Ex-employee charged with HIPAA Violations

An ex-employee of UPMC Shadyside Hospital in Pittsburgh was charged in a 14-count indictment.  According to the United States Attorney’s Office for the Western District of Pennsylvania:

According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, disclosed to others names, birth dates and Social Security numbers of patients for personal gain, in violation of federal HIPAA laws, and disclosed Social Security numbers to other persons without their authorization. This information was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers in violation of federal law.

The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.

There have been very few cases of HIPAA violations that have resulted in prison terms.  If he is found guilty and does receive a prison term, it will send a powerful message.  HIPAA violations are serious offenses. Accessing and selling Electronic Protected Health Information (EPHI) for personal gain should be prosecuted.  With the changes to HIPAA as a result of the HITECH Act, we may see more enforcement, higher penalties and more prison terms for offenders.  All would be steps in the right direction toward protecting patient information.


How NOT to address security

There is a lot of talk surrounding HIPAA security, especially as more and more practices implement EMRs.  I have attempted to shed some light on the steps you need to perform to ensure your network and patient information are protected.  So when I read a story in the Vancouver Sun, I figured I would point out how NOT to implement security.  This is a classic example of how a medical institution totally ignored security.

The Vancouver Sun sheds light on the lax security at the Vancouver Coastal Health Authority.  Here are some highlights (low-lights) of the story.

“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”

“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”

“Almost all users have some access to confidential information about all clients in the database. Many clients’ full health information is accessible to a large number of users. Team memberships are not up to date, meaning that many unauthorized users could have access to client records that they should not have.”

“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”

Those are some pretty serious security risks.  Basically they had no way of knowing if someone hacked into their network or what they may have accessed.  Almost all users had access to the EMR no matter what their job function.  They never disabled user accounts after employees or contractors stopped working.  In addition, the terminated employees or contractors still had remote access to the network and could still access patient information even after they stopped working for Vancouver Coastal.
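The account problem the audit describes (former employees and contractors keeping active accounts) is one a practice can check for itself. The following is an added example, not code from this post or from the Vancouver Sun article: a read-only PowerShell report of Active Directory user accounts that are still enabled but have not logged on for a set period. It assumes a Windows domain, the RSAT ActiveDirectory module, and read access to the domain; the 90-day threshold is a constructed value, and `Get-StaleEnabledUsers` is a hypothetical function name.

```powershell
# Added example: list enabled AD user accounts that have not logged on for
# a given number of days (assumes the RSAT ActiveDirectory module is present).
Import-Module ActiveDirectory

function Get-StaleEnabledUsers {
    param(
        [int]$InactiveDays = 90,                                   # constructed threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName     # whole domain by default
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            # An account that has never logged on has no LastLogonDate;
            # judge it by its creation date instead so it is not skipped.
            $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $last -lt $cutoff
        } |
        Select-Object SamAccountName, LastLogonDate, whenCreated, Description, DistinguishedName
}

# Report, longest-idle accounts first. Review the list with HR or the
# department manager before disabling anything.
Get-StaleEnabledUsers -InactiveDays 90 |
    Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, Description -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated about every two weeks, so treat the dates as approximate. Once a listed account is confirmed as belonging to someone who has left, `Disable-ADAccount -Identity <SamAccountName>` closes it; the same review should cover any separate VPN or remote-access accounts, since those are the ones the audit singled out.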

The security was so weak that the auditor of the Vancouver Coastal network delayed publishing his report for 6 months to give Vancouver Coastal time to correct the security problems.  In all, the auditor made 127 recommendations for changes to the security procedures.

So if you are thinking about implementing the correct procedures to ensure that your network is secure, make sure you don’t follow Vancouver Coastal’s methodologies!


USB drives pose security risks

Today USB drives (also known as flash drives and thumb drives) are commonplace.  They store a lot of data, they are cheap, and they are easily transported.  A 2GB flash drive can be bought for $7.00 or less.  These drives give you the ability to carry documents, spreadsheets, PDF files and other data from one computer to another.  Unfortunately, along with convenience come security risks.

An employee working on a document could copy it to a flash drive, bring it home and make modifications to the document.  The employee could then copy the document back to the flash drive, bring it to work in the morning and copy the revised document back to their computer or network drive.  Just as easily as a document, an employee may copy a series of reports extracted out of an EMR, a spreadsheet with a list of patients’ financial information, or a schedule of patients and demographics for the next week.  The employee may have all the best intentions of working on the information at home.  Now suppose that the employee misplaces the flash drive on the way home.  The data on USB drives is usually not encrypted.  A flash drive is about the size of a house key, and some drives attach right to a key chain.  We have all lost or misplaced keys, and losing a flash drive is equally likely.  If the employee loses the flash drive, the practice is looking at a HIPAA security breach.  Along with the security breach may come fines, the cost and expense of breach notifications and the negative press that a practice may incur.

Another security risk involves viruses and spyware/malware.  The employee may bring home data to work on at night.  The employee’s home computer may be infected with a virus or have malware loaded on it.  When the employee saves the modified data, a virus or malware may also be transferred to the flash drive. The virus can then be transferred to the practice’s network when the data is copied to the employee’s computer or network drive.

One way to prevent this type of security risk is to create a policy that prohibits the use of USB drives.  Unfortunately, a USB drive is so small and easily concealed that an employee may ignore the policy.  Employees may ignore the policy not because they are intentionally stealing data but simply to bring work home in an effort to “catch up” or finish a task.

According to an Ars Technica article, the National Security Agency (NSA) has developed a tool that will detect USB drives on internal computer networks.

Although having strong IT security policies can help reduce the risks, it’s not always easy to enforce such policies. The NSA built a tool, called USBDetect, that is designed to help government agencies track the usage of USB storage devices on their internal networks. The tool is not publicly available, but is briefly described in a section of the NSA’s 2011 budget proposal, which was highlighted yesterday by NextGov defense technology blogger Bob Brewin.

“A Computer Network Defense Tool developed by NSA, USBDetect 3.0, is available to U.S. Government (USG) users free of charge. USBDetect gathers data (locally or on a network) from personal computers running Microsoft Windows 2000 or later operating systems, and reports unauthorized usage of Universal Serial Bus (USB) thumb (a.k.a. flash) drives, external hard drives, compact disk drives, and other storage devices,” the budget proposal says. “The USBDetect tool provides USG network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks.”

As the article notes, the NSA tool is available only to government agencies and is not commercially available.

There are commercial programs that will disable the use of USB drives.  Such a program makes a USB drive inaccessible and therefore prevents data from being copied to and from it.  Unfortunately, this adds administrative overhead because some employees have legitimate needs to use USB drives, such as copying non-patient data, presentations, etc.
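Both things the preceding paragraphs describe, detecting which USB storage devices have been plugged into a Windows machine and blocking USB mass storage, can be checked on a single host with built-in Windows facilities. The following is an added example, not code from this post, from the NSA’s USBDetect tool, or from any commercial product: a read-only PowerShell audit that lists the USB storage devices Windows has recorded under its USBSTOR enumeration key and reports whether the two standard blocking controls (the USBSTOR driver service being disabled, and the Group Policy “Removable Disks” deny settings) are in effect. It assumes an elevated PowerShell session on Windows; the function names and the approved-serial list are constructed.

```powershell
# Added example: audit a Windows host's removable-storage exposure.
# Run in an elevated PowerShell session. Read-only: nothing is changed.

function Get-UsbStorageHistory {
    # Windows keeps a subkey under USBSTOR for every USB mass-storage device
    # it has ever enumerated, keyed by model and then by instance id (serial).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $model = $_.PSChildName                 # e.g. Disk&Ven_Kingston&Prod_DataTraveler
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName   # instance id, normally the device serial
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-UsbStoragePolicy {
    # Control 1: the USBSTOR driver service. Start=3 (on demand) is the default;
    # Start=4 disables the driver, so USB mass-storage devices are never mounted.
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    # Control 2: the Group Policy "Removable Storage Access" settings for the
    # Removable Disks device class (the GUID below is that class's identifier).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbStorDriverDisabled  = [bool]($svc -and $svc.Start -eq 4)
        RemovableDiskDenyRead  = [bool]($pol -and $pol.Deny_Read  -eq 1)
        RemovableDiskDenyWrite = [bool]($pol -and $pol.Deny_Write -eq 1)
    }
}

# Constructed allow-list: serials of drives the practice has issued (for
# example, hardware-encrypted drives). Anything else that appears is a finding.
$approvedSerials = @('EXAMPLE-SERIAL-0001')

Write-Host '== Blocking controls =='
Get-UsbStoragePolicy | Format-List

Write-Host '== USB storage devices seen on this host that are not approved =='
Get-UsbStorageHistory |
    Where-Object { $approvedSerials -notcontains $_.Serial } |
    Format-Table Model, Serial, FriendlyName -AutoSize
```

The history list is evidence of what has already been attached, which is the same information a network-wide detection tool collects from each host; running the script across the practice’s machines (for example through a remote session) gives a first inventory. If the policy report shows neither control set and the practice has decided to block USB storage, the Group Policy deny settings are the supported way to turn it on, and they can be scoped to leave read access for the staff who legitimately need it.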

The purpose of this post is to highlight the security risks associated with USB drives.  Policies that prevent the copying of patient information are required.  In addition, there is a need for employee training and alerts to the potential dangers associated with USB drives.  There are technologies that can help guard against the security risks, but they present a different set of issues and administrative overhead.


Costly data breach for BlueCross

A break-in at a mall has cost BlueCross BlueShield of Tennessee $7 million and counting. As noted in this Newsweek article:

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.

In most of the calls, subscribers provided their BlueCross ID number, name and date of birth — not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what’s known as a Health Insurance Claim (HIC) number, which contains the subscriber’s Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.

An attorney from BlueCross said in a letter to the Maryland attorney general that the data on the hard drives was encoded but not encrypted.  Encrypted data would require the passcode or key to decrypt and read it; encoded data does not.

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened.

So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. “Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary,” BlueCross said in the letter, dated Dec. 16.

“We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio,” said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. “It has to be reviewed.”

The costs keep tallying up:

The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

The HITECH Act requires media and regulatory notifications.  In the letter to the Maryland attorney general they mention:

The HITECH Act requires that we provide media notice to any jurisdiction where over 500 members may reside; therefore, we are also notifying all Attorneys General in these states so they may also be aware of our activities and could address questions they may receive from our members who reside in their states.

A few points to think about regarding this incident are:

  1. This did not occur at the BlueCross headquarters but at a rented location.  So no matter how well they secured their offices and network, a HIPAA security breach still occurred.
  2. Data that leaves your headquarters, office or building on a laptop, desktop, USB drive, smartphone, etc., and that is not encrypted is a liability waiting to happen.
  3. HIPAA and HITECH data breaches can be extremely costly, not only from a HIPAA fine perspective but from the manpower and lost productivity required to react to the data breach.

HIPAA Willful Neglect can cost a practice

There is a very good article over at AIS’s Health Business Daily that discusses HIPAA and HITECH violations.  With the signing of the HITECH Act as part of the ARRA stimulus bill, the penalties for HIPAA violations have increased dramatically.  The HITECH Act has also increased the enforcement of HIPAA regulations.

A privacy breach due to “willful neglect” that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million.

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Where it gets really interesting is the description of “willful neglect”:

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.”

If you think that just writing policies and procedures will help avoid willful neglect then read on.

“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

The takeaway from this article is that you need to have policies and procedures in place for both the HIPAA Privacy and Security rules.  These policies and procedures need to be enforced and communicated to all employees.  I would tend to guess that a lot of practices have policies and procedures in place for the Privacy rule.  Practices will need to develop policies and procedures that comply with the Security rule as well.  This is especially true as practices start to create electronic patient health information (ePHI) through the implementation of an EMR, digital x-rays, electronic lab results, billing information, scanned consent forms, etc. The increased use of technology such as laptops, remote access, email, portable disks and smartphones will also require the appropriate policies and procedures.

Here is a final thought that might keep you up at night.  Imagine a spreadsheet with financial and demographic information of 250 patients that was saved unencrypted on a laptop.  The laptop was taken home by the billing manager and was stolen out of her car.  Did you have a policy and procedure which prevented her from taking the information?  Was it enforced?  Was it communicated to all employees?  Is this an unfortunate HIPAA violation or is this willful neglect? 
