Data breach at BlueCross BlueShield of Tennessee and subsequent penalty stands an example of the financial fallout from poor healthcare IT security practices
But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn’t been enough financial incentive to push it up the stack on the IT to-do list, he says. The HHS making the risk of pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA Training) security requirements changes that financial equation for these organizations, he says.
“What I’m seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically to allocate funds to get that new EMR in house or that new clinical system, because that’s going to pay off in revenue,” he says. “But when it comes to making sure HIPAA requirements are up to date, that’s usually the last line item on the budget because it’s really a sunk cost. Now they’re going to have to look at the risk involved and wonder ‘Do I risk having a million dollar lawsuit if I don’t put the right security protocols in place?'”
The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.
“This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said Leon Rodriguez, director of HHS OCR. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. “One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don’t know for sure, but it seems like BlueCross BlueShield of Tenessee may not have done that evaluation. If they had done it, they might have said, ‘We’ve got these hard drives containing this unencrypted PHI and it’s in a locked closet but that’s not sufficient in this leased space,'” he says. “That’s probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI.”
For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.
“Really, it’s all about making sure that if you have data servers in your office or workplace, they need to be locked down–they need to locks on them–and they need to be encrypted,” he says. “Those are two of the main things that are not commonplace but they should be.” Health Care Compliance
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.