05-01-13 | Blog Post
Last March, the Utah Department of Technology Services (DTS) was hacked and 280,000 individuals had their Social Security numbers compromised. A year later, a report is released revealing that the state has spent about $9 million total on remediation – including security audits, upgrades and credit monitoring for victims, in addition to $770/20 hours in resolution for each of the 122,000 victims. Total fraud could amount to $406 million (Javelin Strategy & Research).
This data breach exemplifies the major financial consequences of a misconfigured server, as I wrote about last April in Server Hack Leads to HIPAA Violation by Utah Department of Health. The Salt Lake Tribune reports that a server containing Medicaid data was compromised after it was placed online without changing the vendor-supplied password.
The data was unencrypted; a best practice particularly when it comes to abiding by the Health Insurance Portability and Accountability Act (HIPAA), the laws created to protect patient data. Read more about encryption in Encrypting Data to Meet HIPAA Compliance.
Changing vendor passwords is another general best practice when it comes to security, particularly with servers containing protected health information (PHI). This is a basic security practice that all IT staff should be aware of – particularly in the healthcare industry, but also for any company that is security-conscious.
To meet HIPAA compliance, the standard for Security Awareness and Training (164.308(a)(5)) is part of implementing the Administrative Safeguards required by the HIPAA Security Rule. Acknowledging that many security risks and vulnerabilities are internal, the standard requires:
Implement a security awareness and training program for all members of its workforce (including management).
The rule requires training of the entire workforce by the compliance date of the Security Rule, with additional periodic retraining whenever any environmental or operational changes occur that may affect the security of sensitive data. With any new policies and procedures, upgraded software or hardware, new security technology, etc., security retraining is required. Read more on Staff Training as part of the Administrative Security tools required to keep data secure.
These security practices apply even if you decide to outsource your IT operations to a hosting company – if you’re seeking a HIPAA compliant hosting provider to maintain your servers, choose one that has undergone an independent audit to verify they can provide the optimal level of security needed in their data centers and throughout their company.
Read more in our HIPAA Compliant Hosting white paper for a complete guide to the technical, physical and administrative security required to meet compliance.
Read more about data breaches and resolutions in:
Healthcare Data Breach Leads to Prison Time; Class Action Lawsuit
For two years, a former emergency department worker of Florida Hospital Celebration gained unauthorized access to more than 763,000 electronic patient health records and sold 12,000 of them to a co-conspirator (and operator of two chiropractic centers) to solicit patients … Continue reading →
2013 State of HIPAA Encryption & Authentication for Healthcare
According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, … Continue reading →
HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates
Of the HIPAA data breaches reported in 2013 so far, nearly 40 percent have involved a business associate. A look at the overall percentage of business associate involvement with data breaches dating back to 2009 reveals that almost 30 percent … Continue reading →
References:
Financial Pain Ensues When Custodians of Health Fail to be Good Stewards of Privacy
Report: Utah’s Health Data Breach Was a Costly Mistake