HIPAA breach penalties reach 4.3 million



The MD Anderson Cancer Center has been cited for leaving its devices unencrypted.

The lack of device encryption will cost a Texas-based cancer treatment center 4.3 million dollars in penalties imposed by the Department of Health and Human Services (HHS).

In a statement released on Monday, the HHS Office for Civil Rights said an HHS administrative law judge had issued a summary judgment ruling that the University of Texas MD Anderson Cancer Center violated the information security and privacy standards established by HIPAA. The International Institute of Cyber Security notes that HIPAA obliges healthcare organizations to keep patient information private.

The judge upheld the penalty, imposing a fine of 4.3 million dollars following the agency’s investigations into three incidents involving unencrypted devices.

In a statement provided to Information Security Media Group, the MD Anderson Cancer Center said it plans to appeal the ruling.

“We are disappointed by the judge’s decision, and we are concerned that the evidence and key arguments have not been considered. MD Anderson is planning to appeal the decision, which will result in a full review of all arguments and evidence. Regardless of the decision, we hope that this process will provide transparency, responsibility and consistency to the process of compliance with the Civil Rights Office.”

A rare ruling

This ruling is only the second summary judgment in the history of HIPAA enforcement. The monetary penalty is the fourth largest ever imposed on behalf of the Office for Civil Rights by an administrative law judge, the OCR notes.

Breach Investigations

The Office for Civil Rights says it investigated MD Anderson after three separate breach reports in 2012 and 2013. One involved the theft of an unencrypted laptop from the residence of an MD Anderson employee; the other two involved the loss of unencrypted USB devices containing the unencrypted electronic health information of more than 33,500 people.

“The investigation found that MD Anderson had established encryption policies since 2006, and that MD Anderson’s own risk analyses had found that lack of device-level encryption posed a high risk for the receipt of information,” says the Office for Civil Rights in a statement.

“Despite encryption policies and the findings of security failures, MD Anderson did not begin to adopt a solution in information security training to implement encryption until 2011, and even then, did not encrypt its inventory of electronic devices,” adds the statement.

“The Office of Civil Rights is serious about protecting the privacy of health information and will pursue litigation, if necessary, to make entities responsible for HIPAA-compliant failures,” says OCR Director Roger Severino.

MD Anderson argued that the penalties are an inappropriate measure, further stating that “substantial measures are being taken to ensure the patient’s private information. In the three cases involving the loss or theft of the devices reviewed by the administrative authority, no evidence was found that the information was seen by third parties or any harm was caused to the patients.”

A lesson for all

What can other businesses and organizations learn about information security from the MD Anderson case?

According to information security specialists, this is another example of how taking an antagonistic approach to an Office for Civil Rights compliance review is a losing bet. MD Anderson had several opportunities to cooperate voluntarily with the regulators to establish security and data protection controls; instead, it chose to spend money on expensive lawyers to defend itself against the consequences of those failures.