Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was recently hit with a $650,000 HIPAA fine to settle violations stemming from the theft of a CHCS-issued employee iPhone.
The Office for Civil Rights (OCR), which enforces HIPAA, began its investigation of CHCS when it was informed that an iPhone, lacking encryption or password protection, was stolen.
The HIPAA fine is the result of the information exposed by the theft. Unfortunately, the data contained on the iPhone was extensive and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. The total number of individuals affected by the data breach was 412.
At the time of the incident, CHCS had no policies in place that addressed the removal of mobile devices containing PHI from its facility or what to do in the case of a security incident.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
Negligent Employees Are Often the Cause of a Data Breach
While hackers and external threats can certainly cause destruction, a recent study from Forrester shows that most data breaches (61%) are actually caused by the internal threat of negligent or malicious employees.
Forrester reports that negligent employees account for 36% of all data breaches. In the case of CHCS, this includes an employee having a mobile device stolen. Malicious employees account for another 25% of all data breaches. This could include a disgruntled employee who intentionally steals or destroys data.
Because the CHCS employee’s iPhone was neither encrypted nor password protected, all the data contained on it was vulnerable.
Protecting Mobile Devices Is Critical
In order to avoid a future HIPAA fine resulting from mobile device theft, CHCS needs to implement a security system that includes data encryption, multi-factor authentication, and the ability to lock a stolen mobile device.
At Global Enterprise Strategies, we provide all three:
DATA ENCRYPTION AT THE DATA LEVEL
Data must be secured at the data level. Instead of focusing on perimeter defense, what’s needed is 256-bit AES encryption to protect each and every individual file. By encrypting data at the data level, organizations benefit from constant data security wherever that data goes, even when it is sent across domains.
MULTI-FACTOR AUTHENTICATION
Passwords can be hacked. Multi-factor authentication creates a layered identity management defense. In order for a user to access data, two or more credentials must always be entered. These credentials could include a password along with biometric verification or a security token.
MOBILE DEVICE SECURITY
A secure enterprise space must be created on BYOD/non-enterprise devices (smartphones, tablets, laptops). If a mobile device is lost or stolen, remote logout can be used to mitigate data theft.
Contact us to learn more about how Global Enterprise Strategies can help your organization protect its valuable data and prevent a HIPAA fine.