Case Study: Carrying Out a HIPAA Corrective Action Plan
What the University of Rochester Medical Center Learned From the Process
Mark Ballister, CISO of the University of Rochester Medical Center, and Jon Moore, chief risk officer of consulting firm Clearwater, discuss how the medical center's security risk management program has evolved since carrying out a HIPAA corrective action plan after two data breaches.
In 2019, federal regulators slapped the healthcare organization with a $3 million HIPAA settlement and mandated a corrective action plan following breaches involving missing unencrypted mobile devices.
The Department of Health and Human Services' Office for Civil Rights, in its resolution agreement with URMC, cited the New York-based healthcare organization for a familiar finding: failure to conduct an enterprisewide risk analysis.
"Typically, in 90% of OCR's HIPAA settlement cases, you'll see that the organization will have been found to have not completed a satisfactory risk analysis," says Jon Moore, chief risk officer at privacy and security consulting firm Clearwater, which is working with URMC in implementing the organization's corrective action plan.
"For larger organizations, conducting a HIPAA security risk analysis is often challenging. We're talking about large complex infrastructures with a lot of systems and components processing electronic protected health information on a regular basis," Moore says in a video interview with Information Security Media Group. "And one of the most difficult things for many organizations is to identify all the reasonably anticipated threats and vulnerabilities to that infrastructure."
Dealing with BYOD Risk
Much has changed at URMC since the 2013 and 2017 breaches at the center of OCR's investigation, which involved the loss of two BYOD devices, an unencrypted flash drive and an unencrypted laptop, says Mark Ballister, the organization's CISO.
For instance, at the time of the incidents, URMC lacked a BYOD policy, Ballister says.
"Just having the policy in place, to be able to state that it is unacceptable to have ePHI on the devices and to just plug them into the network - that is something we [implemented] shortly after the incident. But it really is about trying to control that data … and ensuring that it's encrypted," he says.
"We're making sure that if someone is bringing in BYOD media, it has to have a certain security threshold, and we're working through having them go on a separate network."
In this joint interview, Ballister and Moore, who were speakers at the Healthcare Information and Management Systems Society 2021 conference in Las Vegas, also discuss:
- How the OCR corrective action plan has changed URMC as an organization, including helping to improve the medical center's security posture;
- Tips for dealing with HHS OCR HIPAA compliance reviews and breach investigations;
- Other top security priorities and projects underway at URMC.
As CISO of the University of Rochester, Ballister is responsible for security across the organization's enterprise, including its medical center and its affiliates. That includes security operations - data and network security, incident response and vulnerability management, systems management and threat management - business continuity and risk management, and identity and access management. Previously, Ballister was the security intelligence and response manager for Paychex Inc.
Moore joined security and privacy risk management consulting firm Clearwater in 2018 as senior vice president and chief risk officer. He previously worked at PricewaterhouseCoopers, where he led the firm's federal healthcare practice.