Tag: HIPAA

Data Breach, HIPAA / HITECH Enforcement, News Events

An Employee Mistake Leads to a HIPAA Data Breach

CJ Michael

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key in this breach was that the employee was authorized to work with PHI but in this case did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note in this situation is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is a prudent means of improving efficiency and confidence in your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Data Breach, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Information Security Operations Planning

CJ Michael

One of the biggest threats for organizations today is the threat of the unknown. For many IT departments and Security Teams, it is a constant battle to know your enemy and protect the organization’s assets from being stolen or corrupted. Not long ago, installing a firewall for the network and anti-virus on workstations was adequate protection. Times have changed, and building a security program requires planning, specifically a good balance of Strategic, Tactical and Operational planning.

Strategic planning is all about allocating the right resources to satisfy long-term goals and protecting the data that helps make your organization valuable. As Darren Dannen explains, “Strategic planning is an organization’s process of defining its strategy or direction and making decisions about allocating its resources to pursue this strategy.” The decisions come mostly from management and are the guiding principles for everyday decisions made throughout the organization. Things to consider would include: What is important to protect? What needs to be monitored? How would you respond to threats? And how do you determine if you need outside assistance?

With these decisions made, the next step is to address Tactical planning, or the implementation of your organization’s strategy. The key here is building a security operations structure that is clear and effective in helping identify and stop attacks. One of the most important aspects of Tactical planning is clearly defining the proper roles within management and your security teams to define the structure of the organization. For healthcare organizations, that means stating who the Security Officer is and outlining Emergency Response Teams to react during a breach or security incident. The next step in Tactical planning is addressing training and techniques. This is when your organization establishes administrative, technological, operational, and analytical procedures to support both immediate and long-term goals.

In support of Strategic and Tactical planning is Operational planning. These activities revolve around protecting information assets through everyday tasks. According to Darren Dannen, there are five basic functions to plan for:

  1. Vulnerability management
  2. Device management
  3. Monitoring
  4. Threat Analysis
  5. Incident Response

Some key areas to address within these functions include patch management, vulnerability scanning, log, auditing, and risk mitigation. This planning process does not happen overnight and can require extra resources to get off the ground. If your organization needs assistance, contact RISC Management. Remember that the first step in establishing any security program is a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program