The Incident and the Investigation
In May 2015, the NYPD informed Montefiore Medical Center that there was evidence that patient information had been stolen from the hospital’s database. It turns out, the culprit was an employee.
For six months, the employee in question stole patient protected health information (PHI) and sold it to an identity theft ring. What’s worse is, the incident occurred two years prior to the NYPD informing them, putting into question the data security practices of Montefiore.
Upon learning of the incident, Montefiore Medical Center filed a breach report with OCR, which triggered an investigation into their HIPAA compliance.
The HHS investigation uncovered several potential HIPAA Security Rule violations, including failure to:
- Analyze and identify potential risks and vulnerabilities to protected health information
- Monitor and safeguard its health information systems’ activity
- Implement policies and procedures that record and examine activity in information systems containing or using protected health information
OCR Director Melanie Fontes Rainer commented, “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls.
This likely will not be the only HHS settlement resulting from a cyber attack this year.
“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” said HHS Deputy Secretary Andrea Palm. “Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”
To prevent a similar incident from occurring in the future, Montefiore must implement a corrective action plan that includes:
- Conducting an accurate and thorough security risk assessment of the potential security risks and vulnerabilities to ePHI
- Developing a written risk management plan to address and mitigate security risks
- Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use ePHI
- Reviewing and revising written policies and procedures to comply with the HIPAA Privacy and Security Rules
- Providing training to its workforce on HIPAA policies and procedures
HHS Recommendations for Preventing Cyber Attacks
With the rise in cyberattacks targeting healthcare organizations, the HHS recommends that organizations:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations
- Integrate risk analysis and risk management into business processes; and ensure that they are conducted regularly
- Ensure audit controls are in place to record and examine information system activity and regularly review activity
- Utilize multi-factor authentication to ensure only authorized users are accessing protected health information
- Encrypt protected health information to guard against unauthorized access
- Incorporate lessons learned from previous incidents into the overall security management process
- Provide training specific to the organization and job responsibilities on a regular basis
Ensuring Effective Compliance
Tracking and managing all that goes into HIPAA compliance can be daunting. Compliancy Group’s healthcare compliance tracking software provides you with the tools you need to execute an effective compliance program. The software includes risk assessments, corrective action plans, policies and procedures, and workforce training. Administrators can easily view their overall compliance status right from the dashboard and download reports on their program’s effectiveness. Don’t leave compliance up to chance. Use Compliancy Group’s healthcare compliance software to manage your program today!