Healthcare Security Case Studies & Forensics Analysis

The IT organization of healthcare (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboot for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.

There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of Healthcare services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical banking infrastructure; otherwise, medical operations could have suffered a total systemic failure.

Healthcare Medical Center, has agreed to pay a $218,400 settlement to federal authorities for what the government is calling “potential violations” of data privacy and security breach notifications rules under HIPAA, including in a relatively rare enforcement area, Internet-based file-sharing services.

The Office for Civil Rights at HHS, which has federal HIPAA privacy and security rule enforcement authority, first received a complaint in November 2012 that members of organization’s workforce used an Internet-based document-sharing application “to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.”

In a separate incident, in August 2014, the hospital reported to HHS that a former workforce member had stored patient-identifiable health records of 595 individuals on a stolen personal laptop and USB flash drive.

According to a recent report on employee Internet usage by the Campbell, Calif.-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.

“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document-sharing applications,” said Office for Civil Rights Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

In addition to the payment, the settlement includes a corrective action plan “to cure gaps in the organization’s HIPAA compliance program raised by both the complaint and the breach.” organization has also reported to the civil rights office a breach of 6,831 lost patients’ identifiable records on paper or film, according to the “wall of shame” list kept by the office for breaches involving 500 or more individuals.

In April, 2012, a five-physician medical practice, Phoenix Cardiac Surgery, agreed to a $100,000 settlement for failing to have HIPAA-required business associate agreements with providers of their Internet-based calendar and e-mail service.

“Between these two cases,”, “what it stands for is OCR’s expectation you’re going to have to have a business associate agreement with any cloud-based (service) providers. And you need a risk analysis.”

“So, there appears to be a whistle-blower,”  “It shows the importance of having a process for hearing concerns from your employees about addressing HIPAA, or they might go to the government instead.”

Since September 2009, when the civil rights office started keeping a public list of breaches involving 500 or more individuals, 1,265 breaches have been reported exposing the records of nearly 135 million people, equal to the populations of California, Florida, Illinois, New Jersey, New York, Pennsylvania and Texas combined.


Cyber Security CISO Services