09-23-13 | Blog Post
Online Tech is exhibiting at the HIMSS Privacy & Security Forum here in Boston. Leon Rodriguez, Director of OCR for HHS, has completed the opening keynote with some really informative points.
Leon went through many different case reviews, explaining the reason the breach occurred. The first instance was with a Covered Entity (CE) that leased their photocopiers. When the copiers were returned the patient information wasn’t deleted by either the CE or the leasor. The reason this happened was the failure of the CE to do a thorough risk assessment to properly determine where patient information is stored. If this would have been properly assessed, a plan could have been made to address the risk.
The second issue was a series of breaches by WellPoint Inc. that left upwards of 600,000 patients with their data exposed. These were exposed from security weaknesses in the online database. The issue here is the failure to implement adequate procedures to ensure the only people accessing the data are the people authorized to do so. In this case there weren’t any technical safeguards in place to verify the legitimacy of the people accessing the database.
The last case review was about a patient that accused a hospital of fraud. The hospital, in turn, went to the media and discussed the issue, divulging the patient’s information in the process. Leon explained that while in some legal matters one party’s sharing of information can lead to the other party also sharing information, HIPAA does not work that way.
Of these topics, Leon stressed that the most important one is the issue of risk analysis. He stated that while our intuition would make us believe that small healthcare providers who have a more limited access to security resources would be the more problematic group, they’re finding that it’s happening at every level of care. As we create more technology, we create more places for ePHI to hide, causing a breach.
Leon also spent some time talking about mitigation costs as well:
Q:In the WellPoint example, do you have any insight into the costs?
A:I couldn’t speak to WellPoint, but generally, mitigation costs can be quite substantial. The importance is in encryption. The small investment in encryption often saves on breach mitigation costs. The costs in one case were $1.17 million- mostly in legal fees and the process of responding to the breach.
Leon also spoke about the addressable encryption requirement. He explained that there was a large gap between organizations that completed a thorough risk assessment and implemented encryption, compared to Covered Entities that did not do a risk assessment and did not implement encryption. He believes the cost of implementing encryption is overestimated.
If you’re at the HIMSS Privacy & Security Forum, come say hello to Online Tech in booth #106, or keep an eye on our twitter feed, @OnlineTech, as we’ll be keeping you up to date throughout the forum.