Cybercrime is rising in the healthcare industry, and so are the penalties for HIPAA violations. HIPAA’s early history is known for its surprising leniency: more than 33,000 privacy complaints between 2003 and 2008 resulted in no fines at all. But since the passing of the HITECH Act of 2009 and the HITECH-HIPAA Omnibus Rule of 2013, HIPAA’s adult teeth have come in. Six- and seven-figure settlements continue to turn heads, and sometimes leave devastation in their wake.
HIPAA’s Assertive New Look
Advocate Health Care Network, Illinois’s largest hospital chain, recently agreed to a record $5.5 million settlement for three breaches reported in 2013. After several years of gathering and sifting through evidence, the official report from the Office for Civil Rights (OCR) investigation cites the “extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances)” as the basis for the fee – a staggering $700,000 more than the $4.8 million New York-Presbyterian and Columbia University (New York City) settlement of 2014.
When assessing your organization’s risk management posture, it’s worth asking what is fueling steeper HIPAA penalties: is it high-profile data breaches hitting the news with greater frequency, or lower tolerance from standards and compliance enforcement? This statement from OCR Director Jocelyn Samuels on the Advocate settlement suggests the latter, or possibly both:
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI (electronic Protected Health Information) is secure,” Samuels said. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
It’s an unsettling warning, but it’s neither surprising nor excessive. Healthcare groups have continued to struggle with frequent network breaches, and because each investigation takes several years to conduct, the raised penalties from the 2013 HITECH Omnibus revisions are only now coming to the fore. This raises the question of whether IT budgets are setting aside funds for future HIPAA penalties.
Enterprise Mobility: Achilles Heel for Healthcare InfoSec
For years the healthcare industry has endured ePHI leaks from lost or stolen mobile devices and laptops that lacked appropriate encryption. Today, BYOD devices account for more healthcare access points than ever: the GSMA Mobile Economy Report of 2016 found that 75% of smartphones and tablets shipped in the second quarter of this year were targeted for workplace use and anticipates that mobile broadband will account for 92% of the world’s connections by 2020, while Gartner predicts that roughly half the world’s companies will shift to BYOD-only policies by 2017.
If these predictions materialize, enterprises will find themselves in a labyrinth of mobile IT complexity that is difficult to monitor and manage, and healthcare organizations in particular will face more unsecured endpoints capable of accessing – and leaking – ePHI than ever before. Healthcare productivity applications will run alongside employees’ personal lifestyle applications on the same device – and that’s a problem. According to Gartner, more than 75% of mobile applications fail the most basic security tests, and this article from Securelist documents mobile malware’s alarming growth rate in 2015, detecting nearly 3 million malicious installations over the course of 12 months. This malware does everything from stealing banking information to installing Trojans such as ransomware and running phishing schemes. Imagine malware probing in the background of a device that also holds healthcare applications, and it becomes clear why HIPAA regulations (summed up for mobility requirements here) are designed to be so thorough, with penalties so steep.
How can healthcare organizations deal with mobile endpoint sprawl and remain compliant?
BYOD devices typically allow all the personal apps users care to download, and the risk of malware those apps carry highlights the need for a device-level layer of protection around enterprise apps. The transfer of data between enterprise apps and the enterprise network must be protected with appropriate encryption and monitoring as well. Some organizations use VPNs (Virtual Private Networks) to secure the data and the connection, but VPNs come with high resource utilization, restricted functionality, and added cost per connection – all of which subtract greatly from the bottom-line benefits that mobility offered your enterprise in the first place.
SyncDog’s SentinelSecure™ avoids these inherent VPN burdens: it is a software-only mobile security solution that employs a FIPS 140-2 certified* “wrapper” to secure enterprise applications on mobile devices, and AES 256-bit encryption to secure data transferred between devices and their enterprise networks. Healthcare organizations will find military-grade, HIPAA-compliant security in SentinelSecure™, with complete mobile monitoring and the following benefits:
- Segmented, containerized workspace for a wide range of app capabilities including Office Suite, Office 365, Gmail, File Manager, Secure Texting, Dropbox, File Sync, SharePoint, Instant Messaging, Camera, and a host of others. See the full list here.
- FIPS 140-2 certified,* AES 256-bit encryption for data both at rest and in transit
- Flexible mobility architecture with capability to monitor IoT connections
- Event log management for security correlation and an audit trail for compliance
- Extensive third-party mobility monitoring that includes ActiveSync, BlackBerry/Good Technology (Good Secure), and others
- Lightweight API for fast integration with any name-brand EMM or MDM, including certified integration with MobileIron, Notify Technology, Inc., and Snow Software.
There can be no doubt that hackers will take advantage of newly implemented technologies like enterprise mobility to access the data you and your customers value most. And standards enforcement is certain to add another layer of financial woe and PR nightmares should you be found out of compliance. You can protect your organization now from the insecurities inherent in this still-nascent stage of mobility, but only if the right tools are in place.
*FIPS 140-2 Certificate #2687 | See listing on NIST.gov.
Chris Kanaracus, “Half of companies will require BYOD by 2017, Gartner says,” PCWorld, May 1, 2013, http://www.pcworld.com/article/2036980/half-of-companies-will-require-byod-by-2017-gartner-says.html