State of Alaska fined $1.7 million for lax security protecting health records

Filed Under: Data loss, Featured, Law & order, Privacy

The US government has been a busy bee this week. The US Department of Health and Human Services (HHS) has announced a $1.7 million settlement with the State of Alaska's Department of Health and Social Services (DHSS) over HIPAA violations.

The Health Insurance Portability and Accountability Act (HIPAA) is a large piece of legislation, but the parts I care about most are the requirements for security training and for protecting ePHI (electronic protected health information).

It all began when a USB hard disk was stolen from the car of a DHSS IT worker. Because the device was not encrypted and the state could not rule out that it contained ePHI, DHSS had to report the loss to HHS to comply with the HITECH Act (Health Information Technology for Economic and Clinical Health).

That is when everything started to unravel. HHS opened an investigation into the incident and found that DHSS did not have adequate policies and procedures in place to protect ePHI.

More damning was the fact that DHSS had not completed a risk analysis, had not implemented risk management procedures, had not required security training for its employees, had not implemented device and media controls, and had not encrypted all media and devices that might contain ePHI.

Unfortunately, this goes to show that governments are no better at data protection than the private sector.

The good news is that no fraud related to the lost hard drive has been reported, and the investigation gave HHS the opportunity to uncover the non-compliance before another incident occurred.

In addition to the fine, DHSS has agreed to a corrective action plan that includes employee training, monitoring and some specific data protection procedures. The state will be required to:

  1. Implement procedures for tracking devices containing ePHI.
  2. Implement procedures for safeguarding devices containing ePHI.
  3. Implement procedures for encrypting devices containing ePHI.
  4. Implement procedures for securely disposing of or reusing devices that contain ePHI.
  5. Implement procedures for responding to security incidents.
  6. Implement procedures for applying sanctions to employees who violate any of these policies and procedures.

All of this technology and cheap storage capacity has enabled remarkable improvements in efficiency for businesses and governments alike. But like all great things, it comes at a cost.

We must not just collect massive quantities of information, but protect it while it is useful and have a plan to securely delete it when it is no longer needed.

Whatever type of sensitive information your organization gathers, the easiest way to ensure it isn't stolen, leaked by hackers or accidentally discovered on an old USB key is to protect the information from the beginning.

Rather than worry about whether something is a mobile device or a removable drive, encrypt it anyway. Base your decisions on what the information is, rather than where it is.

You never know where data will end up, and the job is a lot easier if you protect it based on what it is, not where it is.
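One concrete check that follows from this advice, and from corrective action items 1 and 3 above, is to audit a machine for removable media that is not encrypted at all. The script below is an added example, not part of the original post or of DHSS's corrective action plan. It assumes a Linux host with util-linux's `lsblk`, and treats a partition or disk whose filesystem type is `crypto_LUKS` as encrypted; anything removable carrying a plain filesystem (vfat, ext4, ntfs and so on) is flagged. The sample `lsblk` output embedded in `sample_lsblk` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): flag removable block devices
# that do not carry a LUKS container.
#
# Input format is the raw, headerless output of
#   lsblk -rno NAME,TYPE,RM,FSTYPE
# i.e. one line per device: NAME TYPE RM FSTYPE, where RM is 1 for removable
# media and FSTYPE is empty when no filesystem signature was detected.
# FSTYPE is deliberately the last column so an empty value cannot shift the
# fields that `read` splits on.

# Reads lsblk lines on stdin and prints the NAME of every removable (RM=1)
# disk or partition whose filesystem type is not crypto_LUKS.
flag_unencrypted_removable() {
    while read -r name type rm fstype; do
        [ "$rm" = "1" ] || continue          # fixed disks are out of scope here
        case "$type" in
            disk|part) ;;                    # ignore loop, rom, crypt mappings etc.
            *) continue ;;
        esac
        # No detected filesystem: usually a whole disk that only holds a
        # partition table, so there is nothing to flag at this level. The
        # partitions themselves appear on their own lines.
        [ -n "$fstype" ] || continue
        [ "$fstype" = "crypto_LUKS" ] && continue
        printf '%s\n' "$name"
    done
}

# Constructed sample output in the format above (assumption: this is what
# `lsblk -rno NAME,TYPE,RM,FSTYPE` would print on a host with one fixed
# disk and three USB drives, only two of which are LUKS-encrypted).
sample_lsblk() {
    printf 'sda disk 0 \n'
    printf 'sda1 part 0 ext4\n'
    printf 'sdb disk 1 \n'
    printf 'sdb1 part 1 vfat\n'
    printf 'sdc disk 1 crypto_LUKS\n'
    printf 'sdd disk 1 \n'
    printf 'sdd1 part 1 crypto_LUKS\n'
}

# Demonstration against the constructed sample; on a live host use:
#   lsblk -rno NAME,TYPE,RM,FSTYPE | flag_unencrypted_removable
sample_lsblk | flag_unencrypted_removable
```

Only `sdb1` is reported for the sample: the fixed disk is ignored, the two LUKS-formatted USB drives pass, and the FAT-formatted one is flagged. The check is necessarily coarse. A `crypto_LUKS` signature says nothing about the strength of the passphrase or whether the header was backed up, and a removable disk with no recognised filesystem at all could still hold data in a format `lsblk` does not identify, so treat the output as a starting point for the device inventory, not as proof of compliance.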


2 Responses to State of Alaska fined $1.7 million for lax security protecting health records

  1. a wigfield · 765 days ago

    What is going to happen when the federal government is hacked and loses ePHI? Can the states or the people sue them?

    • jessi slaughter · 765 days ago

      If so, this would seem like an incentive to hack them: steal the data (which is probably worthless in and of itself, who knows?), dump the data, wait a year and join the class action lawsuit... The same thing we do every night, Pinky: try to take over the world!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.