A costly failure to encrypt for University of Rochester Medical Center

The health system will pay $3 million to settle with OCR and take corrective action after protected health information was left unencrypted on lost and stolen mobile devices.
By Mike Miliard
11:06 AM

A HIPAA violation is costing University of Rochester Medical Center, one of the biggest health systems in New York, $3 million as it settles with the U.S. Department of Health and Human Services for not encrypting its data.

WHY IT MATTERS
The flash drive was lost. The laptop was stolen. Both contained protected health information that was unencrypted, according to the HHS Office for Civil Rights, which in addition to the monetary settlement is requiring URMC to undertake a corrective action plan that includes two years of monitoring its HIPAA compliance.

URMC notified OCR of the two breaches in 2013 and 2017 – after finding out about the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. 

Upon performing its audit, OCR found that URMC hadn't conducted an enterprise-wide risk analysis. Nor had it implemented security measures robust enough to reduce risks and vulnerabilities "to a reasonable and appropriate level," according to the agency. 

The health system had also neglected to put device and media controls in place, or use mechanisms to encrypt and decrypt ePHI as reasonable and appropriate to do so, officials said.

THE LARGER TREND
OCR also noted that it had investigated URMC back in 2010 about a similar breach involving a lost unencrypted flash drive. Even though it had provided technical assistance at that time, and URMC recognized the risks associated with not encrypting, the health system continued to allow use of unencrypted mobile devices.

Next month in Boston, at the HIMSS Healthcare Security Forum, IT and infosec leaders will be focused on basics like encryption and mobile device management – but also on more advanced strategies for meeting compliance and mitigating risk.

But even the basics should not be overlooked. They're more complex, and require more attention to people and process, than many realize.

"When you see (security breaches) in the news and think, 'What should we do?' it’s not that you need to have the most advanced new technology that doesn’t exist," said Michael Coates, former CISO at Twitter and Mozilla, who will keynote the event. 

"You need to go back to basics and say ‘We know what we need to do. It’s strong passwords. It’s hashing. It’s good security practices. But how do we do that at scale everywhere all the time? And that’s where things get tricky."

ON THE RECORD
As OCR sees it, those basic security practices are a fundamental must-have for HIPAA covered entities charged with protecting their patients data. 

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said OCR Director Roger Severino, announcing the URMC settlement. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.

 Prepare for next-gen cybersecurity threats and join the #HITsecurity discussion at the HIMSS Healthcare Security Forum this Dec. 9-10 in Boston.