We frequently see headlines involving insurance companies, large practices, and health systems assessed with multi-million dollar fines for Electronic Protected Health Information (ePHI) breaches. Small groups may think that large fines and breaches only happen to large organizations with huge data systems and that a small organization is not on the radar for enforcement of the Health Insurance Portability and Accountability Act (HIPAA). There is a fallacy, however, in thinking that “it could never happen to me”. In December 2014, The Department of Health and Human Services (HHS) announced a $150,000 settlement with Anchorage Community Mental Health Services (ACMHS), a small nonprofit organization providing behavioral health services to children, adults, and families in Anchorage, Alaska. The ACMHS breach involved the leak of 2,743 records containing ePHI from their office systems. ACMHS made three very common errors, resulting in malware (viruses) compromising the security of its systems and causing the breach.
First, ACMHS utilized outdated systems that no longer had routine security patching. For example, many practices are still utilizing Microsoft Windows XP and Microsoft Windows Server 2003. The last and final security patch for Windows XP was released on April 8, 2014. Since Microsoft has stopped making security patches for it and criminals have not stopped exposing vulnerabilities, it is nearly impossible to use Windows XP with ePHI in a HIPAA-compliant manner. Similarly, Windows Server 2003 will receive its last patch on July 14, 2015. After the final security patch is made, it will become virtually impossible to use Windows Server 2003 for ePHI without violating HIPAA rules and regulations.
The second error made by ACMHS was that it failed to implement a system of routine patching for security vulnerabilities on its more current software. Having a current software is only half of the battle. Without a system in place to implement and monitor routine patching, your ePHI data is vulnerable to a data breach.
Finally, ACMHS failed to perform a security risk assessment, which is a requirement of the HIPAA Security Rule. A properly performed risk assessment would have identified the hazards associated with using outdated or unpatched software. Creating an action plan from the risk assessment would have significantly reduced the probability of the malware causing a breach of that magnitude.
The HHS investigation found that ACMHS formally adopted the HIPAA Security Rule in 2005, but failed to implement its requirements. Adopted policies and risk assessments are not useful on paper alone. They must be implemented in order to be effective. Fines and penalties rest, not only on the breach itself, but also on the organization’s knowledge of the law and of the vulnerabilities that the practice had prior to the breach. In the case of ACMHS, where the practice had full knowledge of the risks and chose not to do anything about it, they were categorized as being in willful neglect of the law. The penalties for willful neglect are substantially higher – up to $50,000 per record breached. By adopting the security rule without implementing it, ACMHS substantially increased their risk for higher monetary forfeitures. The case of ACMHS serves as a reminder to small organizations to stay on top of protecting their ePHI.
Tim Annable, CMPE, MCSE is EMP’s Chief Executive Officer.