Disabled Firewalls, Lack of Log Monitoring & Risk Analysis Lead to HIPAA Data Breach

Posted 6.4.13 by wpadmin in Blog

The latest HIPAA data breach case resulting in Dept. of Health and Human Services fines involves disabled server firewall protections that left the ePHI (electronic protected health information) of 17,500 patients vulnerable for at least 10 months.

According to the HHS, Idaho State University had never conducted a risk analysis of the confidentiality of its ePHI over a five-year period. Over those same five years it also did not regularly review logs of system activity to track how ePHI was used or disclosed, according to the resolution agreement.

To avoid a similar fate, a web application firewall (WAF) can be deployed to protect your web servers and databases. A WAF is a physical device that sits behind your virtual or dedicated firewall and inspects incoming traffic to web servers for malicious requests that could compromise the web application server. A WAF uses dynamic profiling to learn which traffic patterns and users are normal and which could be malicious.

Web Application Firewall (WAF)

The technical safeguards of the HIPAA Security Rule dictate that covered entities and business associates that collect, store or transmit ePHI must:

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (Standard 164.312(e)(1)).

Daily log review is another best practice for data security since it allows you to track, analyze and archive user activity on your systems to determine who is accessing what and if there is any unauthorized activity.

Daily Log Review

HIPAA requires the ability to monitor log-in attempts and report discrepancies (§164.308(a)(5)(ii)(C) of the HIPAA Security Standards Administrative Safeguards). As a subset of the Security Awareness and Training Standard (§164.308(a)(5)), log-in monitoring requires tracking failed log-in attempts so that workforce members stay aware of password management and appropriate system use.
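One shape a daily review of failed log-in attempts can take, as an added example that is not part of the original post or of any Otava tooling: it parses constructed sshd-style auth log lines (the host name, user names and IP addresses below are made up), counts failed attempts per source address, flags sources at or above a review threshold, and records any successful log-in that follows failures from the same address, which is the discrepancy a reviewer would want to look at first.

```python
import re
from collections import Counter

# Constructed sample auth log lines (Linux syslog/sshd format); not real data.
SAMPLE_LOG = """\
Jun  4 08:01:12 ehr-web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jun  4 08:01:15 ehr-web1 sshd[2113]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Jun  4 08:01:19 ehr-web1 sshd[2115]: Failed password for jdoe from 203.0.113.9 port 51130 ssh2
Jun  4 08:01:24 ehr-web1 sshd[2115]: Failed password for jdoe from 203.0.113.9 port 51131 ssh2
Jun  4 08:01:30 ehr-web1 sshd[2117]: Accepted password for jdoe from 203.0.113.9 port 51140 ssh2
Jun  4 09:15:02 ehr-web1 sshd[2300]: Failed password for msmith from 198.51.100.7 port 40011 ssh2
Jun  4 09:20:44 ehr-web1 sshd[2310]: Accepted publickey for msmith from 198.51.100.7 port 40020 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Yield (timestamp, result, user, source) for each recognised sshd line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def review_logins(text, threshold=3):
    """Daily review: failures per source, sources over threshold, and successes after failures."""
    failures = Counter()        # source address -> number of failed attempts
    success_after_fail = []     # (user, source, failures seen from that source before the success)
    for ts, result, user, src in parse_events(text):
        if result == "Failed":
            failures[src] += 1
        elif failures[src] > 0:
            success_after_fail.append((user, src, failures[src]))
    flagged = {src: n for src, n in failures.items() if n >= threshold}
    return {"failures": dict(failures), "flagged_sources": flagged,
            "success_after_failures": success_after_fail}


if __name__ == "__main__":
    for key, value in review_logins(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above, 203.0.113.9 is flagged with four failures and both successes are reported because each follows at least one failure from the same address.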

A HIPAA risk analysis is the foundation of achieving compliance and securing ePHI. Here’s a list of what the HHS HIPAA Security Standards Guide requires:

  • Scope of the Analysis
  • Data Collection
  • Identify and Document Potential Threats and Vulnerabilities
  • Assess Current Security Measures
  • Determine the Likelihood of Threat Occurrence
  • Determine the Potential Impact of Threat Occurrence

For details on each component, read What’s in a HIPAA Risk Analysis?

For a complete guide to HIPAA hosting, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

References:
Resolution Agreement: HHS and ISU (PDF)
Idaho State University Settles HIPAA Security Case for $400,000
