Healthcare provider pays the price for having lackluster security

Hospitals and other healthcare providers: Be sure all of your data is encrypted, otherwise you may end up paying the price.

In September, the U.S. Department of Health and Human Services fined the Massachusetts Eye and Ear Infirmary (MEEI) $1.5 million for failing to adhere to the requisite layered security guidelines laid forth in the Health Insurance Portability and Accountability Act (HIPAA).

The fine stems from a 2010 incident in which a doctor’s laptop was stolen, InformationWeek reported. The computer stored unencrypted patient information, including clinical and prescription data.

For healthcare providers and other organizations that deal with sensitive information, data encryption is key. Encryption renders stored data unreadable unless it is passed back through the corresponding decoding step, the American Medical Association reported. This way, even if a computer or other device is taken from a hospital, none of the information it contains can be accessed by unauthorized persons.

“In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Leon Rodriguez, director of the HHS Office for Civil Rights, said in a statement. “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

Using proper planning to protect patients
In addition to the fine, HHS charged MEEI with the task of developing a plan for how it will implement more comprehensive security practices in the future. InformationWeek reported that MEEI had failed to maintain due diligence in regard to security measures prior to the laptop theft.

In response to the HHS, MEEI said it has already begun to implement the requested changes and has started training its staff more extensively on cybersecurity and data breach issues. However, the healthcare provider said that the size of the fine did not accurately reflect the harm actually posed by the loss of the computer.

“The rapid advancement of mobile technology has been both a boon and a bane for healthcare providers,” MEEI said in a release. “In the case of Mass. Eye and Ear, it has tremendous benefit for our doctors and our researchers, enabling them to collaborate and pursue their work while they are on the move. It has also created new challenges for the entire healthcare community in the area of security safeguards.”

Do you think the punishment is fitting in this instance? Should all healthcare providers be required to use system restore and recovery software to safeguard patient information? Leave your comments below to let us know what you think about this issue!

Kate Beckham

Kate has been lighting up the blogosphere for over 5 years, with a keen interest in social media and new malware threats. When not sitting at a café behind her Mac, you’ll usually find her scouring the racks for vintage finds or playing guitar.