On May 7th, the US Department of Health and Human Services (HHS) announced that two medical facilities working jointly agreed to pay a $4.8 million settlement, the largest ever paid, stemming from a security breach three years ago.
New York and Presbyterian Hospital and Columbia University self-reported the unintentional disclosure of 6,800 patients electronic Protected Health Information (PHI) in September 2010. The providers became aware of the situation when an individual reported that they found PHI of a deceased loved one on the internet; the information was accessible via Google search.
As with most catastrophic blunders, this one was arrived at by a series of several smaller, preventable mistakes. Below are the preventable HIPAA compliance security errors/oversights listed by HHS that led to the breach:
- “lack of technical safeguards”
- “neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections”
- “neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI”
- neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI””
- “NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management”
This is yet another example that even high-profile, teaching facilities are often not secure or efficient at managing the challenges of electronic PHI. The troubling question this evokes, unfortunately, is how are institutions with less funding or staffing maintaining HIPAA compliance in the digital age when even the prestigious institutions are struggling?
It means that companies need to find alternative means to provide these capabilities. Many businesses have tools in place to provide some level of security for their environments, but how do you know they’re working? More importantly, how do you know if they are not? Are they the right tools to protect everything you have? Have you re-evaluated since the last time you added a server or upgraded an application?
Our managed security solutions are meant to provide these security safeguards, with flexibility, operational efficiency and a team to back it up. That means better security, better reporting, someone to ask the critical questions too and overall better security posture for businesses.