Health and Human Services (HHS) recently release the results of the settle agreement with Massachusetts Eye and Ear Infirmary (MEEI). MEEI has agreed to pay HHS $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The next step is for MEEI to implement new security controls and policies to remedy the problems. (www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html)
The key findings by HHS are probably prevelant in organizations that have not gone through a HIPAA Security and Privacy audit. The resuts in summary are:
1)A risk analysis was not conducted to understand dangers to EPHI
2)Data created, transmitted and maintained was not secure
3)Security incident managament did not have apprpriate policies and procedures in place
4)Portable device security was not in place
5) Portable device management was not in place
6)Access to portable devices with EPHI was not fully restricted
As with so many government settlements, it wasn’t an admission of wrongdoing. That always seems strange when they findings were there, but that’s the agreement. Each of the findings is dangerous when it comes to protecting patient data and collectively the problem is compounded. It would have been much cheaper to conduct the HIPAA Security and Privacy review, pay to implement new policies, procedures and software. It would been way under the $1.5 million in fines and ongoing audits and oversight.
HIPAA’s Privacy provisions became effective 04/14/2003 and 04/14/2004 for Large Plans and Small Plans respectively. For these purposes the same definitions as those used by the SBA apply. The Privacy provisions, when integrated with HIPAA’s Security provisions, require operational, document and educational performance. Adherence to Best Practice generally minimizes the possible considerable personal exposure of clients’ employees. HHS audit are now ongoing and companies need to understand the risks they now face.
The initial key reasons we see this pressing need for HIPAA audits include:
1) There is an ongoing national pilot HIPAA compliance audit project through the Office of Civil Rights (“OCR”) that could present a high level of risk. Audits by mail are also occurring and the industry expects all types of audits to increase. An unsuccessful audit can reflect negatively on a business brand and client confidence.
2) Covered Entities and Business Associates must stop doing business with an entity in Breach until such time as it can document that the Breach has been fixed. Although important all-around, this is especially important to those providing medical care and insurance-type services.
3) Corrective measures and business costs in the event of a Breach ranges from $90 to $305 per record with an average of $200 per record.
4) Individuals can be personally responsible.
5) There is a significantly increased level of risk and probability of failure in the absence of adequate compliance measures.
6) A Breach that impacts 500 or more individuals MUST be posted on a government website. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
7) Civil monetary penalties (“CMP”) may apply to a Breach. The amounts are related to the severity of the Breach with categories of “Did not know” (a) through (d); “reasonable cause but not willful neglect” (b) through (d); and “willful neglect”(c) through (d).
a) $100 per violation not to exceed $25,000 per calendar year,
b) $1,000 per violation not to exceed $100,000 per calendar year,
c) $10,000 per violation not to exceed $250,000 per calendar year, and
d) $50,000 per violation not to exceed $1,500,000 per calendar year.
8) Criminal actions
a) Knowing violations of up to $50,000 and/or a year in prison
b) Misrepresentations (false pretenses) of up to $100,000 and/or five (5) years in prison
c) Intent to sell, distribute, etc. Up to $250,000 and/or 10 years in prison
A couple of stories have come out about Trapwire after it was was that there were documents on it in a Wikileaks release. Wikileaks is undergoing a Denial of Service attacks that couple be related to the release of this information. Wikeleaks also publised information on another surveillance intelligence company Stratfor. As Trapwire says on their website “TrapWire is a unique, predictive software system designed to detect patterns indicative of terrorist attacks or criminal operations. Utilizing a proprietary, rules-based engine, TrapWire detects, analyzes and alerts on suspicious events as they are collected over periods of time and across multiple locations.”
Well the technology to monitor everything we do on the Internet has been available for a long time. How companies put that technology together is probably more secret sauce that any kind of patents they may have. The bxt execution of a product will usually win the day. So who should be concerned abut Trapwire? We are already being monitored by close circuit TV everywhere you go. That info can be imprted into facial recognition software easily enough. Facebook recently acquired Face.com, the facial recognition software company. How much more invasive do you think Facebook will be going forward? Should you be more concerned with Facebook or Trapwire? Who knows. The whole thing is probably being overhyped; its just another in a long line of surveillance solutions we have to live with at this point.
That’s a depressing thought. If the government isnt actively monitoring as much activity as they can, you would probably call then incompetent. I think the government should outsource their monitoring needs to Facebook and “The Google”. Save the US tax payers some money. A Cloud model for invasion of privacy is probably more cost effective for the gobvernment!