Covered entities and business associates can learn many important lessons from recent HIPAA settlements, says privacy attorney Iliana Peters. She recently joined a Washington law practice after serving more than a decade as a HIPAA enforcer at the Department of Health and Human Services' Office for Civil Rights.
Among the most recent OCR settlements was a $2.3 million resolution agreement with Florida-based 21st Century Oncology related to a breach involving a 2015 cyberattack on the now-bankrupt cancer clinic.
Another recent OCR settlement was a $3.5 million resolution agreement with Massachusetts-based Fresenius Medical Care North America after five small 2012 data breaches.
"When we're looking at 21st Century Oncology, that was a persistent cyberattack that was ongoing for many months that was identified by the FBI," Peters says in an interview with Information Security Media Group. OCR's investigation into that breach found that 21st Century Oncology did a poor job not only with the basics, including risk analysis and risk management, but also with reviewing its information systems activity records.
"The HIPAA Security Rule requires that business associates and covered entities do a good job looking at their audit trails and access records," she says. "The rule requires they have this function enabled for their electronic protected health information. Many times, that feature is available on their applications and other systems controls, and they just have to turn them on. It's really important to monitor and review those systems logs ... because you can see over time when these attacks occur."
OCR argues in the 21st Century Oncology case that had the clinic been looking regularly at these reports, "it could've seen these persistent attacks over time ... and prevented them much earlier," she notes.
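The log review Peters describes is routine once the audit function is actually enabled: the point is to look at the same records day after day so that activity that is unremarkable on any single day stands out over weeks. The script below is an added example, not code from the article, from OCR or from any of the entities named; it reviews a constructed, space-separated ePHI access log and flags two patterns that only a review across days would surface. The log format, field names, the `svc_backup` account, the 203.0.113.9 address, the business-hours window and the two-day threshold are all assumptions made for the example.

```python
"""
Added example (not from the article): a minimal review of ePHI audit-log lines
that flags persistent activity across days, the kind of thing regular review of
audit trails and access records is meant to catch.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, one event per line:
#   timestamp | user | source_ip | action | patient_id | result
# The accounts, addresses and dates are invented for this example.
SAMPLE_LOG = """\
2015-03-02T09:14:05 jsmith 10.0.4.21 VIEW_RECORD P1001 OK
2015-03-02T23:41:10 svc_backup 203.0.113.9 LOGIN - FAIL
2015-03-02T23:41:17 svc_backup 203.0.113.9 LOGIN - FAIL
2015-03-03T10:02:44 jsmith 10.0.4.21 VIEW_RECORD P1002 OK
2015-03-03T02:12:30 svc_backup 203.0.113.9 LOGIN - FAIL
2015-03-03T02:13:01 svc_backup 203.0.113.9 LOGIN - OK
2015-03-03T02:15:09 svc_backup 203.0.113.9 EXPORT_RECORDS - OK
2015-03-04T01:58:52 svc_backup 203.0.113.9 EXPORT_RECORDS - OK
2015-03-05T02:03:17 svc_backup 203.0.113.9 EXPORT_RECORDS - OK
2015-03-05T11:20:00 rlee 10.0.4.33 VIEW_RECORD P1003 OK
"""

# Assumed local business hours; bulk exports outside this window are suspect.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, patient, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "action": action,
            "patient": patient,
            "result": result,
        })
    return events


def find_persistent_failed_logins(events, min_days=2):
    """Source addresses with failed logins on at least min_days distinct days.

    A couple of failures on one day is noise; the same source failing on
    several different days is a persistent attempt worth investigating.
    """
    days = defaultdict(set)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            days[e["ip"]].add(e["ts"].date())
    return {ip: sorted(d.isoformat() for d in ds)
            for ip, ds in days.items() if len(ds) >= min_days}


def find_after_hours_exports(events, min_days=2):
    """Accounts that export ePHI outside business hours on at least min_days days."""
    start, end = BUSINESS_HOURS
    days = defaultdict(set)
    for e in events:
        if e["action"] == "EXPORT_RECORDS" and e["result"] == "OK":
            t = e["ts"].time()
            if t < start or t > end:
                days[e["user"]].add(e["ts"].date())
    return {u: sorted(d.isoformat() for d in ds)
            for u, ds in days.items() if len(ds) >= min_days}


def review(text):
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "persistent_failed_logins": find_persistent_failed_logins(events),
        "after_hours_exports": find_after_hours_exports(events),
    }


if __name__ == "__main__":
    for finding, hits in review(SAMPLE_LOG).items():
        print(finding)
        for actor, days in hits.items():
            print(f"  {actor}: {', '.join(days)}")
```

On the constructed sample, the first check reports the external address failing logins on two consecutive days, and the second reports the service account exporting records in the small hours on three consecutive days, even though the login on the second day succeeded and each export on its own looks like a routine job. Either finding appears only because the review groups events by actor across days rather than reading one day's log in isolation.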
Meanwhile, OCR's settlement with Fresenius centered around five separate breaches that involved a variety of security weaknesses, including "a deficiency in physical access controls ... and the lack of encryption," she says.
"So, depending on the kind of breach you're looking at, there may be specific fixes over time, but in terms of a good baseline security program, all of the elements are there in the security rule and put entities in a better position to deal with things like advanced persistent threats, but also mobile security."
In the interview, Peters also discusses:
- Other lessons emerging from recent breaches reported to OCR;
- Ransomware breach reporting trends, and whether those incidents are being underreported to OCR;
- Steps for potentially improving the state of medical device cybersecurity.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. Before joining Polsinelli in February, Peters spent more than a decade at the Department of Health and Human Services' Office for Civil Rights, most recently as the acting deputy director of health information privacy and as the senior adviser for HIPAA compliance and enforcement. In these roles, Peters played a key role shaping OCR's enforcement agenda, as well as working with covered entities and business associates to address privacy and security issues. Before joining the OCR team in Washington, Peters worked as an investigator in OCR's Dallas regional office.