Idaho State University fined $400,000 for skipping HIPAA Security Risk Analysis

Skipped HIPAA Security Risk Analysis costs ISU $400,000

IT consultants and Managed IT service providers have been warning their clients that the HIPAA Security Risk Analysis is a very necessary component in their efforts to comply with the HIPAA rule. Some of our medical clients and prospects agree, while others are skeptical about the need for in-depth scans.

As is often the case, the Health and Human Services (HHS) Office of Civil Rights (OCR) started their investigation as a result of a reported breach of electronic Protected Health Information (ePHI). The health records of approximately 17,500 patients were left unsecured for up to ten months as a result of disabled rules in firewalls maintained by the university.

According to the HHS press release, “the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.”

The take-home message for every healthcare provider is this – you must not disregard the HIPAA security rule. It’s there for a reason and you will face stiff fines for willful neglect. Not knowing is a bad excuse – and a reason for even higher fines. West Chicago-area IT provider Thom Infotech advises their clients to do the following:

  • Perform a thorough Security Risk Analysis annually – This is critical for smaller practices that lack the necessary technical expertise to grasp the nuances of network security.
  • Perform Ongoing Risk Management – Network security is not a one-time, “set it and forget it” proposition. The threat landscape is constantly evolving, requiring diligence and constant attention.
  • Perform Routine Information System Reviews – Information systems are subject to frequent updates, patches, and security bulletins. Engage a knowledgeable IT expert to set up, maintain, and provide reports about your network.
  • Deploy high-quality firewall hardware – The difference between an electronics-store router and a quality Unified Threat Management (UTM) appliance cannot be overstated. Don’t cut corners on security!

The HIPAA rule may seem onerous and burdensome, but healthcare providers and their IT service providers need to wake up and take HIPAA compliance seriously. Patients deserve the privacy that only competent application of the privacy and security rules can provide. If you are looking for a healthcare-focused provider of IT services, please contact Thom Infotech today by calling 630-937-1500 or using this contact form. We’ll happily provide a no-risk basic assessment of your technology needs.