"OCR looks at an information security incident that results in a breach as a symptom of larger issues that indicate general failures to have appropriate safeguards in place," - Adam Greene, Law firm Davis Wright Tremaine
What is the true cost of being unprepared? For a Colorado-based community healthcare center, it cost $400,000. The Department of Health and Human Services Office for Civil Rights agreed to a settlement in response to a data breach suffered by Metro Community Provider Network in January 2012.
According to a statement released by OCR, MCPN had failed to conduct a risk analysis in accordance with the HIPAA privacy and security rules. During the breach, hackers were able to access employees' email accounts via a phishing attack and obtain the electronic protected health information (ePHI) of 3,200 individuals. Although MCPN took the necessary measures after the attack to remediate the situation, OCR discovered that a risk assessment was not performed until February, a month after the breach had occurred.
"Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis," OCR stated. Even after the February risk assessment, it was discovered that MCPN was not HIPAA compliant or fit to be handling patient records.
"The investigation focused on the failure of conducting an enterprise wide information security risk analysis and implementing a risk management plan to address the vulnerabilities found by the assessment," said David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"OCR looks at an information security incident that results in a breach as a symptom of larger issues that indicate general failures to have appropriate safeguards in place," notes attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
Prior to this breach, OCR had investigated many hacking incidents at organizations that had the necessary procedures in place, and in those instances it did not feel the need to take enforcement action against them. "This is part of OCR's overall enforcement approach, which is reasonable, appropriate and thoughtful, and distinguishes between entities that are trying hard, and those that aren't."
MCPN Corrective Action Plan
In its corrective action plan with OCR, MCPN agreed to take a number of steps to bolster its security practices, including:
Conducting a comprehensive and thorough risk analysis of security risks and vulnerabilities that includes systems at all current MCPN facilities;
Developing an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
Reviewing, and if necessary, revising, its current HIPAA security rule policies and procedures based on the findings of the risk analysis;
Providing its workforce with revised training materials based on any revisions to its policies and procedures as a result of the MCPN risk analysis findings.
"OCR continues to view a good risk analysis as foundational to HIPAA Security Rule compliance," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
The biggest takeaway from this settlement is to conduct regular risk assessments to make sure that an organization's cybersecurity health is in good standing with compliance regulations. MCPN was fined because it had not performed a risk analysis to assess the vulnerabilities and threats prior to its breach.
Source: U.S. Department of Health & Human Services