University of Washington Medicine has agreed to an OCR HIPAA settlement for a phishing attack suffered in 2013. A financial penalty of $750,000 must be paid to the Office for Civil Rights, and a corrective action plan (CAP) must be adopted to address areas of non-compliance with the HIPAA Security Rule.
First OCR HIPAA Settlement for a Phishing Attack
Data breaches are investigated by the Office for Civil Rights, and financial penalties are sometimes issued when data breach investigations reveal failures to comply with the HIPAA Privacy, Security, and Breach Notification Rules. This is the sixth time this year that a financial penalty has been issued to a covered entity by the Office for Civil Rights for a failure to comply with HIPAA Rules.
Oftentimes, OCR is content with issuing a robust CAP to a covered entity to ensure that action is promptly taken to address any non-compliance issues discovered during a data breach investigation.
Organizations have been investigated and received a CAP in the past, even though numerous violations of HIPAA Rules had occurred. It could be argued that a HIPAA settlement for a phishing attack is somewhat severe, especially when the financial penalty is as high as $750,000. The latest settlement involved only one potential HIPAA violation, after all: the failure to conduct a comprehensive risk analysis.
That failure potentially contributed to the exposure of Protected Health Information of 90,000 individuals. It could be argued that even a comprehensive risk assessment would not have prevented the phishing attack, although that will never be known.
However, the provision of training to staff members to help them identify phishing emails is a fundamental security measure that all HIPAA-covered entities must conduct. Phishing is a technique commonly used by cybercriminals to bypass multi-million-dollar security defenses.
Healthcare employees are seen as a weak link in the security chain. If a single employee can be convinced to provide login credentials to a hacker or, in the case of University of Washington Medical Center, install malware onto a networked computer, full access to ePHI could potentially be obtained by cybercriminals. Covered entities must make it harder for hackers to obtain ePHI than simply sending an email to a member of the hospital staff.
A Comprehensive Risk Analysis is a Fundamental Element of the HIPAA Security Rule
A full risk analysis is a fundamental element of the HIPAA Security Rule. If a comprehensive risk analysis is not conducted, a covered entity will not be able to determine with any degree of certainty whether all risks to ePHI security have been identified and addressed.
In the case of University of Washington Medicine, the risk assessment did not include all affiliates. University of Washington Medical Center was required to also be included in the risk assessment.
The Provision of Email Security Training to Employees is Essential
Given the frequency of data breaches suffered as a result of phishing emails in recent years, the provision of basic security training to staff members is essential, especially when a response to a phishing campaign could prove catastrophic.
It would be hard for a covered entity to argue that phishing emails were not a major security risk. Any member of staff with an email account is at risk of being sent a phishing email. Consequently, email security training should be provided to all members of staff. Susceptibility to phishing attacks should be highlighted by a risk analysis and should feature high up in a healthcare provider's risk management plan.
With the HIPAA compliance audits just around the corner, and a high risk of a HIPAA settlement for a phishing attack being warranted, covered entities that have not yet issued all staff members with training on email security must devise a training plan as a matter of urgency.
Training may be sufficient to prevent a sizable data breach from being suffered. It is worth bearing in mind that the largest two healthcare data breaches ever reported were both caused by phishing attacks. Those breaches exposed 78.8 million and 11 million records respectively, and were both discovered this year by Anthem Inc. and Premera Blue Cross.