BreachExchange mailing list archives

$150K HIPAA Fine for Unpatched Software


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Dec 2014 18:51:01 -0700

http://www.databreachtoday.com/150k-hipaa-fine-for-unpatched-software-a-7656

Federal regulators are sending a powerful message about the importance of
applying software patches by slapping an Alaska mental health services
provider with a $150,000 HIPAA sanction.

The Department of Health and Human Services' Office for Civil Rights says
Anchorage Community Mental Health Services' failure to apply software
patches contributed to a 2012 malware-related breach affecting more than
2,700 individuals.

ACMHS is a five-facility, not-for-profit organization providing behavioral
healthcare services to children, adults and families.

The HIPAA settlement in the Alaska case marks the first time OCR has levied
a penalty tied to unpatched software, which is not specifically addressed
in the HIPAA Security Rule.

Managing Risk

"Most of the previous [OCR] corrective action plans that I reviewed focused
on policies, procedures and other forms of documentation," says security
adviser Tom Walsh, president of Tom Walsh Consulting. "Many times, people
are surprised to discover that there is nothing specifically written in the
HIPAA Security Rule regarding vulnerability or patch management, firewalls,
and monitoring of inbound and outbound traffic. However, it is difficult to
manage risk appropriately without these prevailing security practices."

A meaningful risk analysis must include "looking beyond the minimum
requirements in the HIPAA Security Rule and exercising proper due diligence
to properly evaluate any risk factors that could affect patient
information," Walsh stresses.

Independent HIPAA and healthcare attorney Susan A. Miller notes: "This is a
wake-up call that people should be looking very closely at the security
risk assessment tools available from ONC and OCR, as well as NIST [National
Institute of Standards and Technology].

"The lesson here is that when a software patch or update is sent by a
vendor, they should be applied immediately," Miller adds. "That includes
operating systems, electronic health records, practice management - and any
electronic tool containing PHI."

Malware Incident

OCR says it opened an investigation after receiving notification in June
2012 from ACMHS regarding a March 2012 incident involving malware
compromising the security of the mental health provider's information
technology resources.

OCR's investigation revealed that ACMHS had adopted sample HIPAA Security
Rule policies and procedures in 2005, but these were not followed. The
security incident was the direct result of ACMHS failing to identify and
address basic risks, such as not regularly updating software with available
patches and running outdated, unsupported software, OCR says.

"ACMHS failed to implement technical security measures to guard against
unauthorized access to e-PHI that is transmitted over an electronic
communications network by failing to ensure that firewalls were in place
with threat identification monitoring of inbound and outbound traffic and
that information technology resources were both supported and regularly
updated with available patches," says the OCR resolution agreement with
ACMHS.

In addition, OCR says that contributing to the incident was ACMHS' failure
to conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of
e-PHI.

"Successful HIPAA compliance requires a common sense approach to assessing
and addressing the risks to ePHI on a regular basis," says OCR Director
Jocelyn Samuels. "This includes reviewing systems for unpatched
vulnerabilities and unsupported software that can leave patient information
susceptible to malware and other risks."

Corrective Actions

The corrective action plan with ACMHS calls for the mental health services
provider to revise and distribute to all members of its workforce the
organization's HIPAA Security Rule policies and procedures.

The plan also requires that ACMHS obtain a signed initial compliance
certification from all members of its workforce, stating that they have
read and agree to abide by the security rule policies and procedures. In
addition, the plan requires ACMHS' workforce to attend HIPAA security
training.

Also, the plan requires the organization to annually conduct a thorough
risk assessment and document the security measures it implements to address
the issues identified.

Other Settlements

The settlement with the Alaska provider is the third HIPAA resolution
agreement issued by OCR in 2014. OCR announced a record $4.8 million
settlement in May with New York-Presbyterian Hospital and Columbia
University. That case involved a breach of unsecured patient data on a
network, affecting about 6,800 patients. In that settlement, OCR cited,
among other factors, the lack of a risk analysis and failure to implement
appropriate security policies.

The other 2014 OCR resolution agreement was an $800,000 settlement with
Parkview Health System, a not-for-profit organization serving northeast
Indiana and northwest Ohio. The provider agreed to the settlement involving
"potential violations" of the HIPAA Privacy Rule as a result of an incident
in June 2009 involving the dumping of paper medical records of 5,000 to
8,000 patients.