News Events – Page 14 – RISC Management and Consulting

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.

Privacy and Security is important not just for healthcare information but in everyday aspects of our life, such as banking, that affect all of us. Recently, in Brooklyn, New York, six people were arrested and charged for stealing 45 million dollars from Middle East banks. According to NBC News, the “hackers stole debit card data from the National Bank of Ras Al-Khaimah in the United Arab Emirates and Bank Muscat in Oman in two attacks in December 2012 and February 2013, according to prosecutors. These individuals allegedly broke into payment-processing companies used by the two banks and raised the balances and withdrawal limits on the cards, prosecutors said. Crews in more than 20 countries, such as the cell arrested Monday, then withdrew $5 million between Dec. 21 and Dec. 22 and $40 million between Feb. 19 and Feb. 20.”

Exploiting cyber weaknesses

It would seem the same technology the healthcare industry is implementing for ensuring their protected health information stays private and secure is similar to banking industry needs and governmental-spying prevention. The Morning Sentinel reports encrypted email, and other privacy solutions are increasing in popularity in the wake of the National Security Agency’s reported surveillance programs. As a whole, our society has been tolerating privacy issues for many years, including those broken by our own National Security Agency (NSA) reported by the Washington Post on August 15^th, 2013. Many organizations such as Google shared the importance of encrypting their own data centers around the world to deter snooping, and protect their clients.

For one solution, Pogoplug, business is booming – it’s garnered close to 1 million paid subscribers in its first year – and the company is anxious to accommodate concerned clients. This month Pogoplug launched a $49 software package called Safeplug that prevents third parties, from the NSA to Google, from learning about a user’s location or browsing habits.

But many warn that encryption offers a false sense of security.

“The fundamental designers of cryptography are in an arms race right now, but there are a series of weaknesses and missing oversights that have nothing to do with encryption that leave people vulnerable,” says Patrick Peterson, CEO of Silicon Valley-based email security firm Agari. And many that do work, bog down or freeze computers, forcing “a trade-off between security and convenience,” he says.

Many hacking or data breach security incidents were not the result of complex attacks or zero day vulnerability exploitation. Rather they occur because of disinterest, overwork, poor configuration management, slow patching, and a complete lack of assessing, or PEN-testing an organization’s own systems.

Many security incidents, such as the too-popular crypto-locker, occur because an untrained or trained-but-curious employee opened an email with an attachment. Regardless of coaching and formal training employees find it hard to resist opening an interesting email.

Regardless, an information security, data privacy, and awareness training program for all members of your workforce is critical both to reduce risk and to show a track record of sincere and sustained efforts at compliance, according to Chris Heuman, Practice Leader at RISC Management.

This post brought to you by RISC Management & Consulting. Visit us at www.RISCsecurity.com

Resources:

Morning Sentinel: http://www.onlinesentinel.com/news/Computer_privacy_services_booming_in_wake_of_NSA_surveillance_fears.html?pagenum=2

NBC News: http://www.nbcnews.com/technology/6-arrested-45-million-global-atm-bank-cyberheist-2D11617858 and http://www.nbcnews.com/id/51850893/ns/technology_and_science-tech_and_gadgets/#.UpkQhcSsh8F

Washington Post: http://articles.washingtonpost.com/keyword/national-security-agency and http://articles.washingtonpost.com/2013-09-06/business/41831756_1_encryption-data-centers-intelligence-agencies