Jocelyn Samuels was named the Director of the Office for Civil Rights (OCR) in Jun 2014. In December of 2014, the OCR issued its first HIPAA-related settlement under its new Director, against Anchorage Community Mental Health Services (ACMHS) for a data breach affecting 2,743 individuals. The breach was tied to improper following of Security Rule policies and failure to address basic security principles such as patching and updating software.
Although this case was related to insecure software that allowed for malware to enter the system, the bulletin issued by the Director underscores the need to perform, and act upon, regular risk assessments. “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” notes OCR Director Jocelyn Samuels.
This advice applies to all industries, but particularly so to healthcare organizations who face the highest increase in data breaches in the past few years. Given that a single healthcare record can sell for $20 on the black market, with a whole dossier worth up to $500, healthcare is increasingly becoming a target by cybercriminals.
78% of data breaches in the healthcare sector are due to lost or stolen devices, a far greater proportion than in other industries, though healthcare organizations are also facing an increase in cyber attack. The growing rate of attack, coupled with inconsistent data security and employee negligence, could mean that healthcare organizations are poised for a spike in data breach frequency. Policies are worthless if not maintained and enforced. Software is useless if not patched. These are basic oversights that the Director has emphasized in this settlement.
As the lawyers at Davis Wright Tremaine LLP noted in their own observation of this news, “Considering the costs associated with breach investigations and notifications, government investigations that may span years, and defending class action lawsuits, addressing data security and compliance gaps before a breach happens is more critical now than ever before.”
For more on healthcare security, read our recent post on the “Top Tips for Keeping Patients’ Healthcare Data Protected.”