Wednesday, February 22, 2017

Memorial Healthcare pays $5.5 million HIPAA settlement

Well, at this point hopefully those in the infosec field, especially in the healthcare arena, are aware of the recent settlement by Memorial Healthcare (Hollywood, Florida) for $5.5 million.  This was for violations of HIPAA that resulted in the protected health information (PHI) of over 100,000 individuals being potentially exposed.  While not the highest penalty, it is certainly up there.

You can read the whole press release HERE, as well as the settlement agreement HERE, which includes the corrective measures they must take.

For me, this is notable as Memorial Healthcare is one of the local hospital groups in my area.  Now, I have no connection with Memorial, I do NOT have any inside information on them.  All I know is what I have read in the above articles.

But it is interesting reading what happened, as it points to some issues I've seen at other locations as well as general issues I see in information security.

So the big issues here were: 1) failing to manage login credentials and 2) failing to audit & monitor their environment.

With the first, we are told that the login credentials (user account) of a former employee were used for a year and nobody noticed.  Now, sadly, this is an issue I've seen at many places.  There is often a disconnect between HR and IT when it comes to an employee leaving.  Many times an employee leaves and HR doesn't tell IT about it, or not immediately, and their account is left active.  This happens more often when the employee leaves than when they are fired, because often if someone is fired there is a rush to lock out access.  If they leave on good terms, there is seldom a sense of urgency.

Now, if you look at all the security frameworks out there (ISO27001, NIST CSF, etc), "HR Security" including a termination process, is part of what we look for.  And yes, even the HIPAA regulations ask for a termination process or checklist.  So if anyone is working with these standards, they should have something in place.

Thus, to deal with this issue of HR not telling IT (i.e., basically someone forgetting to follow a termination process/checklist), many good IT orgs take some steps to address this on their end.  Usually this means requesting from HR on a regular basis a list of all current employees, and checking this against all active accounts.  Some will do this monthly or quarterly, depending on the size of the organization.  This helps to lock down or close out open accounts that get missed.

With contractor accounts, most orgs will have such accounts expire, based on the date of their contract.  If their contract is extended, then that expiration date will be extended. This addresses the issue of not being told that a contractor has left at the end of their contract.  (something I also see happen in many orgs.)

More difficult is dealing with third parties accessing the organization's information or infrastructure (remember Target?).  In this case, the potential issue is with employees at doctor's offices accessing the hospital's EHR system.  Unless the organization implements a system similar to the one for contractors, with accounts expiring on an annual basis and requiring re-authorization to extend the account, the potential problem is with someone leaving a doctor's office and the doctor's office not telling the hospital to close out that account.
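The checks described above (comparing active accounts to HR's list of current employees, and requiring an expiration date on contractor and third-party accounts) can be scripted. This is an added example, not something from the settlement documents; the CSV layouts, column names and account names are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: HR's list of current employees.
HR_ROSTER_CSV = """employee_id,name
1001,Alice Ames
1002,Bob Burke
"""

# Constructed sample: export of active accounts from a directory or EHR system.
# account_type is employee, contractor or third_party; expires is blank or an ISO date.
ACCOUNTS_CSV = """username,employee_id,account_type,expires
aames,1001,employee,
bburke,1002,employee,
cdiaz,1003,employee,
vendor1,,contractor,2017-01-31
vendor2,,contractor,2017-06-30
drsmith_office,,third_party,
"""


def review_accounts(roster_csv, accounts_csv, today):
    """Return (username, finding) pairs for accounts that need follow-up."""
    current_ids = {row["employee_id"]
                   for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["account_type"] == "employee":
            # Active employee account with no matching person on HR's list.
            if acct["employee_id"] not in current_ids:
                findings.append((acct["username"], "not on HR roster"))
        elif not acct["expires"]:
            # Contractor and third-party accounts should always carry an end date.
            findings.append((acct["username"], "no expiration date set"))
        elif date.fromisoformat(acct["expires"]) < today:
            # End date has passed but the account is still in the active export.
            findings.append((acct["username"], "expired but still active"))
    return findings


if __name__ == "__main__":
    for username, finding in review_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV,
                                             date(2017, 2, 22)):
        print(f"{username}: {finding}")
```
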

Then you have the second issue of auditing/monitoring.  The HIPAA regulations expect organizations to be auditing and monitoring their environment.  Now, the regulations don't get into details as to what should be audited, which is good and bad.  The good is that it gives organizations the flexibility to audit and monitor what is relevant.  The bad is that some organizations, due to a lack of knowledge when it comes to generally accepted IT practices, don't really know what should be relevant.

OCR even issued this recent (Jan 2017) guidance on the importance of audit controls HERE.  But, again, this doesn't get into the level of detail that some groups are looking for.

The regulations do point out a few areas that should be audited.  Failed logins.  Logging of changes to the information in the EHR system (hopefully so someone can do random audits to ensure nothing improper was done).  But that's about it.

What should be audited/monitored?  Failed logins, certainly.  Updates and changes to firewall rules.  Unusual activities on the network (tho this requires that one has worked out what the baseline should be).   User access rights should be audited (too often people change positions without old access being removed).  Updates, changes to PHI (to make sure nothing improper has been done, and that people accessing it should be doing so).  And so on.
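Two of the items above, failed logins and use of an account that should no longer exist, can be checked in one pass over authentication logs. This is an added example, not from the original post; the log format, usernames, separation dates and the five-failures-in-ten-minutes threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events, one per line: ISO timestamp,username,result
AUTH_LOG = """2017-02-20T08:01:00,aames,success
2017-02-20T08:05:10,bburke,failure
2017-02-20T08:05:20,bburke,failure
2017-02-20T08:05:30,bburke,failure
2017-02-20T08:05:40,bburke,failure
2017-02-20T08:05:50,bburke,failure
2017-02-20T23:40:00,cdiaz,success
2017-02-21T09:00:00,aames,failure
"""

# Constructed separation dates as HR would supply them (username -> last day).
SEPARATED = {"cdiaz": datetime(2016, 3, 1)}


def review_auth_log(log_text, separated, max_failures=5,
                    window=timedelta(minutes=10)):
    """Return (username, reason, timestamp) alerts from authentication events."""
    alerts = []
    recent_failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        stamp, user, result = line.split(",")
        when = datetime.fromisoformat(stamp)
        # Any event, success or failure, on an account whose owner has left.
        if user in separated and when > separated[user]:
            alerts.append((user, "activity after separation date", stamp))
        if result == "failure":
            # Keep only this user's failures that fall inside the sliding window.
            fails = [t for t in recent_failures[user] if when - t <= window]
            fails.append(when)
            recent_failures[user] = fails
            # Alert once, at the moment the threshold is reached.
            if len(fails) == max_failures:
                alerts.append((user, "repeated failed logins", stamp))
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(AUTH_LOG, SEPARATED):
        print(alert)
```
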

I'd love to see someone (ideally HHS) come out with a list of some sort of all the possible things that could be audited/monitored, so that organizations can then pick and choose what is relevant for them.  Sadly, some would misuse this and think everything on the list had to be audited/monitored, and not think there are additional things to monitor.

Will be interesting to see how things shake out with this.  Will this lead to organizations doing a better job at auditing and monitoring?  Who knows?
