As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other risks.
On December 8, 2014, OCR announced that Anchorage Community Mental Health Services (ACMHS), a five-facility, nonprofit organization providing behavioral healthcare services to children, adults, and families in Anchorage, Alaska, had agreed to pay $150,000 and enter into a two-year corrective action plan (CAP) to settle potential Security Rule violations stemming from its March 1, 2012, report to OCR that malware had compromised the security of its information technology (IT) resources, affecting 2,743 individuals’ electronic protected health information (ePHI).
OCR initiated its investigation on June 1, 2012, and determined that from January 1, 2008, through March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to the ePHI on its network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that IT resources were both supported and regularly updated with available patches. OCR also determined that ACMHS failed to conduct an accurate and thorough risk assessment, and although ACMHS adopted sample Security Rule policies and procedures in 2005, OCR determined that ACMHS failed to follow those policies and procedures or implement security measures sufficient to reduce risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
In its bulletin, OCR emphasized that the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software. OCR also noted that ACMHS had cooperated with OCR throughout its investigation and had been responsive to technical assistance provided to date.
In addition to the $150,000 settlement payment, ACMHS also agreed to a two-year CAP under which it must update and distribute its Security Rule policies and procedures to workforce members and obtain a compliance certification acknowledging that each workforce member has read, understands, and will abide by the policies and procedures. ACMHS must also provide security awareness training, the content of which must be approved by OCR, to workforce members upon hire and annually thereafter; obtain signed certification from workforce members indicating that training has been conducted; conduct and document an annual risk assessment; and submit annual reports to OCR.
This first-of-its-kind resolution agreement serves as a shot across the bow to covered entities taking a passive approach to Security Rule compliance. As OCR’s next round of HIPAA audits looms on the horizon, covered entities should ensure not only that they have adopted appropriate Security Rule policies and procedures, but also that they are following those policies and procedures by regularly assessing risk and ensuring that their security measures are up to date to account for evolving threats.