$150K HIPAA Fine for Unpatched SoftwareOCR Imposes Penalty on Alaska Mental Health Provider
Federal regulators are sending a powerful message about the importance of applying software patches by slapping an Alaska mental health services providers with a $150,000 HIPAA sanction.
The Department of Health and Human Services' Office for Civil Rights says Anchorage Community Mental Health Services' failure to apply software patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals.
ACMHS is a five-facility, non-for-profit organization providing behavioral healthcare services to children, adults and families.
The HIPAA settlement in the Alaska case marks the first time OCR has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule.
"Most of the previous [OCR] corrective action plans that I reviewed focused on policies, procedures and other forms of documentation," says security adviser Tom Walsh, president of Tom Walsh Consulting. "Many times, people are surprised to discover that there is nothing specifically written in the HIPAA Security Rule regarding vulnerability or patch management, firewalls, and monitoring of inbound and outbound traffic. However, it is difficult to manage risk appropriately without these prevailing security practices."
A meaningful risk analysis must include "looking beyond the minimum requirements in the HIPAA Security Rule and exercising proper due diligence to properly evaluate any risk factors that could affect patient information," Walsh stresses.
Independent HIPAA and healthcare attorney Susan A. Miller notes: "This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].
"The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately," Miller adds. "That includes operating systems, electronic health records, practice management - and any electronic tool containing PHI."
OCR says it opened an investigation after receiving notification in June 2012 from ACMHS regarding a March 2012 incident involving malware compromising the security of the mental health provider's information technology resources.
OCR's investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed. The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.
"ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches," says the OCR resolution agreement with ACMHS.
In addition, OCR says that contributing to the incident was ACMHS' failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.
"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," says OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
The corrective action plan with ACMHS calls for the mental health services provider to revise and distribute to all members of its workforce the organization's HIPAA Security Rule policies and procedures.
The plan also requires that ACMHS obtain a signed initial compliance certification from all members of its workforce, stating that they have read and agree to abide by the security rule policies and procedures. In addition, the plan requires ACMHS' workforce to attend HIPAA security training.
Also, the plan requires the organization to annually conduct a thorough risk assessment and document the security measures it implements to address the issues identified.
The settlement with the Alaska provider is the third HIPAA resolution agreement issued by OCR in 2014. OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients. In that settlement, OCR cited, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.
The other 2014 OCR resolution agreement was an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio. The provider agreed to the settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.