Anchorage Community Mental Health Services (ACMHS) operates a small chain of 5 mental health clinics in and around the Anchorage, Alaska area. Like other medical facilities, they use computers for the collection, storage and dissemination of information – including patient information. Typical.
Like other facilities of its size it probably had an IT department but may or may not have had a CISO. Typical.
Like most institutions, ACMHS was hit by malware. Typical. And ACMHS had anti-malware software. Typical. And like most institutions, ACMHS did not always keep its anti-malware software updated and patched. And as a result, they suffered a data breach that revealed Protected Health Information(PHI) related to about 2,700 patients. Typical.
Enter the United States Government. The Department of Health and Human Services Office of Civil Rights (OCR) found out about the breach. Not too hard since they are required to report data breaches to the government.
So did the government step in and offer to help this entity, which was, after all, the victim of a crime? Did the FBI swoop in with a team of forensic investigators and cyber-sleuths and find the dastardly perpetrators of this criminal hacking offense? Not so much.
Nope, rather than going after and prosecuting the criminals, the U.S. government went after the mental health facility, and levied a $150,000 civil fine for failing to prevent the crime from occurring. The government contended that the mental health facility failed to apply software patches to their anti-malware program that facilitated the attack.
While OCR has imposed fines for HIPAA privacy and security violations in the past this represents the first time they have imposed fines for an institution for failure to have a software update program.
Now medical providers have a duty to protect the privacy and security of medical records. This is particularly true of records relating to mental health – the release of which can cause great harm to those impacted by the unauthorized release.
But one can reasonably question whether the imposition of fines – particularly after the fact – to small and medium sized health providers is the best way to incentivize companies to do the right thing. I don’t mean to imply that it isn’t. I mean that one can reasonably question whether it is. And compliance and security is the goal – not punishment – right?
The settlement also required the mental health clinic to create and have approved a comprehensive information security program – subject to review by HHS. Something they were pretty much already required to do. HHS, in the resolution agreement noted:
“ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
Of course, the devil is in the details. Did ACMHS not have firewalls? Did the firewalls not have IDS/IPS systems on them? Did they fail to have Data Loss Prevention systems on the network? Did they fail to adequately monitor outbound traffic for data exfiltration? Did they fail to ensure that the IT security staff was “adequately supported?” Or was the issue that the software was not adequately patched?
It’s not that ACMHS wasn’t doing something for security. In fact, they had adopted the OCR model information security program. They just weren’t doing everything – or doing it well enough. And that lead to a breach. Do I hear the sound of a barn door being closed?
This case illustrates one of the problems with the Health Insurance Portability and Accountability Act (HIPAA). Let’s say you are a covered entity and you hire an outside assessor to test your security. The assessment finds a bunch of vulnerabilities and process violations, and you take steps to address them in an orderly manner. You prioritize your resources based on risk.
So are you now “compliant” with HIPAA or not? The vulnerabilities still exist. So if one of them is exploited and PHI disclosed, are you compliant? Does compliant mean invulnerable? IS HHS OCR an entity’s partner in security – there to help disseminate more information and lessons learned to help covered entities be more secure, or the privacy cops trying to play gotcha and impose burdensome and punitive fines. Do these fines really make entities more secure?
Who knows.
But HHS should know. They should research what helps make entities more compliant. What motivates entities to do the right thing for themselves and their patients. Clearly the current regime is not working – or not working well. The money paid by the Anchorage entity to the federal government could clearly be better spent on security. Or heaven forbid on healthcare.
We can expect much more of this. Whether it will work or not depends on how we define “works.” Until then, let’s be careful out there.