
Healthcare Industry Data Loss Problems – And Their Easy Solutions

According to a report by the Ponemon Institute, nearly 90% of healthcare organizations suffer data breaches. Internal threats such as mistakes (unintentional employee actions, stolen computing devices) account for nearly half of the data breaches. This statistic shows how staggering the data loss problem is in the healthcare industry. While the scale of the problem, and therefore of the solutions to it, may seem incredibly vast, there are strategies healthcare organizations should be implementing to combat this high-risk situation.

Why is theft, or loss with malicious intent, so high?

Firstly, medical records can fetch up to 50 times the price of credit card records on the black market. While that may seem far-fetched, it is not surprising given how much credibility medical records hold when it comes to identification. Criminals can easily use medical records to fraudulently bill insurance companies and obtain prescription medicine, in addition to other identity theft practices.

The move to digital and the losses that come with it

The digitization of medical records has been seen by the medical community as a long-overdue step to reduce the mounting hospital administration burden and provide patients with more reliable diagnoses and care. However, proper due diligence isn’t being paid to data loss protection, for a variety of reasons, budgeting, outdated technology and lack of knowledge among them. As a result, breaches of healthcare systems are becoming more and more commonplace, particularly as online criminals become more skillful and as hospital staff accidentally release sensitive patient information.

The problem areas

Data loss is considered to be one of the most commonplace ways for healthcare organizations to lose a patient’s medical files. The main problem areas include criminal attack, a stolen computing device, unintentional employee action and technical glitches in the system.

The root problem

At the root of these problems are outdated legacy systems and medical devices, and poor training in data loss protection. Healthcare organizations face a unique set of challenges when it comes to digitized information. Particularly for hospitals, the scale at which they work is huge. The number of individuals who have files stored on their systems, as well as the number of medical professionals who are not highly skilled in computer literacy, is vast. Combine this with computer systems that need updating and a lack of budget to do so, and it is easy to see why data loss is so prevalent in the healthcare industry.

The solution

The solution to the problem can be simplified into two parts: update computer systems so that strong security measures can be put in place, and implement a data loss prevention strategy across the organization. The first part requires budget, but it is imperative that this is prioritized. Ransomware and malware are becoming an increasingly prevalent, malicious, and ruthless way of obtaining data. Trends suggest that this will become even more of an issue in coming years, and the only way to combat it is through state-of-the-art security measures.

A data loss prevention strategy, while still costly, especially if implementing on a large scale, is more of an upfront cost and a slow burn investment. For healthcare organizations, a data loss prevention strategy is an incredibly cost-effective way to protect against data loss as much of it involves staff onboarding and communication in order to make it work. Of course, software systems need to be installed to protect files, but much of the hard work comes from ensuring that all staff understand what they need to be doing in order to avoid the inadvertent leakage of sensitive information.

With just a quick online search, you can see the mounting concern about protecting patient data in the healthcare industry, and the ever-growing and alarming statistics about how much data is currently being compromised. Healthcare organizations need to reprioritize budget in order to implement easy and effective solutions like state-of-the-art security, and a data loss prevention strategy that has buy-in from staff working both in hospitals and medical centers on network devices, and remotely on mobile.

MAPFRE Settlement – An Expensive Lesson in Data Security

MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) has agreed to pay a whopping $2.2 million in fines to enter into a settlement with the HHS Office of Civil Rights for violations of the HIPAA Privacy and Security Rules.

At the heart of this multi-million dollar storm was a humble USB pen drive.

On September 29, 2011, the unencrypted USB data storage device was left unsecured in the IT department of MAPFRE. This drive contained records of 2,209 individuals, including their full names, dates of birth and Social Security numbers. The pen drive was stolen overnight.

MAPFRE reported the device theft to OCR 55 days later. (60 days is the maximum time frame for reporting and announcing PHI breaches.) OCR then launched an investigation to ascertain whether any HIPAA Rules had been violated. This is standard protocol for all breaches of ePHI that impact more than 500 individuals.

As the investigation proceeded, OCR discovered not one but several HIPAA non-compliance issues.

Officials at OCR determined that MAPFRE showed a callous attitude towards data protection by not putting necessary safeguards in place to prevent the theft. MAPFRE had:

  • Failed to conduct required risk and vulnerability assessments to test the “confidentiality, integrity, and availability” of the ePHI under its control
  • Not implemented any appropriate security measures
  • Neglected to implement required security awareness and training programs for its workers

As per the corrective action plan, MAPFRE was expected to:

  • Conduct a risk analysis and implement a risk management plan
  • Implement a process for evaluating environmental and operational changes
  • Review – and revise if necessary – its current Privacy and Security Rules policies and procedures
  • Distribute the policies and procedures and assess, update, and revise them as necessary
  • Give regular training to workforce members and certify they’ve received it

MAPFRE delayed implementation of corrective measures that it had told OCR it would undertake. So despite the submission of a breach report to OCR on August 5, 2011, MAPFRE Life did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR director Jocelyn Samuels said in a statement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

The resolution amount was decided upon after taking the financial position of MAPFRE into consideration as well as keeping in mind the number and severity of its HIPAA violations. Not only does OCR require payment of $2,204,182 as fines, MAPFRE is also expected to adopt a corrective action plan that addresses all areas of noncompliance.

HHS states on its website that “A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” It also says that “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

OCR has increased its enforcement of HIPAA Rules in recent years, with 2016 being a year when it made more settlements than in any other year to date. Last year alone, a dozen healthcare organizations settled possible HIPAA violations with OCR. Earlier this year, Presence Health, a healthcare network serving residents of Illinois, agreed to pay OCR $475,000 due to an unnecessary delay in breach notification after patients’ protected health information was exposed. OCR won’t be letting up on its aggressive enforcement pace of 2016, when it collected a record $23.5 million in HIPAA breach settlements, a steep rise from $6.2 million in all of 2015.

There are some expensive lessons in these settlements that all HIPAA covered entities should pay heed to. Risk assessment and analysis can go a long way in keeping data secure. There should be a comprehensive risk management plan in place. In case of a breach, companies should make quick and accurate representations to OCR and should follow through on any commitments made to OCR.

Last but not least, leaving unencrypted portable devices/drives unsecured is never a good idea, and a humble USB pen drive can sometimes prove to be very, very costly.