Violations of the Health Insurance Portability & Accountability Act (HIPAA) make excellent news stories for three reasons. First, they are scandalous and affect the status of a firm whose reputation is built on trust; second, they resonate with every individual who could be at risk of identity fraud; and finally, they usually carry a big price tag.
HIPAA was established in 1996 to govern how medical organizations and their associates treat protected health information (PHI). Penalties for violations can range from fines to criminal prosecution and imprisonment.
[Trojans take to the cloud. Read: Dyre Straits: Why This Cloud Attack's Different.]
However, while HIPAA actions are frequent and varied, one outcome is always the same: Every HIPAA violation has been settled out of court. This is an interesting phenomenon and there are several reasons behind it.
Money, money, money
It costs a lot of money to defend against a HIPAA action, and court hearings can last for months, costing hundreds of thousands of dollars in legal fees. In the case of a recent healthcare breach, the HIPAA action was taken by the Minnesota Attorney General and lasted for six months before a settlement was reached. This was followed by a class action suit. By settling both suits, the healthcare organization ended the court hearings, thereby reducing legal fees and maintaining some control over the cost of the penalty.
Better the devil you know
HIPAA statutes and regulations are untested in the legal system, which makes discretion seem the better part of valor. Organizations want to avoid being the test case for a HIPAA verdict in the courts. They fear that a full-blown defense would result in a penalty or civil assessment that would cost significantly more than a settlement. With no precedent, organizations prefer to err on the side of caution.
Crisis management: Be proactive, then move on
The damage to reputation from a HIPAA violation is often as indirectly costly as a penalty. Once a violation occurs, healthcare organizations adopt a crisis management mode and work to mitigate the harm their reputations might suffer.
PR 101 recommends that an organization own a high-profile mistake, apologize, pay a hefty compensation, and move on quietly. Lengthy court cases prolong the media attention for months, possibly even years. And if an organization becomes the first to see a HIPAA action through to verdict, its brand will inextricably be tied to HIPAA forever. By opting to avoid court and pay the settlement, organizations can reduce the duration of the scandal and minimize reputation damage.
Steps to take in the event of a data breach
Once a HIPAA violation has been discovered internally, it is important that an organization take the following steps.
-- Prepare a crisis management team. A HIPAA breach will affect most departments in an organization so it is important to establish a crisis management team composed of department heads including public relations, human resources, IT, legal, and finance. Each participant should provide relevant information pertaining to the incident. For example, IT can provide an audit log highlighting a device's security posture at the time of the breach. It is important to ensure that a detailed communications plan is in place and that employees are aware of how they should respond to questions about the breach.
-- Notify the appropriate parties. In the case of an unsecured breach of protected health information involving more than 500 individuals, the US Department of Health & Human Services (HHS) mandates that the offending organization notify the affected individuals, the HHS, and prominent media outlets within 60 days of the breach.
If the breach involves fewer than 500 people, the organization must notify the affected individuals and maintain a log of the breaches to submit to the HHS before the end of the calendar year that the breach occurred.
-- Respond to the civil money penalty (CMP). The HHS determines the CMP based on some general factors, including the nature and extent of the violation, the nature and extent of the harm resulting from the violation, the history of prior compliance including violations by business associates, the financial condition of the organization, and any other extenuating factors. Once this penalty is served, the healthcare organization must respond by paying the penalty or by filing an appeal.
How to avoid a HIPAA violation
- Review and update HIPAA privacy and security policies and procedures and stay up-to-date with regulatory compliance requirements.
- Educate employees about data security protocols involving physical records and mobile devices and data.
- Encrypt protected health information that is stored on portable devices including laptops, tablets, and smartphones.
- Deploy a persistent security and management software agent that will allow you to maintain a connection with a device regardless of user or location.
- Prove device and data security compliance with encryption status reports and anti-virus and anti-malware reports to show these solutions were in place and working properly. (This is an important step to satisfy the rules set by the HHS Office for Civil Rights.)
- Ensure your security software lets you perform remote actions on the device such as data delete, data retrieval, device freeze, and forensic investigations in the case of a security incident.
You've done all the right things to defend your organization against cybercrime. Is it time to go on the offensive? Active response must be carefully thought through and even more carefully conducted. This Dark Reading report examines the rising interest in active response and recommends ways to determine whether it's right for your organization. Get the new Identifying And Discouraging Determined Hackers report today (free registration required).