New OCR Settlement Highlights Need for Endpoint Security

By: Arieanna Schweber | 9/17/2015

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a new HIPAA settlement with a small health care provider, which reinforces the importance of securing electronic health information (ePHI) on the endpoint.

On September 2, 2015, the OCR released a statement about its $750,000 settlement with Cancer Care Group, P.C. for HIPAA-related violations. The settlement relates to a 2012 breach of unsecured ePHI after a laptop bag was stolen from an employee’s car. The bag contained both a laptop and unencrypted backup media. The breach affected 55,000 current and former Cancer Care patients in Indiana. During its investigation, the OCR found widespread non-compliance issues related to risk analysis as well as a lack of policies related to ePHI.

In the statement, the OCR reiterated the importance of protecting the endpoint, which includes both technologies and comprehensive device and data policies, along with related education for employees.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

There has been a recent push to emphasize the importance of protecting data on the endpoint in healthcare. The US National Institute of Standards and Technology (NIST) also recently released a draft of its first cybersecurity practice guide, “Securing Electronic Health Records on Mobile Devices.” The endpoint has become one of the top risks for healthcare data, with strong indications that the OCR is expecting compliance to extend to the endpoint.

Absolute gives you the confidence to enable mobility so your organization can deliver the highest levels of patient care while protecting and securing patient information. Absolute DDS for Healthcare is a critical part of an effective layered security model, providing lifecycle security, risk assessment and risk response to help organizations prevent costly data breaches. With Absolute DDS, it’s all about the connection. By maintaining a two-way connection with each device, you have the insight you need to assess risk and apply remote security measures so you can protect each endpoint and the sensitive data it contains.
