The Enemy Within - "Homegrown" HIPAA vulnerabilities

Just yesterday I briefly discussed the electronic vulnerabilities facing hospitals and health practitioners. Much of that note focused on hackers attacking the systems and holding them for ransom.  It is a major problem confronting the healthcare sector, and will continue to be for long to come.

Other threats linger, and this week we learned about one of the potential hazards we must guard against – the hazard that we hire bring to the table ourselves. In short, we can be our own worst enemies.  Such is the case at the University of Mississippi Medical Center and the Oregon Health & Science University.

At the University of Mississippi Medical Center (UMMC), staff allowed a party to “borrow” a hospital laptop while in the ICU. The borrowed laptop was not returned. While that fact is curious enough, this is when it gets really interesting.

The Mississippi hospital had secured its network, but on the laptop there was patient data that was protected with only the minimum “generic” of security safeguards. Apparently, no access tracking software was in place.

One wonders if the laptop itself had location software in place.  In other words, the equivalent of the “find my phone” application we all use (I know I do) to locate phones and tablets may not have been there.  Most of these tracking applications allow a user to wipe all data from a lost device – quite handy in the event a piece of hardware is lost. 

The folks at UMMC compounded the issue when they failed to notify patients’ whose data was breached of the potential exposure. We must ask – if they had no access tracking software in place, how do they know whose data was purloined and whose was not?

The OCR summarized UMMC's failures in its press release:

  • implement its policies and procedures to prevent, detect, contain, and correct security violations;
  • implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
  • assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI; and
  • notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

The UMMC settled with the HHS Office of Civil Rights, paying a penalty of $2.75M while not admitting any liability.  UMMC is working to overhaul its security standards as well.  Read the entire HHS OCR press release here   You can read the actual text of the settlement here.  

Oregon Health & Science University also felt the ire of the HHS OCR, paying a similar fine for breaches involving unsecured laptops and stolen USB thumb drives.  While OHSU self-reported, the OCR lamented OHSU's failure to respond appropriately to these breaches. 

This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.
— HHS OCR Director Jocelyn Samuels, discussing the OHSU settlement

The Oregon facility paid a fine of $2.7M and entered a three-year corrective action plan. Read the HHS OCR's press release here, and you can read the settlement text here.

These two actions underscore the aggressive stance of the OCR in the face of ever more common data breaches. They also demonstrate how we are often our own worst enemies.

And CEOs, Risk Managers, Compliance Officers, and IT professionals - please take these compliance matters seriously.  

For more on how to deal with these issues, contact the Spiers Group today.