Last week the Department of Health and Human Services announced a $218,400 settlement with St. Elizabeth’s Medical Center in Brighton, MA relating to a HIPAA compliance violation.
This enormous fine wasn’t the result of employees deliberately leaking information. It didn’t come as a result of a major data breach caused by criminal hackers. It came about because hospital administrators didn’t have adequate controls in place around their IT.
From the Boston Globe:
“The settlement… comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients.”
Employees who likely meant well started putting sensitive data into the cloud. That’s a major shadow IT headache for any organization. For those businesses that are subject to HIPAA or other compliance requirements, it’s also a very expensive headache.
Back to the Globe:
“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” Jocelyn Samuels, director of the HHS’s Office for Civil Rights, said in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
Think this can’t happen to your organization? Wrong. According to the AMA, even if you’re in the dark about the rules you can be fined up to $50,000. That’s a lot of money for an honest mistake.
If you’re handling any kind of sensitive patient data on your network, now is the time to take notice. Here’s where you should be focusing your efforts:
Training, Training, and More Training: Compliance issues are a people problem, not a technology problem. Having organization-wide understanding of compliance obligations is non-negotiable. Eradicating shadow IT and making sure that all of your employees understand why they can’t use the latest fad cloud application without permission is vital. Stop letting users make mistakes out of ignorance.
Policies and procedures and tools to share them matter. Doctors may take an oath to do no harm but if they or other staffers don’t know the rules, how could they know if they’re hurting patients through noncompliance?
User Proofing Wherever Possible: Having active control around where sensitive data is stored and how it is transmitted is crucial. That means you need a technical solution in place to enforce control obligations. Systems that don’t enforce the standards by default will burn you. This could be anything from automated filters to watch for particular content in emails, to encryption software that secures data at rest.
Robust IT Governance Processes: Is your IT department disconnected from the strategic direction of the business? How well aligned are IT’s priorities when compared with the end users? Fixing gaps like these discourages users from trying to implement shadow IT. If stakeholders are engaged through an IT Steering Committee or other governance structure they have the power to keep IT aligned with their needs. There’s no reason to go it alone if you’ve got organizational partners who are focused on enabling the business.
Not sure where to get started? SAI can help.