Beginning in March of 2016, Oklahoma State University’s Center for Health Sciences (OSU-CHS) was subject to a data breach impacting the protected health information (PHI) of almost 280,000 individuals. The initial breach, along with a later unauthorized access occurring in November of 2017, was not reported to the Office for Civil Rights at the Department of Health and Human Services (HHS-OCR) in a timely manner, resulting in a HIPAA violation penalty of $875,000 being levied against the university.
What Happened
OSU-CHS reported to OCR in January 2018 that one of their servers had been breached in November of 2017, causing the PHI of almost 280,000 individuals to be exposed. The breach was due to malware being uploaded to the server by an unauthorized third party, who was not named.
Further complicating the situation, CHS then reported an earlier breach that predated this one, beginning in March of 2016. At that time, CHS also reported that they had not been aware there was PHI on the affected server.
During the OCR investigation, evidence was obtained that showed noncompliance with HIPAA regulations and rules, including the breach notification standards, the evaluation of security requirements, and the risk analysis of the data being stored and its types. Essentially, CHS was not meeting the basic requirements of cybersecurity: due diligence and due care.
For reference, due diligence describes acting in a manner that continually supports due care and all that implies. Due care is using reasonable and effective measures to secure the data that you are charged with protecting. In other words, your organization must use at least a minimum level of planning and implementation of cybersecurity measures to guard against misuse or loss of data, and it must do this all the time. Of course, it is always better to use best practices rather than just the minimum, but that is for another conversation.
How Will This Affect You?
There is no doubt that as medical providers, or business associates to them, we try to understand the value of the data we collect and use on a daily basis. This data allows us to provide the best possible care in a timely manner. Sometimes, however, the lack of understanding that can come from ever-changing laws and regulations makes it possible to err in how we protect that data.
In the case of cybersecurity and HIPAA, it is our responsibility to always look ahead, to explore what upcoming legislation and regulations might mean to our business and our patients and associates, and to make sure our legal representatives are informing us as to how these new items will change our cybersecurity needs and requirements.
It is an effort that pays off in the end, in large part because we avoid situations like the CHS breach and the financial liability that follows from penalties or legal findings. It also pays off in social dividends: clients notice how much care you take in protecting not only their health but their information.
What Should You Do?
So what can we do to reduce the likelihood of errors cropping up? Crafting an appropriate and complete plan of action is important. Look at each type of data you own or handle on a daily, weekly, or even yearly basis and understand how it must be protected. This is part of data definition and classification. If you design your plans and implementation efforts around this, you will have the broadest coverage of requirements possible.
If you are dealing with health data, use HIPAA regulations and security recommendations to tailor the plan to what you need to put together. Personal credit information, personally identifiable information, and other types of sensitive data all have specific federal, state, and regulatory protections that are required or recommended as best practices.
Three more items of importance are:
- Policies and procedures
  - These help your organization garner buy-in from upper management and ensure that you are properly tracking how your organization acquires, uses, and stores information.
- Cybersecurity awareness training
  - Training your management, staff, and business associates in what information you use, how it is secured, and what to do when a potential breach occurs will help you avoid the types of problems and penalties that CHS has seen from their breach.
- Make cybersecurity an environmental component of your business every day and in every way
  - “Living and breathing” cybersecurity at all levels reduces the risk of breaches (intentional or unintentional) by simply making it part of your everyday life.
Remember in the end that cybersecurity never eliminates the possibility of breaches or loss of data. It is what is required to protect your organization from most of them, and it also gives you the ability to avoid greater financial loss due to regulatory penalties or legal actions. You can’t stop everything; it just isn’t possible. So stop what you can and continue to improve as you learn the lessons obtained during your recovery efforts.
Northstarr Recommendations
Your organization is a busy place, likely filled with busy staff, management, and customers. Even so, you want to ensure that everyone is protected and that the data you manage is safe from loss, corruption, or theft, but this takes time. Time is a valuable commodity, and you get the most return on it by being efficient and effective in how you use it. Northstarr System Solutions is a managed service provider (MSP) with decades of experience in cybersecurity and related IT fields, fully capable of leveraging that experience and expertise to your benefit. Let us do the work for you!
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!