The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently announced that the Children’s Medical Center of Dallas has been fined $3.2 million for multiple HIPAA violations.
On January 18, 2010, Children’s acknowledged that an unencrypted, non-password protected BlackBerry containing 3,800 people’s PHI was lost at Dallas/Fort Worth International Airport on November 19, 2009 — and on July 5, 2013, Children’s acknowledged that an unencrypted laptop containing 2,462 people’s PHI was stolen from its premises sometime in early April of 2013.
“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” OCR said in a statement.
Despite the fact that Children’s clearly knew about the importance of encrypting patient data after the 2009 breach, it continued to issue unencrypted BlackBerry devices to its nurses and allowed employees to use unencrypted laptops and other mobile devices until the 2013 breach.
“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” OCR acting director Robinsue Frohboese said in a statement.
Alertsec CEO Ebba Blitz told eSecurity Planet by email that it’s important to remember that HIPAA is ultimately about protecting individuals’ privacy. “It is of great importance that an IT department makes sure every portable device is encrypted — including phones, tablets and all laptops — as these not only store data locally, they can also be the gateway into the network,” she said.
“The best way to be on top of this is to either manage all devices in-house and not let anyone use their own device, or have a clear strategy for how to mitigate the risks of BYOD (Bring Your Own Device),” Blitz added. “I should underscore that password protection is not the same as encryption.”
According to the results of a recent Ponemon Institute survey of 641 people involved in risk management activities within their organizations, 76 percent of respondents’ companies don’t have a comprehensive risk management strategy in place.
The survey, sponsored by RiskVision, also found that respondents’ leading concerns regarding a lack of risk management are long-term damage to brand and reputation (63 percent), security breaches (51 percent), business disruption (51 percent), and intellectual property loss (37 percent).
While 83 percent of respondents said managing risk in their organization is either a “significant” or “very significant” commitment for them, just 14 percent of respondents said their organization’s risk management processes are truly effective.
Fifty-two percent of organizations don’t have a formal budget for enterprise risk management.
“In light of numerous large-scale and high profile data breaches in the headlines throughout 2016, organizations are increasingly aware that they need to understand their risk exposure,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement. “And the biggest fear for most organizations isn’t security breaches, but long-term damage to brand and reputation.”
“While security breaches are costly to detect and remediate, the expenses are finite,” Ponemon added. “On the other hand, expenses around compliance, customer attrition and negative public relations incurred due to the resulting loss of brand and reputation are ongoing, sometimes dragged out for months or even years, and are much more difficult, if not almost impossible to predict or gauge.”