Head In the Sand Leads to HIPAA Fine

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

Continuing a hot streak in the fall of 2020, the Office for Civil Rights announced another HIPAA settlement with a business associate on September 23, 2020. The $2,300,000 fine was imposed on a business associate following a months long cyberattack that resulted in the exfiltration of data for more than 6 million patients.

The facts of the settlement are particularly troubling and offer targeted lessons or warnings depending on the point of view. As laid out in the Resolution Agreement, CHSPSC, LLC was attacked by an outside attacker on April 10, 2014. On April 18, 2014 (within 8 days), CHSPSC received notification of the intrusion from the FBI. While it can be understandable why CHSPSC did not find the intrusion within 8 days, the response to the FBI’s notification is where the wheels were shown to fall off. Instead of taking immediate (or impactful) action, it was subsequently determined that intrusion activity continued until August 18, 2014. The continued access by the attacker does strongly suggest that no response was implemented by CHSPSC.

The problems only compounded once the breach was finally cut off. As typically happens, an investigation by OCR ensued and, also as happens often, widespread non-compliance was found. The findings by OCR included:

  1. No requirements around preventing unauthorized access;
  2. Failure to mitigate the impact of a known security incident;
  3. Failure to have technical policies and procedures to only allow access to individuals or programs that have been granted access rights;
  4. Failure to regularly review system activity; and
  5. Failure to conduct a risk analysis (the finding that shows up in almost every settlement).

Reading between the lines of the settlement, it is arguably apparent that CHSPSC tried to take an approach of hiding its head in the sand and desperately hoping that the problem would go away. Unfortunately, hiding one’s head in the sand is not a valid approach because the world continues to spin and problems continue to mount.

Since hoping a problem will go away is not a valid approach, what can be done? One hint is contained in the finding of CHSPSC’s failures. Specifically, the required element of HIPAA Security Rule compliance of regularly reviewing information system activity including audit logs and access reports. The regular review of those aspects of a system can help find irregularities, whether caused externally or internally, and better protect the private information entrusted to entities.

Monitoring systems is not historically an easy task, especially as the size and scope of systems has continued to grow. However, the rise of technology also means improved tools to automate the monitoring of systems. The tools also enable more comprehensive review because the automated tools can scan the entire system whereas previous manual efforts relied upon random sampling. Regardless of the approach, the mandate to monitor and respond cannot be ignored.

Malicious attacks will never stop and it will never be possible to stop all of those attacks. However, it is possible to be nimble, quickly find issues, and cut off negative impacts as soon as possible. Healthcare organizations, as stewards of vast quantities of sensitive private information, must take the role seriously and explore utilization of all helpful tools.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.