
The Increasing Importance of Cyber Coverage for Medical Facilities


The U.S. Department of Health & Human Services (HHS) recently reached an agreement with two health care organizations over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. New York and Presbyterian Hospital (NYP) and Columbia University (CU) agreed to pay $4.8 million for failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. This was the largest HIPAA settlement to date.

The HHS investigated the medical facilities following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the electronic protected health information of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI. The HHS investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Due to a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, online.

The investigation also found that neither NYP nor CU made efforts before the breach to ensure that the server was secure and that it contained appropriate software protections. What’s more, it was determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. Also, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

In addition to the fines paid by both hospitals, they agreed to implement a substantive corrective action plan that includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

The security breach of patient information, the investigation, and the subsequent fines all highlight the importance of cyber security protocols and the protection of data. In fact, in March we addressed on our blog the fact that the healthcare sector suffered the highest rate of cyber attacks last year. According to a study by the non-profit Identity Theft Resource Center, health-care organizations suffered 267 breaches, or 43% of all cyber attacks, in 2013. Moreover, data breaches are costing healthcare organizations an estimated $5.6 billion annually, according to the Ponemon Institute.

Equally important as having robust security measures is a sound Cyber Liability insurance solution customized for healthcare facilities. At Axis Insurance Services, we offer Privacy & Network Security insurance programs for the healthcare sector. We understand the importance of this coverage to protect an organization’s assets and in assisting with reputational management. Our professional staff also understands the increased exposures medical providers face with tougher regulation and greater obligations to protect patient data. Give us a call at: (877) 787-5258 to help your organization with your cyber security protection.

 

Source: HHS


Blogged on: May 23, 2014 by Mike Smith