$1.5M Fine Marks A New Era In HITECH Enforcement

Published: 22/11/2024   Category: security




Data breach at BlueCross BlueShield of Tennessee, and subsequent penalty, stands as example of financial fallout from poor healthcare IT security practices



Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.
"It's certainly a warning shot for the healthcare industry," says John Nicholson, a Washington, D.C.-based counsel for the global sourcing practice at law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a sufficient amount to act as a deterrent? It's hard to tell at this point. It's at the upper end of what organizations can be penalized [for], and when you break it down, it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that's just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, 'Eh, it's another one.'"
But Nav Ranajee, director of the healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. "Many of these organizations have been deprioritizing security because there just hasn't been enough financial incentive to push it up the stack on the IT to-do list," he says. By making pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements, HHS changes that financial equation for these organizations, he says.
"What I'm seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in-house or that new clinical system, because that's going to pay off in revenue," he says. "But when it comes to making sure HIPAA requirements are up to date, that's usually the last line item on the budget because it's really a sunk cost. Now they're going to have to look at the risk involved and wonder, 'Do I risk having a million-dollar lawsuit if I don't put the right security protocols in place?'"
The $1.5 million BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach in which 57 unencrypted hard drives containing recordings of customer service phone calls were stolen. The drives had been left behind in a data closet at a leased facility after the company stopped using the space.
"This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," said Leon Rodriguez, director of HHS OCR. "The HITECH Breach Notification Rule is an important enforcement tool, and OCR will continue to vigorously protect patients' right to private and secure health information."
According to Nicholson, the breach is a good lesson to healthcare organizations in how compliance really could have helped the security of the organization and maybe even prevented a breach. "One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don't know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, 'We've got these hard drives containing this unencrypted PHI, and it's in a locked closet, but that's not sufficient in this leased space,'" he says. "That's probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI."
For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament to the importance of encryption for healthcare data protection.
"Really, it's all about making sure that if you have data servers in your office or workplace, they need to be locked down -- they need two locks on them -- and they need to be encrypted," he says. "Those are two of the main things that are not commonplace, but they should be."
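Ranajee's "they need to be encrypted" is easier to act on as a repeatable check than as a policy statement. The script below is an added example, not code from the article, from BlueCross BlueShield of Tennessee or from CoreLink: it assumes a Linux host where `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` is available, parses that JSON device tree, and reports every mounted, data-bearing filesystem whose device chain contains no dm-crypt layer (lsblk type `crypt`). The embedded JSON is a constructed sample of that output, and the device names and the `/srv/call-recordings` mount point are assumptions, so the block runs offline.

```python
"""Flag mounted filesystems that are not backed by a dm-crypt device.

Added example, not part of the original article. Assumes Linux and the
JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the sample
below is constructed to look like that output so the script runs offline.
"""
import json
import subprocess

# Constructed sample: one LUKS-encrypted root disk and one plain xfs
# partition holding call recordings (the kind of data BCBST lost).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/srv/call-recordings"}
  ]}
]}
"""

# Mount points that carry no application data. An unencrypted EFI system
# partition is expected and must not trigger a finding.
IGNORED_MOUNTPOINTS = {"/boot/efi", "/boot", "[SWAP]"}


def _walk(dev, encrypted, out):
    """Depth-first walk of the lsblk tree.

    `encrypted` becomes True once any ancestor (or the node itself) is a
    dm-crypt mapping, which lsblk reports with type "crypt". LVM volumes
    stacked on top of LUKS therefore inherit the encrypted status.
    """
    enc = encrypted or dev.get("type") == "crypt"
    mp = dev.get("mountpoint")
    if mp and mp not in IGNORED_MOUNTPOINTS:
        out.append({"device": dev["name"], "mountpoint": mp,
                    "fstype": dev.get("fstype"), "encrypted": enc})
    for child in dev.get("children") or []:
        _walk(child, enc, out)


def audit_lsblk(lsblk_json):
    """Return every data-bearing mount with its encryption status."""
    tree = json.loads(lsblk_json)
    out = []
    for dev in tree.get("blockdevices", []):
        _walk(dev, False, out)
    return out


def unencrypted_mounts(lsblk_json):
    """Mount points whose backing device chain has no crypt layer."""
    return [m["mountpoint"] for m in audit_lsblk(lsblk_json) if not m["encrypted"]]


def live_lsblk_json():
    """Query the running host; Linux with util-linux lsblk assumed."""
    return subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)


if __name__ == "__main__":
    findings = unencrypted_mounts(SAMPLE_LSBLK_JSON)
    for mp in findings:
        print(f"UNENCRYPTED: {mp}")
    if not findings:
        print("all data-bearing mounts sit on dm-crypt devices")
```

Swap `SAMPLE_LSBLK_JSON` for `live_lsblk_json()` to audit a real host. Two caveats a practitioner should keep in mind: a crypt layer in the chain shows the bytes on disk are encrypted, but not that the key is protected (a key file on an unencrypted partition of the same machine defeats the purpose), and the check only sees drives that are still attached, so it belongs in the decommissioning checklist Nicholson describes rather than after the drives have already left the closet.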
If you'd like to contact Dark Reading's editors directly, send us a message.
