In 2013, the University of Massachusetts - Amherst (UMass Amherst) was embroiled in a health data security breach. A workstation was infected with malware, leading to a HIPAA violation involving the protected health information of 1,670 people. Skip ahead three years, and UMass Amherst has settled the resulting enforcement action brought by the US Department of Health and Human Services (HHS).
According to the terms, the university will cough up $650,000 and will implement a corrective action plan that will hopefully prevent similar and other future incidents.
Malware. Just like you never know when some guy's going to stick a computer down his pants in order to boost it, malware can attack you in the most unexpected ways, at the most unexpected times. (Incidentally, people have been caught sticking desktop computers down their pants, not just laptops. And not just at Walmart, either. There's video footage floating around of a man doing so at a hospital.)
Combating malware is not easy, but it is made easier by following certain rules. Install good antivirus software. Ensure that it receives updates regularly. Make sure your firewall is up and running correctly. Don't visit sites that have a high probability of hosting malware. Don't download and install untrustworthy apps and software.
It looks like UMass Amherst had all of this in place, which is de rigueur for covered entities. However, they had decided – incorrectly in hindsight – that their Center for Language, Speech, and Hearing (CLSH) was not a "health care component," and hence not included under HIPAA compliance rules.
In turn, this probably led them to be more relaxed when it came to data security. And the rest, as they say, is history. Three years and $650,000 worth of history.
About five years ago, the big thing when it came to medical data security was the loss and theft of devices that held patient data: laptops, desktops, external and portable storage devices, paper files, smartphones, and so on.
As businesses and organizations made greater incursions into the cloud, public and private, we've seen less of the old-style data security breach (or at least fewer reports of it) and more of the "new" type: your average malware, your specialized malware (like ransomware, which encrypts your files and holds the key for ransom), DDoS, accidental leaking of files, and so on. In the past month, St. Joseph Health also settled with HHS (for $2.14 million) because its internal files were accessible to search engines.
It feels like things have changed. And in a sense, they have. But not really.
The need to properly protect patient data (not computers; the focus has always been on the data) has existed forever, and in the US it was made into law twenty years ago under Bill Clinton's presidency. We must assume that the law arose because there was a need at the time. Regardless, the government, it can safely be said, gave it a low priority, and businesses proceeded to pay little to no attention to medical data security for the next 15 years or so.
With the passage of HITECH, the government gave data security more attention. Businesses started taking notice. And then, Boston's Massachusetts General Hospital got fined $1 million in 2011 for a data breach. Businesses started doing more than taking notice.
Because, if MGH can be fined a million bucks for fewer than 30 pages of patient printouts, HHS certainly won't hesitate to fine an organization for the loss of a computer or USB stick holding information on thousands of patients. People started encrypting their laptops.
Why? Because the loss and theft of laptops was trending in the news. Then USB stick losses started trending. External drives and USB sticks got encrypted. Basically, HIPAA covered entities have been playing catch-up ever since HITECH.
And, in that sense, not much has changed.
For a while, security experts were suggesting that covered entities encrypt anything capable of digital storage. With people emailing, FTP-ing, uploading, downloading, backing up, and copying and pasting sensitive files, it was impossible to tell where a file would end up, so the advice was to just encrypt everything you possibly can.
Others suggested that a more thought-out method was necessary. It was the more realistic approach in terms of money and time. If a company has 1,000 laptops but only 10 hold data that needs encrypting, why spend the time and money to protect the remaining 990? Furthermore, a company would be more likely to encrypt at all if faced with a less financially arduous assignment.
In the end, the more precision-oriented approach won out. But as events show, the flip side of it is the increased need for constant vigilance and a proper understanding of what each part of the organization is actually doing with patient data, a feat that is nearly impossible once you reach a certain size. UMass Amherst's mistake was exactly this: a unit it did not think of as handling health data turned out to be doing so.