In a ground-breaking settlement, Lahey Hospital and Medical Center agreed to pay $850,000 to settle a suit alleging violations of the Federal Health Insurance Portability and Accountability Act (HIPAA). The cause of the incident? Weak security controls over medical devices used in a Boston area medical facility.
The settlement marks a milestone, of sorts. As this article notes, it is believed to be the first case of an Office of Civil Rights (OCR) settlement concerning the security of a medical device in a hospital setting. Most HIPAA cases to date have been linked to either stolen (or lost) employee laptops or patient data stored in electronic health record (EHR) systems.
According to a November 25 statement from the Department of Health and Human Services (HHS), Lahey notified HHS’s Office of Civil Rights in August that a laptop was stolen from an unlocked treatment room in the organization’s Burlington, Massachusetts facility. It was on a stand that accompanied a portable CT scanner, operating the scanner and producing images for viewing. At the time the laptop was stolen, it contained the protected health information (PHI) of 599 patients.
A subsequent investigation by OCR noted a wide range of violations of HIPAA rules at Lahey, including a failure by the hospital to conduct a thorough risk analysis of all its electronic patient health information (ePHI). There was an absence of both physical and logical safeguards for the CT scanner workstation. Among other things, the laptop was accessed using a common user name and password, making it impossible to track user identity with respect to the workstation. OCR also noted a failure by the hospital to implement and maintain policies and procedures for safeguarding ePHI on workstations used with diagnostic and laboratory equipment.
Those kinds of lapses are all too common. What is unusual in the case of Lahey is the amount of the fine - $850,000 for just under 600 exposed records – or more than $1,400 per record. By comparison, in September, HHS announced an agreement for Cancer Care Group P.C. for a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The information on 55,000 current and former Cancer Care patients was exposed in that incident – the fine came out to around $13 per record.
Why the huge disparity? One theory is that HHS and OCR are sending a loud message to other hospitals about the need to pull their population of medical devices and related systems under the risk management umbrella: understanding what (if any) ePHI resides on those devices and making sure that adequate physical and logical controls are in place to protect that data.
OCR Director Joceyln Samuels said as much in the organization’s statement on the Lahey settlement.
“It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment. Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
Stories about medical device insecurity often focus on the devices themselves and concerns about malicious attacks that could disable a life saving device, or cause it to malfunction. But the truth is that many modern medical devices are collections of specialized and general-purpose equipment – including consumer-grade laptops and desktops or mobile devices that are used to manage device operation and view output. While these devices are identical to other IT assets, their role as part of clinical or diagnostic systems means they are managed separately from other IT assets – often with loose access requirements and less frequent patching.
The Lahey case should send a message to hospitals that such disparate treatment for the IT assets attached to clinical systems could be a huge risk and exposure for any healthcare organization. That, in turn, may prompt healthcare providers to get serious about tracking and managing these critical IT assets.
Related ArticlesInsider Leaked 1.2K Patient Records for 20 Months
The employee accessed information, including names, addresses, and social security numbers, from Feb. 2017 to Oct. 2019.Friday Five: 9/20 Edition
A popular password manager fixes a bug, a 20 million person breach, and more - catch up on the week's infosec and privacy news with this week's Friday Five!Phishing Attacks at Hospice Expose PHI, PII
A hospice in Tennessee didn't realize until months after suffering a phishing attack that it may have resulted in the access of sensitive protected health information.