- HIPAA Compliance Alert: How to Defend Against a Data Breach
- March 23, 2015 | Authors: Kimberly T. Boike; Andrew P. Tecson
- Law Firm: Chuhak & Tecson, P.C. - Chicago Office
- The challenges of defending and responding to a data breach are appearing with increasing frequency in front page headlines, with large corporations ranging from retailers and banks to healthcare providers revealing that their customers’ personal information has been hacked. The multitude of devices and programs which store data has dramatically increased the number of potential vulnerabilities which may be exploited by a hacker. Because there are an extraordinary number of ways in which hackers can gain access to an IT system, and because the Internet has created a marketplace for the sale of personal data, the frequency of intrusion efforts and the number of intrusions is rapidly increasing.
Today’s environment has created an imperative for all healthcare providers to harden their defenses against a data breach in order to: (1) protect patient information; (2) mitigate the risk of fines which can be imposed under HIPAA; and (3) mitigate damages which may be claimed by patients through lawsuits alleging negligence and breach of contract. The risks include not only external threats such as hackers, but internal risks arising from errors related to the storage and disposal of protected health information (“PHI”). In fact, according to the most recent report of Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) to Congress related to data breaches, hackers only accounted for nine percent of data breaches.
Two recent HIPAA settlements are instructive with respect to the need for healthcare providers to dramatically increase their discipline with respect to their internal policies and procedures that protect their patient data. Affinity Health Plan replaced its photocopy machines and did not erase electronic PHI (“ePHI”) of 344,579 patients which resided on the hard drives of those machines. The fine in this case was $1,215,780. A physician conducting research placed ePHI of 6,800 patients on his computer which resulted in inadvertent disclosure of the ePHI. Two affiliated hospitals, New York -Presbyterian Hospital and Columbia University Medical Center paid a combined fine of $4.8 million.
Hackers are increasingly posing a threat to a provider’s financial security. One medical group recently was attacked by malware which infected its servers and encrypted all of the group’s electronic medical records. The attacker demanded a ransom payment to be paid in bitcoin in exchange for giving the medical group access to the encryption key. Hackers have also been able to gain access to the networks of businesses and have been able to direct banks in which the businesses have deposits to wire funds to accounts controlled by hackers.
The first critical step in defending against data breaches is to conduct a disciplined risk assessment, which is required under the HIPAA Security Rules applicable to healthcare providers and their business associates. This is critical in order for a provider to create an inventory of what ePHI exists, where it is stored and what types of controls exist to prevent a breach. A risk assessment also determines the ability of a provider to recover data if the data becomes corrupted, and the ability to recover from a disaster if the data is lost. In several cases with fines in excess of $1 million, the OCR has emphasized that a factor in the magnitude of the fine was the failure of the provider to have conducted a risk assessment.