After a bit of a lull, meaning pretty much a full calendar quarter, the Office for Civil Rights is back with another HIPAA settlement. The newest settlement involves Oklahoma State University – Center for Health Sciences (OSU-CHS) and a malware incident.
The Reported Background
As laid out in the Resolution Agreement and the OCR Press Release, OSU-CHS reported the data breach, as required by the Breach Notification Rule, on January 5, 2018. The report disclosed a malware incident that enabled the cyber attacker to obtain access to a web server maintained by OSU-CHS. The malware first impacted the system on November 7, 2017. In its investigation of the attack, OSU-CHS determined that files containing protected health information were uploaded to the web server.
At some point following the initial breach disclosure, OSU-CHS determined that the same web server had previously suffered from unauthorized access on March 9, 2016. That unauthorized access was apparently discovered on September 25, 2016. OSU-CHS asserted that it was unaware of any PHI being present on the web server during the 2016 incident. OCR’s press release seems to suggest that it views the first breach happening with the 2016 incident.
Once the facts were laid out, the alleged violations were laid out. Specifically, OCR faulted OSU-CHS for not complying with the following elements of HIPAA:
- Use and disclosures of PHI;
- Security incident response and reporting;
- Risk analysis (a standard for pretty much every settlement);
- Evaluation (this means periodically doing a technical and non-technical evaluation based on the changing environment);
- Audit controls;
- Breach notification to individuals; and
- Breach notification to HHS.
Based on all of those alleged deficiencies, OSU-CHS and OCR reached a resolution for the implementation of a Corrective Action Plan (the usual outcome) and a monetary payment of $875,000. As is so often the case with a HIPAA settlement, it is not very clear how the settlement amount was determined other than it can be fairly safely assumed that OSU-CHS has sufficient funds to pay a larger settlement.
One fairly clear point from the OSU-CHS settlement is that every malware incident needs to be fully investigated and no stone should be left unturned. While it is likely impossible to be able to stop every cyberattack, when the successful one does occur make sure that the potential impact can be determined. Reading between the lines of the Resolution Agreement, OCR seemed irked that OSU-CHS initially asserted that the 2016 incident did not impact PHI. However, the bare recitation of facts also does not reveal that the initial assessment turned out to be wrong. Instead, it almost seems as though OCR assumed that PHI must have been present in 2016 because it was in 2017. While the timeframes are close together, it is also not necessarily unreasonable to believe that use changed over time.
Going back to the takeaway though, when an incident does occur, a thorough investigation is necessary. Not only does the investigation help inform how to respond, but it may also help uncover unexpected impacts or operational deficiencies. An investigation that is not perceived to be in-depth enough leaves an organization open to questioning.
On the topic of investigations, it is also necessary to acknowledge that a thorough forensic investigation takes time and likely more time than the 60 day period to provide the breach notification as set out in the Breach Notification Rule. Worrying about timing on the notification front should not influence an organization to not conduct as thorough and comprehensive of an investigation as possible. At the same time, the timeframes of the Breach Notification Rule do need to be respected.
When looking at those potentially competing interests, it is essential to remember that a breach notification can be updated. Additional information can be provided over time as it is learned. A breach notification does not need to be a one-and-done communication. Arguably, individuals impacted by a breach will want to be kept up to speed and not left wondering what might have happened to their data.
Every time OCR announces a HIPAA settlement, each organization should review its own policies and procedures to ensure that they are current and being followed. Also, do the risk analysis required by the Security Rule every year. It is essential to good compliance and its absence is a sure way to undermine any dialogue with OCR about following all of HIPAA’s requirements.
This article was originally published on The Pulse blog and is republished here with permission.