Another major HIPAA violation settlement recently made the news, reminding us not only how sensitive personal health information (PHI) is, but also how important it is to pay close attention to security and compliance at the end user and endpoint level.
Tampa General Hospital just announced that it will settle a data breach lawsuit by paying each plaintiff $10,000 plus up to $7,500 in some cases to cover legal fees tied to the suit, according to coverage by HIPAA Journal.
Aside from the size of the settlement, what is so eye-catching about this situation is that the data breach appears to be the result of malicious acts by an employee. From HIPAA Journal:
“An individual was arrested and found to be in possession of patient records that had been stolen from Tampa General. The individual did not work at the hospital but had allegedly obtained the data from a hospital employee. … Tampa General Hospital denies any wrongdoing and maintains that it is not responsible for the alleged actions of some of its former employees. The decision to settle the case was taken to avoid the expense and burden of taking the case to trial.”
The main takeaway from this story is simple: Organizations are ultimately responsible for the actions of their employees when a data breach occurs.
This is nothing new. Regardless of how personal health information is compromised, health organizations and their HIPAA-covered business associates are obligated to report a breach to the U.S. Department of Health & Human Services Office for Civil Rights (OCR). The OCR publishes information about breaches affecting more than 500 records, and that log brings to light how easily poor end user security or endpoint management decisions can cause a data breach.
So far in 2016, the OCR lists 299 data breach reports, 197 of which are attributed to theft, loss or unauthorized access/disclosure. Among the reports that include a description of the incident, a few major themes are evident:
Quite a few of the incidents with details stem from a lost or stolen device that contained PHI. In many cases, the description specifically notes that the devices were not properly encrypted, leaving the PHI to fall into unauthorized hands. Whether the result of a thief or someone who lost their device during a trip, the outcome is the same: a data breach.
A few of the descriptions include additional details that further point to end user fault, such as the health care auditor who took (and subsequently lost) his “firm-issued laptop computer on a non-business weekend trip” or the business associate of a covered entity that “misconfigured a File Transfer Protocol site (FTP), which may have allowed access from the internet to transcription documents from a number of healthcare entities.” It’s important to remember that end user vulnerabilities extend beyond your employees and include the employees at any covered business associate.
Another 94 reports were the result of Hacking/IT Incidents. In some cases, the end user can be the point of entry for a malicious attack, such as with phishing emails or infected email attachments. In other cases, proper security wasn’t extended to the entire infrastructure, leaving vulnerabilities.
While data breaches will never entirely disappear, there are some proactive steps HIPAA regulated organizations can take to help prevent the issue, particularly incidents stemming from end users and endpoints.
Don’t take a “wait and see” approach. While many companies drag their feet on cyber security because of the cost, a data breach can have a devastating financial and reputational effect. And it’s not so much a matter of “if” but “when” it will happen.
Be diligent about ensuring proper security and enterprise-grade antimalware throughout your network so you have a multi-layered security posture. Most importantly, ensure any data stored on devices is encrypted both at rest and in transit. This helps protect data if a device is lost or stolen and helps guard data in the event of a network breach.
Security isn’t the job of just one person – the entire organization should have a good understanding of how important protecting PHI is. Make security a regular topic of discussion so it’s always top of mind, and make it clear that your policies, procedures and safeguards are in place for a reason and absolutely must be followed. Employees often think their actions – like emailing a file so they can work at home or taking their computer on a trip – aren’t “big deals.” By stressing why actions like these aren’t allowed, you can help instill a healthy attitude toward proper security among your end users.
Engage the Right Tools
Look for solutions that provide good security and control options, such as desktop-as-a-service. This limits your risk footprint by drastically reducing endpoint risk, since no data is stored on the device itself. It also helps reduce end user risk by letting you enable controls that block actions that could be a security threat, like printing, flash drive access and saving files to unauthorized locations. Choosing smart solutions makes maintaining security less time and resource intensive.
It’s clear from the Office for Civil Rights’ running log that more needs to be done to protect PHI at the end user and endpoint level. Companies need to view these recurring incidents as a warning and take action to prevent a breach. Being diligent, making security a priority and making smart solution choices can go a long way toward protecting against a breach.