The Health and Human Service (HHS) Department’s Office for Civil Rights (OCR) recently settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen. As the two most recent data breach settlements, this sends a strong message about the importance of endpoint security in healthcare.
Concentra Health Services (Concentra) has agreed to pay OCR $1,725,220 to settle potential violations following the theft of an unencrypted laptop from a physical therapy centre in 2011. HHS deemed that Concentra failed to adequately remediate and manage its lack of encryption or other protections and that Concerta did not sufficiently implement policies and procedures to prevent, detect, contain and correct security violations, despite a number of risk assessments identifying ePHI was at risk.
QCA Health Plan has agreed to pay OCR $250,000 to settle potential violations following a breach of ePHI from an unencrypted laptop stolen from an employee’s car in 2012. HHS deemed that QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held. Additionally it was found that QCA did not implement physical safeguards for all workstations that access ePHI to restrict unauthorized users.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
It would seem that the OCR is sending a strong message about the importance of endpoint security, particularly for organizations who have identified, but not corrected, their own device and data weaknesses. Although, as the OCR suggests, encryption is an important element in endpoint security and ePHI protection, encryption is not enough.
We recently released a webinar on the shift in the regulatory landscape of compliance penalties that put healthcare organizations at greater risk. View that webinar here.