MD Anderson Fined $4.3 Million for Data Breach

MD Anderson was accused of violating HIPAA by the Office for Civil Rights (OCR) for failing to encrypt devices that held electronic protected health information (ePHI). The failure exposed the ePHI of over 33,500 people when a laptop and two thumb drives were lost in 2012-2013.

MD Anderson’s legal team made several arguments, all of which the judge rejected; the final argument was that the fines were unreasonably high compared with the fines for previous breaches. While the fine was noticeably higher than those levied for previous HIPAA violations, it is well within the amounts authorized by the law and in keeping with the current trend at the OCR. According to the 2018 Beazley Breach Briefing, the average settlement with the OCR has quadrupled over the last several years, coinciding with an increase in both cyber security resources and public and institutional understanding of the risks of poor cyber security.

The OCR investigation showed that MD Anderson had completed cyber security assessments as early as 2006 that listed the lack of mobile asset encryption as a high risk. Mobile device encryption can be expensive in both licensing costs and implementation time, and companies with limited resources must weigh return on investment for every resource-intensive decision. However, looking at the poor state of cyber security in the healthcare industry as a whole, other explanations arise.

According to the 2018 HIMSS Cyber Security Survey, 9% of healthcare organizations perform a cyber security risk assessment monthly and 9.6% perform one daily. This is unlikely, but if true it indicates a large waste of resources. Cyber security risk assessments are vital to cyber security and regulatory compliance, providing a holistic understanding of your cyber security risk posture. But the process takes time, and traditional assessments of this type require highly skilled individuals. These assessments are only useful if the time between them is used to resolve the issues identified.

Running a traditional, on-site risk assessment can be very expensive. First, you hire outside auditors who, after about $40,000 and 72 hours, produce a long, dense technical report. The next challenge is communicating this collected data to upper management and seeking approval to formulate a plan to address the issues revealed. SecurityGate has developed a better process, creating a SaaS platform to automate the cyber security risk assessment process, which quickly gives an organization of any size a robust view of its current cyber risks. In addition, the automatically generated Roadmap Report uses a score-card style view that summarizes your Top Missing Controls, your In-Progress Controls and your Successfully Implemented Controls. It allows upper management to understand and remediate security failures in an extremely user-friendly and cost-effective manner.

References:

https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html

https://www.scmagazine.com/university-of-texas-md-anderson-cancer-center-was-fined-43m-for-data-breaches/article/774949/