Lessons Learned from the MD Anderson Breaches
The MD Anderson Cancer Center at the University of Texas was recently fined $4.3 million by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) concerning data breaches that resulted in the loss of the health information of 33,500 patients.
In this article, we called on one of our healthcare experts, Security Consultant Jeremy Bess, to explain what lessons can be learned from the MD Anderson Cancer Center breaches.
Learn from Information Security Mistakes
In 2012 and 2013, MD Anderson suffered three distinct breaches of protected health information (PHI). The incidents included the theft of a laptop from an employee’s home and the loss of two different USB thumb drives, all containing unencrypted personal health data.
Putting aside the question of whether there was a legitimate business reason for the employees taking data home, the laptops and removable media should have had full-disk encryption with a password or PIN required to unlock them. Note what that does and does not buy you: full-disk encryption protects data at rest, that is, on a device that has been shut down or a drive that has been removed, which is exactly the theft-and-loss scenario here. It does nothing for a laptop left logged in and unlocked, so it has to be paired with screen locks and, for sleep mode, a policy that requires the pre-boot credential on wake.
“The first thing you should do is encrypt,” says Bess, who has more than 20 years’ experience as a healthcare IT/security professional. “There is no reason not to do it: It’s free, it comes built into most laptops and it’s easy to use.”
Bess adds that encryption used to be exorbitantly time consuming to roll out. Today deployment is significantly quicker and easier, and on current hardware it does not noticeably slow performance or hinder doctors’ ability to care for patients.
The nature of these incidents also underscores the importance of organizations carefully considering their remote work and mobile device management policies: whether PHI may leave the facility at all, on which devices, and how the organization will know.
According to Bess, all devices, including thumb drives and other file-sharing tools, should come from the IT department and be encrypted.
Follow Your Own Data Security Policies
MD Anderson had formal data encryption policies starting in 2006 but did not begin deploying an enterprise-wide solution for encrypting electronic protected health information (ePHI) until 2011. Even then the rollout was incomplete: devices containing ePHI were still unencrypted at the time of the loss or theft in 2012 and 2013. The policy should have been enforced, with verification that every device holding ePHI was in fact encrypted, rather than left as a written requirement.
“Having a policy that states you’re doing something doesn’t constitute compliance,” says Bess. “You have to have the mechanisms in place and be doing what you say you’re doing. Cybersecurity policies must be followed to be meaningful.”
Listen to the Experts
OCR’s investigation into MD Anderson found that the organization’s own earlier risk assessment had concluded that its ePHI was not appropriately protected, yet the gap remained open when the devices were lost.
This is especially problematic because criminals have caught on to how poorly healthcare data is often protected.
“Hackers have figured out physicians generally resist technology and security measures, thereby making themselves a target,” says Bess. “Doctors need to know this.”
Healthcare records are also more valuable than other information such as credit card data because they contain permanent personally identifiable information (PII) such as name, birthdate, and Social Security number, which cannot be reissued the way a compromised card number can.
Healthcare providers must take the necessary steps to protect the personal health information that their patients place in their care.
Bess says this is akin to the physical care doctors take pride in providing their patients.
“Encrypting and protecting data is consistent with doctors’ main concern for doing what is best for their patients,” says Bess. “Doctors take great physical care of their patients. Protecting their patients’ personal information should be an extension of this.”
Bess adds it’s the physicians’ responsibility to support their IT and security experts’ efforts and to be sure devices are encrypted.
How to Start with Healthcare Information Security
Bess says there are six basic tasks all healthcare providers should do to get started with their cybersecurity program.
- Encrypt everything that contains PHI: laptops, thumb drives, servers, etc.
- Implement industry-standard password policies.
- Inventory all devices and keep track of which ones have PHI residing on them.
- Create and adhere to privacy policies. These are standard and require no guessing or creativity.
- Post Notice of Privacy Practices prominently in the lobby and on the web site.
- Regularly change Wi-Fi passwords.
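The “Follow Your Own Data Security Policies” point above, and the encrypt-and-inventory items in this list, come down to one mechanism: a check that compares what the asset inventory says about PHI against what the endpoint management system can actually verify about encryption. The following script is an added example, not code from the original article or from Sword & Shield. It parses a constructed CSV export (the column names and the set of accepted encryption products are assumptions, not any real MDM schema), lists the devices that hold PHI but are not verifiably encrypted, and reports per-device-type coverage. Two deliberate choices a practitioner will want: an “unknown” encryption state is treated as a violation, and a device that has not checked in recently is treated as unverified rather than as compliant.

```python
"""Reconcile an endpoint inventory against the encryption policy.

Added example. The CSV columns, product names and 30-day threshold are
assumptions for illustration, not a real MDM or asset-system schema.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Encryption states the policy accepts as "encrypted at rest". Anything else,
# including "unknown", is a violation: for audit purposes an unverifiable
# device is an unencrypted device.
ACCEPTED_ENCRYPTION = {"bitlocker", "filevault", "luks", "hardware"}
# A device that has not reported in this long has an encryption state we
# cannot vouch for, even if the last report looked fine.
MAX_CHECKIN_AGE = timedelta(days=30)
# Date the report is run as of (fixed so the sample is reproducible).
REPORT_DATE = date(2013, 7, 3)

# Constructed sample export; not real MD Anderson data.
SAMPLE_INVENTORY = """\
asset_id,device_type,owner,holds_phi,encryption,last_checkin
LT-0001,laptop,dr.smith,yes,BitLocker,2013-07-01
LT-0002,laptop,nurse.jones,yes,none,2013-07-02
LT-0003,laptop,admin.lee,no,none,2013-07-02
USB-0007,thumb_drive,dr.smith,yes,unknown,2013-06-15
USB-0008,thumb_drive,research.asst,yes,hardware,2013-07-01
SRV-0010,server,it,yes,luks,2013-07-02
LT-0004,laptop,dr.patel,yes,filevault,2012-11-30
"""


@dataclass(frozen=True)
class Device:
    asset_id: str
    device_type: str
    owner: str
    holds_phi: bool
    encryption: str
    last_checkin: date


def load_inventory(csv_text: str) -> List[Device]:
    """Parse the export, normalising case and whitespace so that
    'BitLocker' and ' bitlocker ' compare equal."""
    devices = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        devices.append(Device(
            asset_id=row["asset_id"].strip(),
            device_type=row["device_type"].strip().lower(),
            owner=row["owner"].strip(),
            holds_phi=row["holds_phi"].strip().lower() in {"yes", "true", "1"},
            encryption=row["encryption"].strip().lower(),
            last_checkin=date.fromisoformat(row["last_checkin"].strip()),
        ))
    return devices


def violation_reason(device: Device, as_of: date) -> Optional[str]:
    """Return why the device violates the policy, or None if it complies.
    Devices that hold no PHI are outside the scope of the encryption rule."""
    if not device.holds_phi:
        return None
    if device.encryption not in ACCEPTED_ENCRYPTION:
        return f"PHI on device with encryption state '{device.encryption}'"
    if as_of - device.last_checkin > MAX_CHECKIN_AGE:
        return f"encryption state unverified: last check-in {device.last_checkin}"
    return None


def find_violations(devices: List[Device], as_of: date) -> List[Tuple[str, str]]:
    """(asset_id, reason) for every PHI-bearing device that fails the policy."""
    out = []
    for d in devices:
        reason = violation_reason(d, as_of)
        if reason:
            out.append((d.asset_id, reason))
    return out


def coverage(devices: List[Device], as_of: date) -> Dict[str, Tuple[int, int]]:
    """Per device type: (verifiably encrypted, total) among PHI-bearing devices."""
    totals: Dict[str, Tuple[int, int]] = {}
    for d in devices:
        if not d.holds_phi:
            continue
        ok, n = totals.get(d.device_type, (0, 0))
        totals[d.device_type] = (ok + (violation_reason(d, as_of) is None), n + 1)
    return totals


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for asset_id, reason in find_violations(inventory, REPORT_DATE):
        print(f"VIOLATION {asset_id}: {reason}")
    for dtype, (ok, n) in sorted(coverage(inventory, REPORT_DATE).items()):
        print(f"{dtype}: {ok}/{n} PHI devices verifiably encrypted")
```

Run against the sample as of 2013-07-03, the report flags LT-0002 (no encryption), USB-0007 (state unknown) and LT-0004 (last check-in more than 30 days old), and shows laptops at 1 of 3 covered. That last number is the figure a policy alone never produces, and it is the one an auditor will ask for.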
MD Anderson Breaches Takeaway
The MD Anderson case serves as a warning to businesses to comply with relevant regulations and certification requirements. From both a legal and a brand image standpoint, it is always better to go the extra mile to ensure you are in compliance with any regulation that may apply to your organization.
Sword & Shield partners with you to help make HIPAA compliance less “painful” through our HIPAA Compliance Program (HCP), HIPAA Risk Assessments, HIPAA Gap Analysis and our HITRUST Compliance Services. Request a consultation to get started today.