1 Way Your Healthcare IT (or Lack Thereof) Can Cost You Millions of Dollars
OCR (the Office for Civil Rights) is the group responsible for enforcing the HIPAA Privacy and Security Rules.
2018 was a record-setting year for OCR enforcement cases. The last two settlements in 2018 were the result of IT mistakes. They were not the only cases that came down to IT mistakes, but I am using them to highlight a problem.
These cases date back to 2013 and 2015. Cottage Health had two different breaches that caused tens of thousands of ePHI (electronic protected health information) records to be accessible. The cases impacted approximately 33,349 and 11,608 individuals respectively.
In each case, the breach was the result of an error or oversight on the part of IT staff.
In 2013, the breach was the result of the removal of electronic security protection from one of Cottage Health’s servers. This left patient names, addresses, dates of birth and medical information available to anyone outside of Cottage Health who could reach the server. Anyone with the server information was able to download the PHI.
In 2015, the breach was caused by the activation of the wrong website on a SQL server. This exposed patient names, addresses, dates of birth, social security numbers and healthcare information to the internet.
The patient information was accessed hundreds of times by Google, meaning anyone who searched for something related to the PII (Personally Identifiable Information) could have had the patient information returned in the results. For example, if someone searched for John Smith, and he was one of the 51,000 individuals whose information was exposed, his records were potentially returned by Google.
It’s alleged that records were available on Google from 2011 to 2013.
It wasn’t until December 2013 that a man in Arizona, who discovered the records while doing research on Google, notified Cottage Health.
Cottage was running outdated software and failed to apply software patches. It was also discovered that they failed to remove default configurations, failed to use strong passwords and failed to limit access to PII.
Cottage Health also failed to run risk assessment audits.
These are glaring holes in the IT infrastructure. While two individuals were identified as causing the breaches, a failure to have processes and routine audits in place is the real reason these breaches occurred. An audit likely would have discovered the vulnerability and addressed it much sooner.
In total, nearly 51,000 patients had their information exposed because of mistakes by IT. But was it the IT personnel’s fault? That question will probably not get answered but these breaches highlight the need for processes and audits to be in place.
What Did This Cost Cottage Health?
The California Attorney General could have fined Cottage Health $275 million. In the end, it was settled for $2,000,000. While $2,000,000 does not seem like a lot to an insurance carrier, it’s also likely that a lot of new practices, policies and procedures (including audits) were put into place, along with new personnel.
It’s also likely that there were/are lawsuits from patients who had their PHI exposed.
Finally, the damage to Cottage Health’s reputation might prove to be the costliest penalty of all. This is not easy to measure in dollars but there’s little doubt that they lost customers after these breaches were announced.
Why Am I Writing About This?
It’s true our clients are not huge healthcare providers. We work with smaller practices who aren’t likely to have fines in the millions (though it is possible).
I write about this because all too often I see healthcare practices whose IT is serviced by an IT Service Provider who is not HIPAA compliant and likely has no idea what is or isn’t a HIPAA violation. One mistake by this IT Service Provider could cost a small practice tens of thousands of dollars, lost income, a damaged reputation and possibly business closure.
A few years back we serviced a dental practice in Manhattan. The office had 7 Windows PCs. Every one of the PCs needed Windows updates (some more than a year old). 5 of the 7 did not have active malware protection running.
The office network was connected to a wireless router that had an open wireless network running, and still had the default logins on the router. Anyone near the dentist could potentially access patient information because the internal network with the unpatched Windows computers was connected to the same router without a firewall.
Two of us applied updates, performed routine maintenance, and updated or installed anti-malware software, but they did not want to update the wireless router or the network, or continue with a maintenance plan.
And two of their computers were found to have malicious content. Numerous HIPAA violations and potential vulnerabilities exist at this dentist’s office. I wonder if they’re still in business.
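The two findings from that office, missing updates and inactive malware protection, are exactly what a routine audit should surface before an auditor or an attacker does. The following PowerShell script is an added example, not the author’s own tooling; it assumes a Windows 10/11 or Server machine with Microsoft Defender, runs as Administrator, and the 30-day patch age and 7-day signature age thresholds are assumed values, not HIPAA-prescribed ones.

```powershell
# Added example: per-PC baseline check for overdue Windows updates and the
# state of anti-malware protection. Run as Administrator on each workstation.
# $MaxPatchAgeDays and the 7-day signature limit are assumed thresholds.
param(
    [int]$MaxPatchAgeDays = 30
)

$findings = @()

# 1. Pending updates via the Windows Update Agent COM API. The search contacts
#    Windows Update or WSUS and can take a minute to return.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

foreach ($update in $result.Updates) {
    # LastDeploymentChangeTime is when the update was published; the gap to
    # today is how long this PC has been running without it.
    $ageDays = [int]((Get-Date) - $update.LastDeploymentChangeTime).TotalDays
    if ($ageDays -gt $MaxPatchAgeDays) {
        $findings += "Update overdue by $ageDays days: $($update.Title) [MSRC severity: $($update.MsrcSeverity)]"
    }
}

# 2. Anti-malware status: engine running, real-time protection on, signatures current.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus engine is not running" }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is DISABLED" }
    $sigAge = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    if ($sigAge -gt 7) { $findings += "Antivirus signatures are $sigAge days old" }
} catch {
    # Defender cmdlets absent or a third-party product has taken over; treat as
    # a finding so nobody assumes protection that has not been verified.
    $findings += "Microsoft Defender status unavailable: $($_.Exception.Message)"
}

# 3. Pass/fail summary that can be filed with the practice's risk assessment.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: PASS (no findings)"
} else {
    Write-Output "$env:COMPUTERNAME: FAIL ($($findings.Count) findings)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Running this on a schedule and keeping the output is the kind of routine audit record the Cottage Health case shows was missing.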
Another practice I see often is a sign-in sheet left in the lobby of a general practitioner. The idea is that you write down your name and the reason for your visit. This is a clear HIPAA violation. It seems to happen so that the office manager’s job is easier, or so they don’t have to talk to patients.
How often have you stood behind another patient checking in and been able to hear the conversation between them and the receptionist? Name, address, reason for the visit, etc.
The point I am trying to make is that HIPAA violations are still rampant across all medical practices. These violations can be detrimental to a Healthcare Provider’s existence, and to their patients’ privacy. If you’re taking shortcuts on your Healthcare IT by hiring the cheapest or least experienced IT support you can find, you’re doing your Healthcare business, and your patients, a huge disservice. Saving a few dollars now might cost you a lot more down the road. You should do everything possible to ensure your patients’ privacy is protected and your Healthcare business’ reputation remains intact.