On December 28, 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) entered into an agreement with 21st Century Oncology (21CO), a Florida-based oncology services provider, for a data breach which 2.2 million patients in 2015 in violation of HIPAA rules, under 45 C.F.R. Part 160. 21CO has 143 centers in 17 US states and 36 centers located in Latin America. Under terms of the agreement, 21CO will pay civil penalties to OCR of $2.3 million and will enter into a “voluntary” Corrective Action Plan (CAP), a significant set of severe federal oversight obligations that every Healthcare organization looks to avoid.
On two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21CO that patient information was illegally obtained by an unauthorized third party and 21CO patient files were purchased by an FBI informant. As part of its internal investigation, 21CO determined that the attacker accessed a 21CO SQL database as early as October 3, 2015, through the remote desktop protocol from an Exchange server within 21CO’s network.
The Office of Civil Rights determined that 21CO:
Impermissibly disclosed the protected health information (PHI), including names, social security numbers, and diagnoses, and treatments, of 2,213,597 of its patients.
Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).
Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Disclosed protected health information to third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.
As part of its Corrective Action Plan with the HHS, 21CO will:
Appoint a compliance officer.
Complete a risk analysis and risk management plan.
Revise and adopt policies and procedures.
Provide HHS with an accounting and copies of its business associate agreements.
Conduct internal and external monitoring.
Create an internal reporting mechanism for workforce members to report violations of 21CO’s policies and procedures.
Submit to HHS an annual report for the duration of the CAP that summarizes its compliance with the aforementioned requirements.
Maintain for inspection, all documents and records with this CAP for six (6) years from the effective date of the CAP.
What does this ruling mean for Healthcare and Life Sciences organizations?
In one ruling, the Department of Health and Human Services (HHS), which not only manages the Centers for Medicare and Medicaid Services but the Food and Drug Administration (FDA), has indicated that it will no longer tolerate weak security controls and substandard policies and procedures. The link between federal quality standards and privacy and security risk is now officially drawn. While neither the HHS nor the FDA have official security standards defined, this ruling suggests the Department of HHS is keenly aware of what “good” practices look like. Any organization operating without sufficient standards, policies and procedures is subject to penalties and strict federal oversight controls. Any organization caught with a data breach is now subject to civil fines and penance projects that will detract from a predefined business mission. These penance projects can easily exceed the cost of the civil fines, doubling the overall cost to an organization.
This is a wake-up call for Healthcare and Life Sciences organizations. HHS and the FDA will no longer tolerate the loss of personal information or the loss of health records. Healthcare and Life Sciences market leaders will take this as an opportunity to refine their security standards, review policies and procedures and issue pertinent guidance. Market followers will fall prey to the turmoil of cyber warfare.
What should I do?
If you are an executive, director or information services member of a Healthcare or Life Sciences organization, we advise that you take the opportunity to ensure your privacy and security risk programs are sound and will sustain the rigor of federal scrutiny. More importantly, your privacy and risk programs will need to sustain the rigor of being exploited by a rogue participant — and, in today’s world, that simply means that any failure to perform common security tasks puts your organization at great risk. It is simply way too easy to exploit a system that has not been patched, or a system that has not had simple application security controls applied or a system that has a weak security footprint. If you think that this is uncommon and highly unlikely for your organization, think again. Over 57% of all systems on the internet suffer at least one common, yet significant security risk that can put an organization’s data at risk.
Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.
More Information on this Article
21CO’s HHS Resolution Agreement: https://www.hhs.gov/sites/default/files/21co-ra_cap.pdf
HHS December 28, 2017, Press Release: