity could be working
through HIPAA issues years after the actual data breach takes place. Such
is the case with the University of Massachusetts Memorial Medical Center,
which is facing a civil lawsuit two years after patients’ PHI was
potentially exposed.

Regulatory requirements

HIPAA was created nearly 20 years ago, but federal regulations can evolve
along with technology. Moreover, specifications of HIPAA or even the HITECH
Act can still come into question years later. For example, the OCR released
a special HIPAA bulletin on how healthcare facilities should protect
patient data during an emergency situation.

“The HIPAA Privacy Rule protects the privacy of patients’ health
information (protected health information) but is balanced to ensure that
appropriate uses and disclosures of the information still may be made when
necessary to treat a patient, to protect the nation’s public health, and
for other critical purposes,” the bulletin explained.

Regulatory fines and legal fees can be devastating to a healthcare
organization. However, regaining patients’ trust could be even more
difficult. Technology is only going to continue to evolve, and
some healthcare executives believe that it is just a matter of time before
a facility encounters a data breach.

Covered entities must keep their policies and procedures current with the
latest federal requirements. From there, comprehensive employee training is
essential. When those initiatives are paired with strong technical and
physical safeguards, a healthcare facility will be well-equipped to
mitigate, and recover from, a data breach.