The U.S. Department of Health and Human Services’ Office for Civil Rights fined Children’s Medical Center of Dallas $3.2 million for HIPAA noncompliance and impermissible disclosure of unsecured ePHI stemming from two data breaches caused by a lack of encryption, HHS announced today.
Children’s is part of Children’s Health, the seventh largest pediatric healthcare provider in the U.S.
The first breach involved the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of about 3,800 patients. Children’s reported the breach to OCR on January 18, 2010.
The second incident involved the theft of an unencrypted laptop from Children’s during the first week of April 2013. The computer contained the ePHI of 2,462 patients. The hospital failed to report the theft to OCR until July 5, 2013.
Although Children’s physically protected part of the laptop storage area with badge access and a security camera, it also granted access to staff members who were not authorized to access ePHI, officials said.
The subsequent OCR investigation further revealed HIPAA noncompliance that included a failure to implement risk management plans – despite external recommendations to do so. Further, the hospital failed to use encryption or an equivalent method on its laptops, workstations, mobile devices and removable storage until April 9, 2013.
Children’s also issued unencrypted BlackBerry devices to nurses and allowed staff to continue using unencrypted laptops and mobile devices until 2013, although the hospital had been warned about the risk of unencrypted ePHI on devices as far back as 2007, officials found.
OCR issued a Notice of Proposed Determination, which provided instruction on how Children’s could request a hearing, officials said. However, Children’s didn’t request it. As a result, Children’s paid the full penalty.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR Acting Director Robinsue Frohboese said in a statement.
“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” she added.