
OLD Attack NEW Settlement – Ep 394 

 February 17, 2023

By  Donna Grindle

Today, we are talking about a new OCR settlement that was released from a 2016 hacking attack on Banner Health’s network, causing a data breach of over 2.81 million individuals. We’ll review the OCR CAP. But suffice it to say… until we have more engagement from every person connecting to the internet, we will never make real progress in the battle against cyber criminals.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com


If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


OLD Attack NEW Settlement

[05:15] Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. They had a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the PHI of 2.81 million consumers. OCR just announced a settlement with them that includes a whopping $1.25 million payment and a 2 Year CAP.

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking

Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals. It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.

– OCR Director Melanie Fontes Rainer

[15:40] Happy to see the message in there: “cyber security is on all of us”. I have started making that a point in every presentation. Until we have more engagement from every person connecting to the internet, we will never make real progress in the battle against cyber criminals.

The “potential” violations specifically include:

  • “Lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization” Lack of an SRA. Shocking – I know.
  • “Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information” No monitoring – Check the box and wait until next year’s compliance approach.
  • “Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.” Failure to encrypt in transit.

Usually the press release ends with standard language. But the language has now changed to include the following statement:

Cybersecurity incidents and data breaches continue to increase across all industries. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. The Biden-Harris Administration has brought a relentless focus to improving the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and taking aggressive action to strengthen and safeguard our nation’s cybersecurity. OCR supports this call to action by offering an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

– OCR Standard Language

What’s in the CAP?

[28:41] Banner Health Resolution Agreement and Corrective Action Plan | HHS.gov

The press release includes a summary of the CAP requirements. I personally am excited to see this because the CAP was so often hidden and not discussed beyond the fact that it existed. Here is the bullet list of steps Banner agreed to follow:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

[39:52] The CAPs have started using specific language about SRA requirements, and everyone who does an SRA for HIPAA should adopt that language as their definition. Here is the one for Banner:

Banner shall conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by Banner or its affiliates that are owned, controlled or managed by Banner that contain, store, transmit or receive Banner ePHI. As part of this process, Banner shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.

Let’s break that out into bullets, shall we…

Incorporate All:

  • Electronic equipment
  • Data systems
  • Programs
  • Applications

That are

  • controlled,
  • administered,
  • owned,
  • shared

By Banner or its affiliates that Banner

  • owns
  • controls
  • manages

That

  • contain,
  • store,
  • transmit
  • or receive Banner ePHI

Banner will then include a complete inventory of all

  • electronic equipment,
  • data systems,
  • off-site data storage facilities,
  • and applications

that contain or store ePHI.

A paragraph looks like a bunch of words but when you break it down like this, you see just what is expected in an SRA by OCR.

So, go take a look at the information in this settlement. Share it with others. Use it in meetings or discussions or presentations. OCR’s CAPs always have good information explaining what’s important and what you should be doing and what to document.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
