For two years, a former emergency department worker at Florida Hospital Celebration gained unauthorized access to more than 763,000 electronic patient health records and sold 12,000 of them to a co-conspirator (the operator of two chiropractic centers), who used them to solicit patients for legal and chiropractic services. While they may have viewed this as a way to quickly build a network of potential clients, under the HIPAA Privacy Rule they clearly accessed ePHI inappropriately and misused the data by selling it.
The insider threat means covered entities and business associates have to stay vigilant by monitoring and investigating any suspicious activity. From a technical perspective, daily log review is a service that involves monitoring, analyzing and reporting on user and system activity to help detect patterns of normal use and pinpoint potentially malicious users.
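As an added illustration of what daily log review can pick out (this is example code written for this article, not a product or tool the hospital used), the script below parses a constructed ePHI audit log and applies two checks that map directly to the case above: a user touching far more distinct patient records in a day than peers in the same role, and one set of credentials producing events from two source addresses within minutes of each other. The log format, user names, roles, IPs and thresholds are all assumptions made for the example.

```python
"""Daily ePHI access-log review: flag accounts that touch an abnormal number of
patient records and credentials that are in use from several locations at once."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed audit-log format (constructed for this example, not a real EHR product's):
#   <ISO-8601 timestamp> user=<id> role=<role> src=<ip> action=<verb> patient=<mrn>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def flag_volume(records, min_records=50, ratio=5.0):
    """Return {(user, day): distinct patients} for user-days whose count exceeds
    both an absolute floor and `ratio` times the median for that user's role."""
    per_user_day = defaultdict(set)
    role_of = {}
    for r in records:
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
        role_of[r["user"]] = r["role"]
    counts = {k: len(v) for k, v in per_user_day.items()}
    by_role = defaultdict(list)
    for (user, _day), n in counts.items():
        by_role[role_of[user]].append(n)
    baseline = {role: median(ns) for role, ns in by_role.items()}
    return {k: n for k, n in counts.items()
            if n >= min_records and n > ratio * baseline[role_of[k[0]]]}


def flag_shared_credentials(records, window=timedelta(minutes=10)):
    """Return {user: sorted source IPs} for accounts whose events came from two or
    more different addresses within `window` of each other (credential sharing
    or a session reused from another location)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["ts"], r["src"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if ip2 != ip1:
                    flagged.setdefault(user, set()).update({ip1, ip2})
    return {u: sorted(ips) for u, ips in flagged.items()}


def build_sample_log():
    """Constructed one-day log: three clerks with ordinary workloads, one account
    pulling 300 records in a morning, and one account used from two subnets."""
    lines = []
    base = datetime(2013, 4, 2, 8, 0, 0)
    workloads = (("jdoe", "10.1.4.22", 0, 12), ("asmith", "10.1.4.30", 100, 9),
                 ("bkim", "10.1.4.31", 200, 15))
    for user, src, offset, n in workloads:
        for i in range(n):
            ts = base + timedelta(minutes=15 * i)
            lines.append(f"{ts.isoformat()} user={user} role=ed_clerk src={src} "
                         f"action=view patient=MRN{offset + i:05d}")
    for i in range(300):  # bulk access, one record every 30 seconds
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} user=tnguyen role=ed_clerk src=10.1.4.40 "
                     f"action=view patient=MRN{1000 + i:05d}")
    # asmith's credentials also used from another subnet 2.5 minutes before a normal event
    ts = base + timedelta(minutes=12, seconds=30)
    lines.append(f"{ts.isoformat()} user=asmith role=ed_clerk src=10.1.7.9 "
                 f"action=view patient=MRN00199")
    return lines


def review(lines):
    """Run both checks over raw log lines and return the findings."""
    recs = list(parse(lines))
    return {"volume": flag_volume(recs), "shared": flag_shared_credentials(recs)}


if __name__ == "__main__":
    for kind, hits in review(build_sample_log()).items():
        print(kind, hits)
```

The role-relative baseline matters more than the absolute floor: an ED clerk who views 300 charts in a morning looks very different from a records-release clerk who legitimately does so, and the median is computed per role so one heavy user does not drag the baseline up for everyone else.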
Another technical service that helps monitor your files and systems is file integrity monitoring (FIM), which can alert you directly to anomalies and tell you when a file is altered or destroyed. FIM is recommended to help meet HIPAA compliance, as it can satisfy the HIPAA standard §164.312(b) that requires covered entities and business associates to:
Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
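To make the "record and examine activity" requirement concrete, here is a minimal file integrity monitor written for this article (it is not the code of any FIM product). It hashes every regular file under a directory into a baseline and, on a later run, reports what was added, modified or deleted. The file names and contents in `demo()` are constructed for the example.

```python
"""Minimal file integrity monitoring: hash a directory tree into a baseline,
then report files that were added, changed or deleted since the baseline."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file's path (relative to root, '/'-separated) to its digest.
    Symlinks are skipped so a link cannot be repointed to mask a change."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baselines(old, new):
    """Compare two baselines and return sorted lists of added, modified and deleted paths."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
        "deleted": sorted(old_paths - new_paths),
    }


def demo():
    """Constructed scenario in a temp dir: take a baseline, then edit one file,
    drop in a new script and delete a data file, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/app.conf": b"audit=on\n",
            "bin/export.sh": b"#!/bin/sh\n",
            "data/index.db": b"\x00" * 64,
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        before = build_baseline(root)

        # Simulated changes between two monitoring runs.
        with open(os.path.join(root, "etc/app.conf"), "wb") as f:
            f.write(b"audit=off\n")            # configuration weakened
        with open(os.path.join(root, "bin/dump.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")            # unexpected new script
        os.remove(os.path.join(root, "data/index.db"))   # file destroyed

        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline is the asset worth protecting: store it (or a signature over it) somewhere the monitored host's users cannot write, otherwise whoever alters a file can simply re-baseline. Scope the monitored paths to configuration, binaries and ePHI stores, and route the diff into the same daily review that covers the access logs.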
Since Florida Hospital Celebration is part of a 37-hospital network under Adventist Health System, the health system now faces a class action lawsuit as a result of the data breach, with affected individuals seeking damages for its failure to secure ePHI (the former worker has been sentenced to a year in federal prison).
The lawsuit points out that employees who weren't authorized to access the information were, in fact, able to do so with only log-in credentials; that employees were permitted to share credentials; and that their logins could be used to access multiple computers at the same time from multiple locations. It also maintains that the hospital failed to train its employees and to monitor their access to sensitive information, according to HealthCareInfoSecurity.com.
It also claims that the hospital's failure to segment and control its database in compliance with the HIPAA security regulations and industry standards fell short of the promises made in its patient agreements and privacy policies, according to the lawsuit document. While proper policies and procedures are an important part of meeting the administrative security standards of HIPAA compliance, they don't really matter unless an organization's employees are aware of them and abide by them. Policies should meet the HIPAA Security Rule's policies, procedures and documentation requirements, §164.316(a):
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].
This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart.
A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Staff training is also required by the security awareness and training standard of the Administrative Safeguards in the HIPAA Security Rule, §164.308(a)(5):
Implement a security awareness and training program for all members of its workforce (including management).
The lesson here is that one employee at one hospital can cause a significantly costly and messy legal case for the health system at large if it fails to meet HIPAA compliance: people go to jail, litigation drags on for years, and the loss of credibility can drive away even the most loyal patients. This should be a wake-up call to healthcare CIOs: the technical, administrative and physical safeguards required by HIPAA are worth the ongoing investment if they wish to avoid the consequences of a data breach.