For a long time the lament about HIPAA was that it was a dog with no bite. Well, the reality of HIPAA fines is changing that perception rather quickly. One of the latest victims to feel the bite of hefty HIPAA fines is Idaho State University, which agreed to pay $400,000 in HIPAA fines to the US Department of Health and Human Services (HHS) and to subject itself to increased scrutiny in the near future.
What did the university do to warrant such a hefty fine? Well, it seems they suffered a breach of 17,500 patients' ePHI (electronic protected health information) from its Pocatello Family Medicine Clinic. A breach can happen to just about any organization, but in this case how the breach occurred seems pretty obvious. Someone felt that pesky firewall was just too much trouble to manage, so they did what anyone who thinks firewalls are too hard to manage would do. They disabled it! Not only that, but they kept it turned off for 10 months.
To give Idaho State University some credit, once the breach and its cause were discovered, they did disclose the facts to Health and Human Services. But that doesn't excuse what happened here (hence the fine). In the press release, HHS notes that it wasn't just the fact that the firewall was disabled that justified this fine. HHS also faulted Idaho State for either failing to discover that the firewall was disabled as part of its regular risk assessment and review of the IT security systems in place or, worse yet, discovering it and allowing it to continue. Either way, someone was asleep at the wheel.
Not to overstate the obvious, but a firewall management program would have turned up the fact that the firewall was turned off. Beyond that, though, assuming your firewall is turned on (and let's hope it is), do you have a handle on its management? Are you confident that your firewall is locked down so you won't be the next health provider fined under HIPAA, or the next retailer fined under PCI?
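To make the "firewall management program" concrete, here is an added example (not code from the original post or from any of the organizations it mentions) of the kind of routine check such a program runs: each host reports the raw output of its firewall status command, and the audit flags any host whose firewall is off, whose output cannot be interpreted, or whose last report is too old to trust. The host names, dates and status outputs are constructed sample data; the check-in format and the seven-day freshness window are assumptions made for the illustration.

```python
"""Added example: a small firewall-state audit over host check-ins.

Assumed (hypothetical) data model: every managed host periodically reports
the raw text of its firewall status command plus the time of the report.
A host only passes when its firewall is ON and the evidence is fresh, so a
host that silently stops reporting is a finding, not a pass."""
from datetime import datetime, timedelta

# Constructed reference time for the audit run (sample value, not a real event date).
AUDIT_DATE = datetime(2024, 5, 21)

# Constructed sample check-ins: (host, firewall tool, raw status output, report time).
SAMPLE_CHECKINS = [
    ("clinic-ehr-01", "ufw", "Status: active\n", AUDIT_DATE - timedelta(days=1)),
    ("clinic-ehr-02", "ufw", "Status: inactive\n", AUDIT_DATE - timedelta(days=1)),
    ("clinic-db-01", "firewalld", "running\n", AUDIT_DATE - timedelta(days=2)),
    ("clinic-db-02", "firewalld", "not running\n", AUDIT_DATE - timedelta(days=2)),
    ("clinic-ws-07", "netsh",
     "Domain Profile Settings:\nState ON\n\nPrivate Profile Settings:\nState OFF\n",
     AUDIT_DATE - timedelta(days=1)),
    # Last report roughly ten months ago: nobody has looked at this host since.
    ("clinic-ws-09", "ufw", "Status: active\n", AUDIT_DATE - timedelta(days=300)),
]


def firewall_enabled(tool, output):
    """Interpret the status text of a few common firewall tools.

    Returns True when the firewall is on, False when it is off, and None when
    the text is not recognised (the audit treats None as a finding, never as a pass).
    """
    text = output.strip().lower()
    if tool == "ufw":
        if text.startswith("status: active"):
            return True
        if text.startswith("status: inactive"):
            return False
        return None
    if tool == "firewalld":
        if text == "running":
            return True
        if text == "not running":
            return False
        return None
    if tool == "netsh":
        # Windows reports one "State ON/OFF" line per profile; every profile must be ON.
        states = [line.split()[-1] for line in text.splitlines() if line.startswith("state")]
        if not states:
            return None
        return all(state == "on" for state in states)
    return None


def audit(checkins, now, max_age=timedelta(days=7)):
    """Return a list of (host, reason) findings for hosts that fail the check."""
    findings = []
    for host, tool, output, seen in checkins:
        age = now - seen
        if age > max_age:
            # Stale evidence is a failure: an unverified firewall is an unknown firewall.
            findings.append((host, f"stale: last check-in {age.days} days ago"))
            continue
        state = firewall_enabled(tool, output)
        if state is None:
            findings.append((host, f"unparseable {tool} output"))
        elif not state:
            findings.append((host, "firewall disabled"))
    return findings


if __name__ == "__main__":
    for host, reason in audit(SAMPLE_CHECKINS, AUDIT_DATE):
        print(f"{host}: {reason}")
```

Run against the constructed inventory, the audit reports the two hosts whose firewall is off, the Windows host with one profile off, and the host that has not reported in 300 days; the one thing it never does is stay quiet about a host it has no fresh evidence for, which is precisely the gap a ten-month outage slips through.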
I hate to argue for security for compliance's sake alone, but with fines of this magnitude being tossed around, it is hard to ignore. One fine like this can pay for a whole lot of firewall management. Talk about an ounce of prevention being worth a pound of cure. Beyond the compliance, though, think for a moment about security and why it is important.
Remember that this isn't just about the fine. The fine was levied because over 17,000 records containing the confidential medical and other personal information of over 17,000 people were breached and stolen. If you were one of the individuals affected by the breach, you may feel very differently about whether or not such a large fine was justified.
This case, along with other recent public announcements of large HIPAA fines, is sending a message. Whether you are a large health care provider or a small one, failure to comply with the HIPAA rules on securing confidential patient data is going to be an expensive proposition. They are serious about security and you should be too. Health care organizations with multiple locations like Idaho State University need systems in place to manage health information security systems. It all starts with turning your firewalls on. Don't be the next organization in the news for HIPAA fines; take charge of your health information technology infrastructure today.