News of security breaches has become so commonplace that we hardly react with surprise or outrage any longer. The scenario plays out in an almost scripted fashion. Computer hackers located in Russia or China identify a system’s vulnerability, break in, and steal sensitive customer or patient (in the case of electronic medical records) information. Defending against these outsider attacks has become a high priority for any organization which possesses confidential records. The failures which make headlines are those where data thieves have looted the systems of large entities containing millions of records and huge infrastructures. We’ve all been impacted to some degree as consumers, but as business managers and owners we may harbor a false sense of immunity to data security breaches. A recent action brought by the Department of Health and Human Services Office of Civil Rights (OCR) brings the problem closer to home for smaller entities which manage more limited amounts of information.
The case involves Anchorage Community Mental Health Services, Inc. (ACMHS), a five-facility nonprofit provider of behavioral health care services to children, adults and families in Anchorage, Alaska. As required by the Health Insurance and Portability and Accountability Act (HIPAA), ACMHS notified OCR of a breach of 2,743 patient records caused by malware on one of its desktop computers. OCR conducted an investigation of the incident and found ACMHS had failed to protect sensitive patient information. On December 10, 2014, ACMHS agreed to pay a $150,000 fine and undertake a corrective action plan to address the deficiencies which caused the breach. Here is what OCR’s investigation revealed:
1) ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization’s employees for a seven-year period, from 2005 to 2012.
The practices at ACMHS are not unique to health care providers. All too often organizations maintain a template of written policies and procedures which are not tailored to the organization’s actual method of operation. For health care providers, simply having in place template policies and procedures is insufficient to satisfy HIPAA requirements. Organizations outside the health care industry do not face monetary penalties for security breaches but nonetheless are exposed to data security risk for failure to evaluate compliance with written data security protocols.
2) ACMHS failed to update its software.
OCR found that the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software. The settlement agreement stated, ACHMS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.” Once again, all organizations, not just health care businesses, can suffer losses for delaying or neglecting software updates. It’s not always an easy task, and the cost to implement an upgrade may push it down on the company’s priority list. But the downside to avoiding the upgrade process has potential for serious consequences, not to mention the eventual value impact on the organization caused by using old software.
C3 Advisors, LLC
December 15, 2014
C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.
Process Optimization focuses on establishing formalized operational functions that facilitate increased productivity, mitigate risk, and provide the foundation for optimal profitability.
People Integration addresses staffing and workforce issues that are critical to the success of continually cost efficient, low risk and productive processes.
Technology Maximization ensures the ROI on a technology investment is fully realized through complete use of systems functionality and business intelligence.
We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at http://www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or email us at debd@c3advisors.com.
Find us on Facebook and LinkedIn. Subscribe to our newsletter by emailing debd@c3advisors.com.
C3 Advisors 