$418,000 Fine Issued for Poor Network Management
Virtua Medical Group (VMG), based in New Jersey, compromised the PHI of 1,650 individuals as the result of a misconfigured server. A vendor of Virtua updated software on a website that stored documents. The website was password-protected; however, during the update the vendor misconfigured the server, allowing access to the site without a password. As a result, patient information such as names, medical diagnoses, and prescriptions was exposed.
Several of the failures cited as reasons for the fine are things an effective network management system would address. Although the breach was caused by a vendor of Virtua, Virtua is being held responsible. Acting Director of the Division of Consumer Affairs, Sharon M. Joyce stated, “VMG is being held accountable because it was their patient data and it was their responsibility to protect it. This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
What is Network Management?
Network management encompasses the measures an organization implements to secure and maintain its network. With regard to HIPAA, network management means that an organization is doing all that it can to safeguard electronic protected health information (ePHI). The HIPAA Security Rule mandates that healthcare organizations protect ePHI with administrative, physical, and technical safeguards.
Virtua was fined by the state of New Jersey for:
- Failing to create and maintain retrievable exact copies of electronic protected health information
- Improperly disclosing protected health information
- Failing to maintain a log of the number of times the site was accessed
- Failing to implement a security awareness and training program
- Delaying identifying and responding to the security incident
Network management safeguards include:
- Authentication: HIPAA requires organizations to have the ability to track user access to their network. The best way to accomplish this is by giving each user a unique user ID to access the organization’s network. Wi-Fi Protected Access 2 (WPA2)-Enterprise is a network setting organizations can use to set up login credentials for each employee. WPA2-Enterprise is the easiest and most secure method to manage user access.
- Audit controls: monitor user activity on an organization’s network. Monitoring systems alert administrators to suspicious activity on a network, such as multiple failed login attempts or a user accessing the network from an unexpected location. Additionally, monitoring systems produce log reports, which demonstrate an organization’s due diligence in the event of a HIPAA audit.
- Physical site security: to prevent device tampering, organizations should secure equipment that contains ePHI using a Kensington lock. A Kensington lock is a security device that attaches a cable from a computer to a stationary object such as a table.
- Storage site security: many organizations use off-site data storage facilities to store their data. Storage and server equipment must be protected from unauthorized access. Old equipment must also be properly destroyed to prevent unauthorized access to the ePHI it holds.
- Encryption: although not explicitly mandated by HIPAA, encryption is the only way to protect ePHI. Data should be encrypted to prevent unauthorized access. Encryption encodes data so that unauthorized entities are unable to read it, protecting organizations in the event of a data breach.
- Data backup and recovery: as part of HIPAA law, exact copies of ePHI must be properly backed up. In addition, organizations must have a disaster recovery plan as well as a way to access data in the case of an emergency. Keeping backed-up data in an off-site location will allow for both. In accordance with HIPAA, data must be backed up frequently to ensure that patient information isn’t lost in the event of a breach or disaster.
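The audit-control item above describes two detections (repeated failed logins and access from an unexpected location) plus the log report an auditor would ask for. The following added example, which is not code from the article or from any product it mentions, shows the logic over a constructed log: the log format, the user names and addresses, and the trusted range 10.20.0.0/16 are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample audit-log lines (not from the article). Assumed format:
# ISO timestamp, user ID, source IP, login result.
SAMPLE_LOG = """\
2018-04-03T08:01:10 user=jsmith src=10.20.1.15 result=FAIL
2018-04-03T08:01:25 user=jsmith src=10.20.1.15 result=FAIL
2018-04-03T08:01:41 user=jsmith src=10.20.1.15 result=FAIL
2018-04-03T08:02:03 user=jsmith src=10.20.1.15 result=FAIL
2018-04-03T08:05:00 user=rjones src=10.20.1.22 result=OK
2018-04-03T08:07:12 user=rjones src=203.0.113.45 result=OK
2018-04-03T08:09:30 user=aclark src=10.20.1.30 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def failed_login_alerts(events, threshold=3, window_seconds=300):
    """Flag users with at least `threshold` failed logins inside any `window_seconds` span.

    A sliding window per user avoids alerting on a few failures spread over a day.
    Returns (user, max failures seen in one window) tuples.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["user"]].append(e["ts"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


def suspicious_location_alerts(events, trusted_networks):
    """Flag successful logins from outside the trusted address ranges (assumed allow-list)."""
    nets = [ip_network(n) for n in trusted_networks]
    alerts = []
    for e in events:
        if e["result"] != "OK":
            continue
        addr = ip_address(e["src"])
        if not any(addr in n for n in nets):
            alerts.append((e["user"], e["src"]))
    return alerts


def access_report(events):
    """Per-user counts of successful and failed accesses, the record an audit asks for."""
    report = defaultdict(lambda: {"OK": 0, "FAIL": 0})
    for e in events:
        report[e["user"]][e["result"]] += 1
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login alerts:", failed_login_alerts(evs))
    print("location alerts:", suspicious_location_alerts(evs, ["10.20.0.0/16"]))
    print("access report:", access_report(evs))
```

On the sample, the sliding window catches jsmith's four failures within five minutes, the location check flags rjones's login from 203.0.113.45 (outside the assumed internal range), and the report gives the per-user counts that would back up a "number of times the site was accessed" log, one of the items Virtua was cited for lacking.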
Implementing an effective network management system protects organizations and their patients. It may be difficult to accomplish this without dedicated IT staff. Organizations without IT staff should consult an expert to assist in their efforts. Before choosing a vendor to work with, it is important that organizations vet their vendors to ensure that the vendor’s security practices are adequate in accordance with HIPAA.
This is Part VII of the XI-part blog series. You can also read Parts I to VI below:
Behavioral health practices handle protected health information (PHI) regularly and, as such, must take precautions to safeguard this sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the seventh of which is network management. (Each one of these XI HHS-outlined practices will be examined in its own article, labeled Part I-XI for your convenience.)
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention
- HIPAA Asset Management (Part VI)