Printed from: SecurityGate
https://www.securitygate.io/blog/2018/07/md-anderson-fined-data-breach
MD Anderson Fined $4.3 Million for Data Breach
Posted by: Brent Gage   |    07/09/2018 08:00 AM    |    Categorized under:  Regulation

MD Anderson fined $4.3 Million for Cyber Security Breach

MD Anderson was found by the Department of Health and Human Services' Office for Civil Rights (OCR) to have violated HIPAA by failing to encrypt devices that held electronic protected health information (ePHI).  The failure exposed the ePHI of over 33,500 individuals when an unencrypted laptop was stolen in 2012 and two unencrypted USB thumb drives were lost in 2012 and 2013.

MD Anderson’s legal team made several arguments, all of which were rejected by the administrative law judge.  The last of them was that the penalties were unreasonably high compared with the fines imposed for previous breaches.  While the fine was noticeably higher than those levied for previous HIPAA violations, it is well within the amounts the law authorizes and in keeping with the current trend at OCR.  According to the 2018 Beazley Breach Briefing, the average OCR settlement has quadrupled over the last several years, coinciding with growth in both cyber security resources and public and institutional understanding of the risks of poor cyber security.

The OCR investigation showed that MD Anderson's own cyber security assessments, going back as far as 2006, listed the lack of encryption on mobile devices as a high risk.  Mobile device encryption costs money in both licensing and implementation time, and an organization with limited resources must weigh return on investment for every resource-intensive decision.  Looking at the poor state of cyber security across the healthcare industry as a whole, however, other explanations come into view.
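The finding above was a control gap that the organization had already written down: devices holding ePHI were not encrypted. The check that closes that gap is an inventory of which mounted filesystems actually sit on an encrypted volume. The script below is an added example for this page, not code from SecurityGate or MD Anderson. It assumes a Linux host with util-linux `lsblk --json` available and treats a filesystem as encrypted only when a dm-crypt (`type: crypt`) layer sits above it in the device tree; the `lsblk` output embedded in it is constructed so the example runs offline.

```python
"""Flag mounted filesystems that are not backed by a dm-crypt (LUKS) layer.

Added example; not SecurityGate's or MD Anderson's code. Assumes Linux
util-linux `lsblk --json`. The sample JSON below is constructed by hand.
"""
import json
import subprocess

# Constructed `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` output:
# an internal NVMe disk whose root filesystem lives on LUKS (plus a
# plaintext EFI partition, which is normal), and an unencrypted
# removable USB stick (rm=true) mounted at /media/usb.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "rm": false,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
       {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": false,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/", "rm": false}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/usb", "rm": true}
     ]}
  ]
}
"""

# Mountpoints that are plaintext by design and should not be reported
# unless the caller asks for them.
BOOT_MOUNTPOINTS = ("/boot", "/boot/efi")


def _walk(nodes, under_crypt=False):
    """Yield (node, encrypted) for every node in the lsblk tree.

    `encrypted` is True once any ancestor (or the node itself) is a
    dm-crypt device, so filesystems opened from a LUKS container inherit it.
    """
    for node in nodes:
        encrypted = under_crypt or node.get("type") == "crypt"
        yield node, encrypted
        yield from _walk(node.get("children", []), encrypted)


def _is_removable(node):
    # Older util-linux emits "0"/"1" strings for RM, newer emits booleans.
    return str(node.get("rm")).lower() in ("1", "true")


def find_unencrypted_mounts(lsblk_json, include_boot=False):
    """Return a list of mounted filesystems that are not under a crypt layer.

    Each finding is a dict with name, mountpoint, fstype and removable.
    """
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []
    for node, encrypted in _walk(tree):
        mountpoint = node.get("mountpoint")
        if not mountpoint or encrypted:
            continue
        if not include_boot and mountpoint in BOOT_MOUNTPOINTS:
            continue
        findings.append({
            "name": node["name"],
            "mountpoint": mountpoint,
            "fstype": node.get("fstype"),
            "removable": _is_removable(node),
        })
    return findings


if __name__ == "__main__":
    # Use the live system when lsblk is present, otherwise the constructed sample.
    try:
        output = subprocess.run(
            ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,RM"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_LSBLK_JSON
    for finding in find_unencrypted_mounts(output):
        flag = "REMOVABLE " if finding["removable"] else ""
        print(f"{flag}unencrypted: {finding['name']} ({finding['fstype']}) at {finding['mountpoint']}")
```

Run against the constructed sample, the only finding is the removable `sdb1` at `/media/usb`; the root filesystem passes because it is opened from a LUKS container. Two caveats: `lsblk` only sees block-level encryption, so file-level or application-level encryption will still show up as a finding and needs a separate check, and a device that is not currently mounted (a thumb drive in a drawer) is invisible to a host-based check, which is why a device inventory has to complement it.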

According to the 2018 HIMSS Cybersecurity Survey, 9% of healthcare organizations report performing a cyber security risk assessment monthly and 9.6% report performing one daily.  Those figures are hard to believe, and if they are accurate they point to a large waste of resources.  Cyber security risk assessments are vital to both security and regulatory compliance, providing a holistic view of an organization's cyber security risk posture.  But the process takes time, and traditional assessments of this type require highly skilled people.  An assessment is only useful if the time between assessments is spent resolving the issues it identified.

Running a traditional, on-site risk assessment can be very expensive.  First, you hire outside auditors who, after about $40,000 and 72 hours, produce a long, dense technical report.  The next challenge is communicating what they found to upper management and getting approval to formulate a plan to address the issues revealed.  SecurityGate has developed a better process: a SaaS platform that automates the cyber security risk assessment.  It quickly gives an organization of any size a robust view of its current cyber risks.  In addition, the automatically generated Roadmap Report uses a scorecard-style view that summarizes your Top Missing Controls, your In-Progress Controls and your Successfully Implemented Controls, letting upper management understand and remediate security failures in a user-friendly and cost-effective manner.


REF

https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html

https://www.scmagazine.com/university-of-texas-md-anderson-cancer-center-was-fined-43m-for-data-breaches/article/774949/


Author Image

Author

Brent Gage

MORE POSTS BY Brent Gage

Featured Image

Next Post

GDPR and its Lack of Precise Standards


All Content Rights Reserved , SecurityGate
Captavi - SaaS CMS Platform ©