Why HIPAA fines are on the rise—and getting heavier
As I’m writing this article in late August, there are already 10 HIPAA settlements issued this year to healthcare providers or their business associates, with more expected to come by the year’s end. This demonstrates that the number of fines imposed by the Department of Health and Human Services is on the rise.
These fines have been noteworthy, gaining the attention of both hospitals and business associates, which are persons or (more commonly) entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity.
Whether or not HHS should be issuing more fines is up for debate, but keep in mind a few things:
- There is a clear upward trend in the number of HIPAA settlements.
- HIPAA settlement amounts always accompany a resolution agreement between HHS and the covered entity or business associate, and this process takes a long time, usually two to three years. The resolution agreement outlines certain obligations and reports that will be provided to HHS, generally for a period of three years. Any agreement you see posted publicly in 2016 has probably been in the works since at least 2013. There are certainly more in flight right now that will be posted in the upcoming months.
- The settlement amounts are quite high: the average HIPAA settlement amount for the 10 issued in 2016 is more than $2 million. HHS couldn’t be more clear about what they are trying to do with comments like this: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”
In every statement announcing a new HIPAA settlement, HHS encourages hospitals and business associates to return to security fundamentals and perform a comprehensive risk analysis and manage risks. Speaking from my experience as a former hospital SecOps lead—10 HIPAA settlements in a year (and climbing) is certainly sufficient to get hospitals’ attention.
Federal penalties get hospitals’ attention, but do they call attention to the right thing? When you examine the causes of the lost patient data in each of the 39 HIPAA settlements, the vast majority are not related to cyber breaches. Almost all of the penalties were issued for incidents involving lost or stolen unencrypted laptops that stored PHI. I guess that is to be expected, considering any penalties published this year were violations in 2013 (since the legal process takes about three years), and at that time, hospitals were primarily running Windows XP, which doesn’t offer native encryption like Windows 7.
HHS made a smart move to keep highlighting the importance of comprehensive risk analysis and risk management rather than focusing only on self-audits to ensure full disk encryption of all hospital PCs. Full disk encryption monitoring is really important to get right, and it will get easier as more hospitals retire their last Windows XP machines for Windows 7 with native BitLocker.
However, just looking at that one problem would be too narrow of a focus. Full disk encryption monitoring is only one of the many best practices for a hospital’s security team.
The top best practices to keep medical facilities from becoming targets of an upcoming wave of HHS penalties include:
- Produce a monthly encryption compliance report. The CISO must receive this report every month. Include every asset in the asset inventory in the review, both Windows- and Mac-based laptops and workstations. Consider black-holing non-compliant, unencrypted PCs on the network.
- Maintain proof of encryption for all assets. Suggested guidelines:
  - Windows 7 PCs: Ensure that proof of encryption is available for all managed Win 7 assets in a centralized encryption console such as Microsoft’s BitLocker.
  - Windows XP PCs: Ensure that proof of encryption is available for all managed Win XP assets. Third-party (non-Microsoft) software is required.
  - Macs: Third-party software is required for centralized management of the Mac’s FileVault full disk encryption. If you don’t centrally manage your Macs yet and don’t have too many deployed, you can build a database of screenshots. It is a highly manual process, but it becomes useful if a Mac is lost or stolen.
- Ensure patches are applied to systems in a timely manner. Review patching processes for all managed systems and confirm that patches are applied within 30 days of release. Include third-party software such as Adobe Acrobat and Flash.
- Document action plans to upgrade or decommission remaining Win XP systems. Windows XP is no longer supported, so its vulnerabilities go unpatched. Either upgrade the systems or deploy advanced endpoint protection to prevent them from being compromised.
- Review network documentation every six months. Confirm there is a single document showing the entire network architecture. Review the current VLANs, VRFs and zones configured in the environment and any plans for upcoming improvements. Confirm medical devices and PCI devices are isolated from the internal network.
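To make the first two practices above concrete (the monthly encryption compliance report and per-platform proof of encryption), the following Python script is example code added here, not a tool from the original article. The inventory, the console exports, the hostnames and the field names are all constructed samples; the Win 7 states mimic BitLocker's reporting, while the XP console and the Mac screenshot database are hypothetical.

```python
# Monthly encryption compliance report over constructed sample data: joins the
# asset inventory against each platform's encryption console export and lists
# every asset that lacks proof of encryption, which the CISO reviews monthly.
# Constructed inventory: (hostname, platform, owner). Not real hosts.
INVENTORY = [
    ("HOSP-WS-001", "win7", "radiology"),
    ("HOSP-WS-002", "win7", "er"),
    ("HOSP-LT-010", "winxp", "billing"),
    ("HOSP-LT-011", "winxp", "billing"),
    ("HOSP-MAC-020", "mac", "marketing"),
    ("HOSP-MAC-021", "mac", "research"),
]
# Constructed console exports keyed by hostname. Win 7 states mimic BitLocker's
# reporting; the XP console and the Mac screenshot database are hypothetical.
BITLOCKER_EXPORT = {"HOSP-WS-001": "FullyEncrypted", "HOSP-WS-002": "EncryptionInProgress"}
XP_CONSOLE_EXPORT = {"HOSP-LT-010": "encrypted"}
FILEVAULT_EVIDENCE = {"HOSP-MAC-020": "filevault-2016-08-01.png"}  # manual screenshots
ENCRYPTED_STATES = {"FullyEncrypted", "encrypted"}  # "in progress" is not proof
CONSOLE_FOR = {"win7": BITLOCKER_EXPORT, "winxp": XP_CONSOLE_EXPORT}


def proof_of_encryption(hostname, platform):
    """Return (compliant, reason) for one inventoried asset."""
    if platform == "mac":
        if hostname in FILEVAULT_EVIDENCE:
            return True, "FileVault evidence: " + FILEVAULT_EVIDENCE[hostname]
        return False, "no FileVault evidence on file"
    console = CONSOLE_FOR.get(platform)
    if console is None:
        return False, "unknown platform: " + platform
    state = console.get(hostname)
    if state is None:  # never checked in: treat as unencrypted, not as unknown
        return False, "never reported to encryption console"
    return state in ENCRYPTED_STATES, "console state: " + state


def compliance_report(inventory=INVENTORY):
    """Evaluate every inventoried asset; non-compliant ones form the block list."""
    noncompliant = []
    for hostname, platform, owner in inventory:
        ok, reason = proof_of_encryption(hostname, platform)
        if not ok:
            noncompliant.append({"host": hostname, "platform": platform,
                                 "owner": owner, "reason": reason})
    compliant = len(inventory) - len(noncompliant)
    return {
        "total": len(inventory),
        "compliance_pct": round(100.0 * compliant / len(inventory), 1),
        "noncompliant": noncompliant,
        "block_list": sorted(n["host"] for n in noncompliant),  # black-hole candidates
    }
```

An asset that has never checked in to its console is reported as non-compliant rather than silently skipped, which is the gap a real report most often misses.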