Although more than enough has been said about the importance of encryption in safeguarding protected health information (PHI), data breaches caused by a lack of encryption are still occurring. Almost every other day there is a new headline about a healthcare institution or hospital suffering a HIPAA breach. It is disturbing that we still see massive numbers of breaches whose root causes remain the most preventable, avoidable behaviors. While there has been persistent emphasis on the need to conduct risk analysis and encrypt data, many providers have yet to take these calls to action seriously. Two recent incidents ended with the entities involved paying the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations.
Failure to analyze the risks associated with health information, and negligence or irresponsibility in safeguarding PHI, are inevitably followed by settlements and penalties. This is clearly illustrated by the case of Concentra Health Services (Concentra), where OCR opened a compliance review after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. The investigation revealed that although Concentra had recognized the lack of encryption on its laptops and other devices containing electronic protected health information (ePHI), its incomplete and inconsistent efforts to remedy this left ePHI vulnerable throughout the organization. OCR’s investigation further revealed that Concentra had insufficient security management processes in place to safeguard patient information, and Concentra consequently paid OCR $1,725,220 to settle potential violations.
Breaches involving the theft of unencrypted computers clearly indicate that lack of encryption remains one of the top causes of data breaches. Susan McAndrew, OCR’s deputy director of health information privacy, emphasizes that encryption is your best defense against these incidents. Every covered entity and business associate needs to understand that mobile device security is a crucial obligation. Nevertheless, stolen or lost unencrypted mobile devices continue to pose a significant threat to healthcare entities. Take the example of QCA Health Plan, Inc. of Arkansas. OCR received a breach notice in February 2012 reporting the theft of an unencrypted laptop computer containing the ePHI of 148 individuals from a workforce member’s car. OCR’s investigation further revealed that QCA had failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, resulting in a $250,000 monetary settlement.
What these incidents repeatedly remind us is that protecting patient health information requires serious, continual effort. Firstly, healthcare entities should know that encryption is a must, and that one good reason to get an encryption program started soon is the HIPAA Omnibus Rule, which necessitates encryption. Covered entities should remember that non-compliance under the HIPAA Omnibus Rule can attract penalties.
Comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC can facilitate meeting this ongoing requirement. With built-in policies, procedures, and frameworks for HIPAA compliance, these security solutions can greatly simplify the process of compliance and dramatically improve the security posture of healthcare entities.
Thanks for the thought-provoking comment. In my experience the real issue is the less than adequate way we manage credential logins. Expecting everyone to have the organization skills to keep up with the dozens of passwords/passcodes modern life demands is crazy. IMHO the reason people won’t deploy encryption is they are afraid of locking themselves out of their own systems. Most enterprises need to invest in password management resources to reduce the burden of the fragmented infrastructure (cloud services) they expect employees to access. While there is no silver bullet solution today, an organization must deal with credentials management to enable the effective deployment of enterprise security. I believe the current trend of moving to two- and three-factor authentication is a band-aid that ultimately makes the problem even more unmanageable for the average user. What is your favorite method of credentials management?