Why you need to prioritize HIPAA risk analysis?

Last week, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced two of the largest HIPAA settlements of the year. Two healthcare organizations were penalized for violating the Health Insurance Portability and Accountability Act. Neither had conducted the risk analysis that HIPAA requires.

Here are the two penalties – 

  • The $2.3 million settlement with CHSPSC, a provider of business associate services
  • The $6.85 million settlement with Premera Blue Cross, the largest health plan in the Pacific Northwest

All covered entities and business associates must comply with the HIPAA Security Rule, and risk analysis is one of its basic requirements. Organizations found non-compliant with this provision can face severe penalties from the OCR. But it is not just the HIPAA penalties that should worry you.

Let’s look at the details of the two HIPAA settlements.

The $2.3 million penalty on CHSPSC

CHSPSC, based in Franklin, Tennessee, provides business associate services to hospitals and clinics. In April 2014, the FBI notified CHSPSC that hackers had compromised its network. Despite the FBI notice, CHSPSC did not respond to the incident, and the attackers retained access for another four months.

The cyberattack affected 237 covered entities served by CHSPSC and resulted in the breach of the protected health information (PHI) of over 6 million people. The OCR investigation uncovered long-standing, systemic non-compliance with the HIPAA rules at CHSPSC.

The $6.85 million penalty on Premera Blue Cross

Premera Blue Cross (PBC) is the largest health plan in the Pacific Northwest. It operates in Washington and Alaska and serves over 2 million people. Hackers breached its network in 2014 and began stealing patient information. The breach went undetected for about nine months. By the time PBC discovered and stopped the intrusion, the attackers had accessed the PHI of more than 10.4 million people.

Here, too, the investigators found systemic non-compliance with the HIPAA rules. PBC had not conducted a risk analysis and did not have risk-management or audit controls in place. The PBC settlement is the second-largest the OCR has ever imposed.

Both incidents, the cyberattacks on CHSPSC and on Premera Blue Cross, were the work of an advanced persistent threat (APT), and in both cases the attackers stayed inside the network for a long time without being detected.

In the case of CHSPSC, the attackers were in the systems for about four months; in the case of PBC, they remained undetected for about nine months.

Why you need to prioritize HIPAA risk analysis

In both cases, the OCR found that the organization had not conducted a proper risk analysis of its information systems, nor had it created a risk-management plan. The other major HIPAA cases of 2020, including the $1.5 million penalty on Athens Orthopedic Clinic and the $1.04 million penalty on Lifespan, carried a similar note. No risk assessment. No risk-management plan.

Under the HIPAA Security Rule, you must carry out a risk analysis of your systems. You must also develop a risk-management plan to address the risks and vulnerabilities the analysis identifies.

Risk analysis and risk management plan 

The Security Rule requires you to protect electronic PHI (ePHI) from all reasonably anticipated threats.

For this purpose, you need to –

  • Carry out a thorough and accurate risk analysis of all information systems that create, receive, maintain, or transmit ePHI
  • Put in place a risk-management plan to address the risks identified by that analysis

The risk analysis should identify the risks and vulnerabilities that could threaten the confidentiality, integrity, and availability of ePHI. Skipping it leaves you with a security program that is poorly equipped to protect PHI, because you are defending against threats you have never enumerated.

Let's look at the Corrective Action Plans (CAPs) of the two organizations. According to the CAP for CHSPSC, the company failed to respond to a known cyberattack: it had been notified of the ongoing intrusion by the FBI and still did not act. CHSPSC had no technical access-control policies and procedures, and it had no procedures for reviewing the records of information system activity on systems that used or disclosed ePHI.

These gaps in its security program led to a four-month-long intrusion. The OCR cited CHSPSC for failing to respond to a known security incident.

Premera Blue Cross, too, lacked adequate security measures for protecting PHI. It had no software, hardware, or procedural mechanisms in place to record and examine activity in the systems that handled ePHI, which is what the Security Rule's audit-control requirement demands.

Under the two corrective action plans, the two organizations will:

  • Conduct regular risk assessments
  • Put in place a risk management plan  
  • Revise policies and procedures to meet the HIPAA standards 

CHSPSC must revise its policies and procedures for managing passwords, responding to security incidents, reporting and documenting security incidents, and reviewing information system activity.

PBC must update its policies and procedures for risk analysis, risk management, information system activity review, access control, audit controls, ePHI integrity, user authentication, and ePHI transmission security.

Along with the action points listed above, CHSPSC must also:

  • Conduct HIPAA training for its workforce
  • Train all new workers within 14 days of joining
  • Review its training materials annually
  • Conduct retraining as required

In Conclusion

Conducting a risk analysis and implementing a risk-management plan are two basic HIPAA requirements, and they are critical for compliance. Without these two steps you cannot systematically address the threats to ePHI.

CHSPSC was breached through compromised administrator credentials, which the attackers used to reach the network over the company's virtual private network (VPN). The attack on PBC began with malware installed through an email phishing campaign.

The damage done by the two cyberattacks could have been limited, if not prevented, had the two organizations followed the HIPAA rules: a risk analysis would have flagged unmonitored administrator access and the absence of activity review, and audit controls would have shortened the months-long dwell time.

Unfortunately, the failure to follow these two steps remains a disturbing trend across the industry.

Lack of proper HIPAA training is another reason such attacks keep recurring. Strong password practices, access control, and minimum-necessary disclosure are essential. A large share of malware and ransomware intrusions begin with phished or reused credentials and careless handling of email, exactly the initial vectors seen in these two cases.

Criminals use techniques such as phishing and credential stuffing to compromise employee accounts. That risk is reduced with proper employee training, backed by the access-control and user-authentication measures the Security Rule already requires.

What are your views on risk management? Have you read our blog on risk analysis? Share your views on these HIPAA settlements in the comments below.

Jessica Holland