Failed Firewall the Latest HIPAA Penalty

Mike Semel, Semel Consulting

400,000 reasons to check your network security.


Want to avoid a HIPAA penalty? Do you know…

  • what a firewall is?
  • the difference between a firewall and the simple network routers most of us use at home?
  • how to properly set up network perimeter security, monitor it, and understand its reports?
  • how to monitor your Information System to identify risky behavior?
  • how to conduct a HIPAA Risk Analysis in a way that would sustain a HIPAA audit or data breach investigation?

If you answered no to any of these, keep reading for 400,000 reasons to consider getting help so you know what is going on under the skin of your network.

On May 21 the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with Idaho State University (ISU) for a $400,000 HIPAA penalty because a firewall failed at a university health clinic and the resulting breach of 17,500 patient records was not detected for at least 10 months. As with other large HIPAA penalties, the triggering event (the firewall failure) led to an investigation that OCR said proved ISU had failed to complete fundamental HIPAA requirements.

Every day doctors order X-rays, MRIs, CTs, ultrasounds, biopsies, blood tests, and other tests and procedures to find out what is going on under a patient’s skin. A network vulnerability assessment can determine the level of security on your network and quickly identify deficiencies that need attention.

Idaho State University HIPAA Penalty

The first four HIPAA Security Rule requirements are a Risk Analysis, Risk Management, a Sanction Policy, and an Information Systems Activity Review. OCR said the $400,000 HIPAA penalty for ISU was for not conducting a risk analysis for over 5 years, not implementing security measures to reduce the risks and vulnerabilities for over 5 years, and not regularly reviewing records of information system activity for over 5 years. In human terms, it took longer to detect the firewall problem than it takes to have a baby, and the university did not comply with even the first requirements of HIPAA for so long that the baby would already be in kindergarten. It sounds like a HIPAA penalty was appropriate, considering that 5 years of ignoring HIPAA is a good sign of the Willful Neglect so frowned upon by OCR.

Many of the HIPAA penalties have referenced a failure to conduct a regular risk analysis. This is the most fundamental tool required to identify where electronic Protected Health Information (ePHI) is stored, and how it enters and leaves your system. The risk analysis identifies what vulnerabilities exist, the threats that may act on them, the likelihood of a threat acting on a vulnerability, and the resulting impact. This document must be reviewed at least annually and updated whenever there is a significant change to your computing environment. The risk analysis is the very first HIPAA Security Rule requirement, and a HIPAA penalty of $400,000 sends a serious message to those who think they can ignore it.

Once you have done your risk analysis you need to create a risk management process to address the risks with the highest likelihood or the highest impact. ISU did not have one.

The University not only ignored HIPAA but failed to monitor access to its patient data, which may have detected the firewall failure much sooner.

You probably can’t be compliant without professional help.

A risk analysis requires experience with HIPAA and a deep understanding of technology. The federal government says “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Firewalls are not even mentioned in HIPAA, but ISU paid a $400,000 HIPAA penalty because one of theirs failed. How can you penalize someone for violating a rule that doesn’t exist? In fact, the rule does exist. Even without mentioning firewalls or other specific technologies, HIPAA requires that ePHI be protected from loss or unauthorized access, and that endpoints be protected from malicious software. Information System Activity Reviews need to occur regularly to identify who is accessing patient data. Guidance from the National Institute of Standards and Technology (NIST) includes information about protecting networks and specifically mentions firewalls.
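To make the Information System Activity Review concrete, here is an added example (not from the article or from Semel Consulting) of the kind of review a clinic could run over its ePHI access logs. The log format, the clinic's internal address range (10.20.0.0/16), the authorized user roster, the business-hours policy and the sample log lines are all constructed for illustration. Records reached from addresses outside the clinic network are exactly the signal that would have exposed a firewall that had stopped filtering; unauthorized accounts and after-hours access are the other two checks an auditor expects to see.

```python
"""Information System Activity Review over constructed ePHI access logs.

Added example; the format, addresses, roster and policy below are
assumptions made for illustration, not the article's or any vendor's.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed: the clinic's internal range. Any access to the record
# server from outside it means the perimeter is not doing its job.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed: accounts authorized to view patient records.
AUTHORIZED_USERS = {"dr.lee", "rn.patel", "billing.ortiz"}

# Constructed policy: record access is expected between 07:00 and 19:59.
BUSINESS_HOURS = range(7, 20)

# Constructed log format: <ISO timestamp> <source IP> <account> <action> <record id>
SAMPLE_LOG = """\
2013-04-02T09:14:05 10.20.3.17 dr.lee VIEW MRN-0001
2013-04-02T09:20:41 10.20.3.22 rn.patel VIEW MRN-0002
2013-04-02T23:55:10 10.20.3.17 dr.lee VIEW MRN-0003
2013-04-03T02:07:33 198.51.100.23 dr.lee VIEW MRN-0004
2013-04-03T02:08:01 198.51.100.23 dr.lee EXPORT MRN-0005
2013-04-03T10:12:00 10.20.3.40 temp.account VIEW MRN-0006
"""


def parse_line(line):
    """Split one log line into its fields; raises ValueError on bad input."""
    ts, ip, user, action, record = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ipaddress.ip_address(ip),
        "user": user,
        "action": action,
        "record": record,
    }


def review(log_text):
    """Return one finding per policy violation found in the log text.

    Each finding is a dict with a category and the offending log line.
    A single line can produce several findings.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["ip"] not in INTERNAL_NET:
            # Perimeter check: external sources should never reach the record server.
            findings.append({"category": "EXTERNAL_SOURCE", "line": line})
        if entry["user"] not in AUTHORIZED_USERS:
            # Access-control check: account is not on the authorized roster.
            findings.append({"category": "UNAUTHORIZED_ACCOUNT", "line": line})
        if entry["ts"].hour not in BUSINESS_HOURS:
            # Behavioural check: access outside the hours the clinic operates.
            findings.append({"category": "AFTER_HOURS", "line": line})
    return findings


def summarize(findings):
    """Count findings per category for the review report."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f"{f['category']:<21} {f['line']}")
    print("Summary:", summarize(results))
```

Run on the constructed log, the review flags two accesses from an external address, one unknown account and three after-hours events. In practice the same three checks would be pointed at the real record system's audit log and run on a schedule, with the report kept as evidence that the review actually happened.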

Many health care organizations cannot afford full-time IT staff. Some choose a ‘break-fix’ relationship with an IT professional where they only call when they notice a problem. Like many serious health conditions including cancer, problems can occur silently without letting you know, and, like cancer, can have serious consequences if you aren’t tested.

In today’s hi-tech environment, with patient care relying on so many electronic systems, you need a technology relationship with a Managed Service Provider (MSP) who understands HIPAA. MSPs will not just properly set up a device; they can monitor and maintain it at a fraction of the cost of employing full-time staff. They can conduct periodic Information System Activity Reviews, and bring in compliance specialists certified and experienced in risk analysis and risk management. Most charge affordable monthly subscription-type fees and can help you feel safe that you won’t be on the health care news wire because of a $400,000 penalty.

Mike Semel is certified in HIPAA, has been the CIO for a hospital (a Covered Entity), and has provided IT support for healthcare providers (as a Business Associate). Mike is certified in Business Continuity planning and helped develop the CompTIA Security Trustmark. Semel Consulting offers a managed compliance service called HIPAA SOS, compliance audits, Meaningful Use Security Risk Analysis, and continuity planning. Visit for more information.