The HIPAA Security Rule is in full effect! The first Business Associate HIPAA penalty made news Tuesday, following a data breach incident two years prior. Who's atoning for this cardinal data sin? The Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia, a nonprofit organization now forced to pay a $650,000 fine. As a business associate legally obligated to adhere to federal regulation, CHCS is being held financially responsible for the breach of six nursing facilities, compromising 412 patients' Protected Health Information (PHI).
While many MSPs are compelled and encouraged to meet the demand for HIPAA compliance by serving the lucrative healthcare vertical, let this ruling serve as a wake-up call that there are costly consequences when MSPs themselves aren't compliant. What led to this unprecedented turn of events, and how can you prevent your MSP practice from suffering the same fate? Here's the Who, What, When, Where, Why and How, our data breach MSP debrief!
So who are the major players involved?
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) - business associate that provided information technology management for six nursing homes and, after settling for $650,000, is now required to take corrective action to maintain HIPAA compliance
The Department of Health and Human Services' Office for Civil Rights (OCR) - federal department that investigated the data breach and CHCS's role, as well as negotiated the terms and amount of the settlement
Nursing Facilities - covered entities that suffered and reported the data breach, which launched the federal investigation
For the first time in history, HIPAA has been enforced against a business associate after the nonprofit was found responsible for violating federal regulation, thereby enabling a breach that exposed the data of 412 patients. As a result, sensitive, personally identifiable information (PII) like social security numbers (SSNs) and electronic PHI like medical procedures, medication and diagnosis information were compromised. Due to the magnitude of the data disaster, OCR will monitor CHCS for two years to enforce the terms of the corrective action plan.
The nursing homes originally reported the breach to The Department of Health and Human Services (HHS) in February 2014, prompting a full OCR investigation which began in April of that year. Now two years later, as of June 29, the investigation has concluded and a resolution agreement has been reached. But the impact for MSPs who also act as business associates in providing IT solutions to healthcare organizations is only just beginning.
Do you think this unprecedented event will trigger more penalties for business associates found not to be compliant? Is this just the beginning in terms of financial ramifications? Leave a comment below!
Philadelphia, Pennsylvania...though data breaches can happen anywhere. Update yourself on the state of cybersecurity in Europe with these latest findings!
Why is it CHCS and not the nursing homes that are being fined? To understand this, you may want to brush up on some of the fundamental vocabulary defined in our HIPAA and the Healthcare Vertical Opportunity MSPedia article.
Essentially, as the business associate, CHCS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, a part of HIPAA legislation that establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (the six nursing homes).
How did this all happen? What could CHCS have done differently to avoid such a hefty fee and federal intervention? More importantly, what vulnerabilities exist within your own IT security framework? Are you making any of the same mistakes?
In this instance, it all comes down to an employee's stolen iPhone that, despite being provided by CHCS, was unencrypted and not password-protected. Is the mobile device management (MDM) alarm sounding for you yet? Had the smartphone's encryption met HIPAA's technical safeguards standards that protect and control access to electronic health information, there would be no issue. In accordance with these technologies, policies and procedures, even if a device were lost or stolen, the incident wouldn't be recognized as a data breach. Instead, CHCS failed to secure employee devices, and all it took was the theft of one phone to jeopardize the organization's public reputation and financial standing.
Now that you understand the nuts and bolts of this timely headline, what can you glean as a fellow business associate? Learn from CHCS's mistakes and if necessary, implement the same reform the organization is now forced to comply with!
Business Continuity Planning
According to Healthcare InfoSecurity, OCR's investigation into the breach revealed that "CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident." As stated by OCR Director Jocelyn Samuels, risk analysis and risk management planning "are the cornerstones of the HIPAA Security Rule." Have you established, documented and shared the necessary data disaster response policies and procedures with your covered entity clients? This should all be included in your disaster recovery or business continuity plan. Revisit, reassess and review annually to identify any vulnerabilities that arise or exist and may have been overlooked. Verify that your business continuity plan comprises everything you and your clients would need to know in the event of an emergency. Have you defined what constitutes a disaster scenario? Don't overlook mobile devices when conducting the risk and business impact analysis section. Every threat must be accounted for, documented and shared.
Backup and Disaster Recovery (BDR)
And what's business continuity planning without the business continuity solution that restores uptime and allows the medical practice to continue serving its patients? Many healthcare organizations bound by HIPAA are required to have a backup and disaster recovery solution. Whenever a device that stores PHI becomes compromised by ransomware, for instance, you'll want to recover it back to its last healthy, compliant state to prevent further contamination of data or connected systems. But you'll need a way to restore all data created or updated after that recovery point. Let's say the dentist office you serve acquires the electronic medical records (EMRs) of 50 new patients after that recovery point. You'll need to get those EMRs back.
While it appears that the CHCS smartphone thief didn't exploit the information they gained access to, who's to say someone couldn't change all administrative privileges and credentials upon obtaining the phone, thus holding that data hostage? If this were the case, you'd need a BDR solution capable of taking frequent, incremental backups, preferably at the block level, to minimize the recovery time objective (RTO), maximize the recovery point objective (RPO), mitigate the damage and restore the data with minimal downtime. If you're not already providing business continuity services for clients, add it to your offering to reduce resulting damages from a data breach or data loss incident.
Mobile Device Management (MDM)
If anything, the CHCS data breach should reaffirm the danger of having devices left unattended, misplaced, lost or stolen. With HIPAA compliance being a pressing issue, offer impacted clients MDM as an additional service. Should electronic PHI become compromised, you'll be able to remotely lock down and wipe the device storing or providing a gateway to this data.
Data Encryption and Password Management
As an additional security measure, confirm that HIPAA administrative, physical and technical safeguards are met. See the full list of safeguards here! As stated earlier, proper data encryption and password management fall under this latter condition, technical safeguards. Evaluate how your healthcare clients encrypt data, and immediately follow up with those that don't comply. Recall that the stolen phone in question was also not password protected. While anybody can see how risky that is, can you guarantee all of your employees are following password management best practices and encouraging clients to do the same? Maybe they know better than to forgo passwords and leave devices completely accessible to the public, but use the same password for every account.
To recap, you can never be too safe when it comes to the security of your clients' data, especially when they're bound by compliance regulations like HIPAA. While specializing in the healthcare vertical is still a wise course of action for MSPs looking to tap into new revenue and markets, you must know what you're signing yourself up for. Like CHCS, in providing information technology services to covered entities, or organizations bound by HIPAA, you assume liability for any data disasters that may arise as a result of negligence or improper planning. Is your house in order?
By Hunter Smith
By Richard Harber
By Gretchen Hoffman