06-04-13 | Blog Post
The latest HIPAA data breach case resulting in Dept. of Health and Human Services fines involves disabled server firewall protections that left the ePHI (electronic protected health information) of 17,500 patients vulnerable for at least 10 months.
According to the HHS, Idaho State University had never conducted a risk analysis of the confidentiality of their ePHI over a five-year period. They also didn’t regularly review logs of system activity in order to track how ePHI was used or disclosed for five years, according to the resolution agreement.
To avoid a similar fate, a web application firewall (WAF) can be deployed to protect your web servers and databases. A WAF is a physical device that sits behind your virtual or dedicated firewall and inspects incoming traffic to your web servers for malicious requests that could affect the web application server. A WAF uses dynamic profiling to learn what kind of traffic and which users are normal, and what could potentially be malicious traffic.
The technical safeguards of the HIPAA Security Rule dictate that covered entities and business associates that collect, store or transmit ePHI must:
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (Standard 164.312(e)(1)).
Daily log review is another best practice for data security, since it allows you to track, analyze and archive user activity on your systems to determine who is accessing what and whether there is any unauthorized activity.
HIPAA requires the ability to monitor log-in attempts and report discrepancies (§164.308(a)(5)(ii)(C) of the HIPAA Security Standards Administrative Safeguards). As a subset of the Security Awareness and Training Standard (§164.308(a)(5)), log-in monitoring requires tracking failed log-in attempts so that workforce members are made aware of password management and proper system use.
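As an added illustration (not from the original post or any vendor product), the following Python routine performs the kind of failed log-in review described above over constructed sshd log lines. The host name, account names, addresses and the three-failure threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in the syslog format written by OpenSSH's sshd.
# Host, users and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jun  4 08:01:12 ehr-app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  4 08:01:15 ehr-app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun  4 08:01:19 ehr-app1 sshd[2104]: Failed password for jdoe from 203.0.113.7 port 51030 ssh2
Jun  4 08:02:02 ehr-app1 sshd[2110]: Accepted publickey for jdoe from 192.0.2.15 port 40211 ssh2
Jun  4 08:03:44 ehr-app1 sshd[2120]: Failed password for jdoe from 203.0.113.7 port 51044 ssh2
Jun  4 08:04:01 ehr-app1 sshd[2125]: Failed password for jdoe from 203.0.113.7 port 51045 ssh2
Jun  4 08:04:09 ehr-app1 sshd[2130]: Failed password for jdoe from 203.0.113.7 port 51046 ssh2
Jun  4 09:15:30 ehr-app1 sshd[2200]: Failed password for msmith from 198.51.100.20 port 60012 ssh2
"""

# Matches only failed password attempts; "invalid user" marks accounts that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, source_ip) tuples, one per failed log-in line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("src")))
    return events

def summarize_failed_logins(events, threshold=3):
    """Count failures per (user, source) and flag pairs that reach the threshold.
    The threshold is an assumed local review policy, not a value set by HIPAA."""
    counts = Counter((user, src) for _, user, src in events)
    flagged = sorted(pair for pair, n in counts.items() if n >= threshold)
    return counts, flagged

def review_report(counts, flagged):
    """Build the lines a daily reviewer would record, listing every pair and the discrepancies."""
    lines = [f"{n} failed log-in(s): user={user} from={src}" for (user, src), n in sorted(counts.items())]
    lines += [f"DISCREPANCY: user={user} from={src} exceeded threshold" for user, src in flagged]
    return lines

if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    for line in review_report(*summarize_failed_logins(ev)):
        print(line)
```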
A HIPAA risk analysis is the foundation of achieving compliance and securing ePHI. Here’s a list of what the HHS HIPAA Security Standards Guide requires:
For details on each component, read What’s in a HIPAA Risk Analysis?
For a complete guide to HIPAA hosting, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
References:
Resolution Agreement: HHS and ISU (PDF)
Idaho State University Settles HIPAA Security Case for $400,000