The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services stayed busy last year. In 2018, OCR settlements totaled $28.7 million, 22% higher than 2017. In addition, the OCR also settled with Anthem, Inc. for $16 million, a nearly three-fold increase over the previous record settlement of $5.5 million.
While looking at these numbers at a high level may inspire healthcare entities to focus on strengthening their IT security defenses, the totals say little about what those entities should actually do. For that, we need to look at the details of individual settlements.
Cottage Health Commits the Cardinal Sins of HIPAA Non-Compliance
The recent settlement with Cottage Health represents a classic example. This organization committed several of the most common mistakes healthcare entities of all sizes make.
As described in the OCR’s statement regarding the settlement, Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital. The OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015.
It should be noted that Cottage Health is not a particularly high-profile organization. On its website, the organization describes itself as a private, not-for-profit community organization. Nor does it appear to be a poorly run entity. In 2016, two of its facilities earned 5-Star ratings for overall quality and safety from the federal Centers for Medicare & Medicaid Services.
But HIPAA fines aren’t levied based on the size of the organization or its annual revenues. The penalty structure is tiered, with higher fines based on factors such as the covered entity’s knowledge of the violations, the seriousness of the violations, and its attempts at remediation.
So where did Cottage Health go wrong? Let’s take a closer look.
The two breaches of data were the result of user error, not cyberattack. The first breach happened when ePHI on a Cottage Health server was exposed due to improperly configured security settings in the Windows operating system. These settings allowed anyone with a user name and password to access patient names, addresses, dates of birth, diagnoses, conditions, lab results, and other treatment information over the internet.
The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information.
As they say, to err is human, but the OCR also found that Cottage Health didn’t do enough to prevent and prepare for these incidents. Specifically, the investigation revealed that Cottage Health failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI
- implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI
Finally, Cottage Health failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf. While this may sound minor, the OCR has fined organizations for this violation alone and in the absence of an actual breach.
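The two breaches and the third finding above share one technical root: a server that held ePHI was changed (once through security settings, once through a troubleshooting ticket) and nobody re-evaluated its exposure afterwards. The following script is an added example, not code from the original post or from Cottage Health, showing what a minimal "technical evaluation in response to an operational change" looks like in practice: it compares a baseline snapshot of a server's share permissions, internet-exposed ports and TLS requirement against the state after a ticket is closed, and flags both drift and the specific pattern behind the first breach (an ePHI share readable by a catch-all principal such as "Authenticated Users"). The host name, share names, group names and ticket number are constructed placeholders.

```python
"""Post-change configuration evaluation for a server holding ePHI.

Added example with constructed data; all names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Principals that effectively mean "any account that can log in". Granting one
# of these read on ePHI reproduces the first breach described above: anyone
# with a user name and password could reach patient data.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Anonymous Logon"}
EPHI_TAG = "ephi"  # constructed convention: shares that hold ePHI carry this tag


@dataclass
class ServerConfig:
    host: str
    share_acls: Dict[str, Dict[str, Set[str]]]  # share -> principal -> rights
    share_tags: Dict[str, Set[str]]             # share -> tags such as {"ephi"}
    internet_exposed_ports: Set[int]            # ports reachable from the internet
    require_tls: bool


def check_broad_access(cfg: ServerConfig) -> List[str]:
    """Point-in-time check: ePHI shares that any authenticated account can read."""
    findings = []
    for share, acl in cfg.share_acls.items():
        if EPHI_TAG not in cfg.share_tags.get(share, set()):
            continue
        for principal, rights in acl.items():
            if principal in BROAD_PRINCIPALS and rights:
                findings.append(
                    f"{cfg.host}:{share} grants {sorted(rights)} to '{principal}'")
    return findings


def diff_against_baseline(baseline: ServerConfig, current: ServerConfig) -> List[str]:
    """Drift check: rights, exposure or TLS settings that changed since the baseline."""
    findings = []
    for share, acl in current.share_acls.items():
        base_acl = baseline.share_acls.get(share, {})
        for principal, rights in acl.items():
            new_rights = rights - base_acl.get(principal, set())
            if new_rights:
                findings.append(
                    f"{current.host}:{share} new rights {sorted(new_rights)} for '{principal}'")
    for port in sorted(current.internet_exposed_ports - baseline.internet_exposed_ports):
        findings.append(f"{current.host} port {port} newly reachable from the internet")
    if baseline.require_tls and not current.require_tls:
        findings.append(f"{current.host} TLS requirement was disabled")
    return findings


def evaluate_after_change(baseline: ServerConfig, current: ServerConfig,
                          ticket_id: str) -> List[str]:
    """Run both checks when a change ticket closes; findings are tagged with the ticket
    so the review is traceable to the operational change that caused it."""
    findings = check_broad_access(current) + diff_against_baseline(baseline, current)
    return [f"[{ticket_id}] {f}" for f in findings]


# Constructed snapshots: the approved baseline, and the state after a
# troubleshooting ticket widened share access and opened a port.
BASELINE = ServerConfig(
    host="srv-ehr-01",
    share_acls={"PatientRecords": {"HIM-Staff": {"read", "write"}}},
    share_tags={"PatientRecords": {EPHI_TAG}},
    internet_exposed_ports={443},
    require_tls=True,
)
AFTER_TICKET = ServerConfig(
    host="srv-ehr-01",
    share_acls={"PatientRecords": {"HIM-Staff": {"read", "write"},
                                   "Authenticated Users": {"read"}}},
    share_tags={"PatientRecords": {EPHI_TAG}},
    internet_exposed_ports={443, 445},
    require_tls=True,
)

if __name__ == "__main__":
    for line in evaluate_after_change(BASELINE, AFTER_TICKET, "INC-4711"):
        print(line)
```

Running the script against the constructed snapshots reports three findings: the ePHI share is now readable by every authenticated account, that grant is new relative to the baseline, and port 445 has become reachable from the internet. The same evaluation run against an unchanged server returns nothing, which is the point of wiring it to ticket closure rather than running it only at the annual risk assessment.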
Healthcare entities can take several lessons away from the Cottage Health settlement. First, they need to worry about more than just malicious intent. In fact, in the Ponemon Institute’s 2018 Cost of a Data Breach study, human error caused 27% of all data breaches and system glitches another 25%. The Cottage Health example is a perfect illustration of what can happen when a covered entity manages IT in-house with less than adequate resources or contracts with an unqualified service provider.
Second, the OCR doesn’t care how well run the hospital is. It focuses on how well run the entity’s IT security program is. It’s safe to say that Cottage Health fell down in this area. Working with a qualified managed security provider could have helped them address the preparedness aspect of the OCR complaint.
Finally, the OCR continues to demonstrate that the covered entity’s responsibility extends to its business associates as well. This includes any managed service providers that have access to ePHI or that host the entity’s covered workloads in the cloud.