Unsecured Server Results in $75k HHS Settlement

Press Release from BlueOrange Compliance

Recently HHS released a statement saying it had settled, for $75,000, an investigation into an organization's reported unauthorized exfiltration of PHI from an unsecured server. The organization is a business associate (BA) that offers "coding, billing and onsite information technology services to health care providers."

Many health care organizations engage BAs for exactly these services. A BA's breach is, in some ways, outside your control, but there are things you and your organization can do to limit the risk of third-party breaches. Here are some NIST-based steps you can take to mitigate the risk:

  • Before executing a Business Associate Agreement (BAA) and granting a third party access, dive deep into its security practices:
    • Send a vendor questionnaire that asks direct and specific questions about the BA's security practices and configurations
    • Follow up annually (or on another regular schedule) with the same questionnaire to confirm the security practices are still being maintained
    • An important note: if a prospective BA answers the initial questionnaire unsatisfactorily, your organization must be prepared not to move forward with that BA. Likewise, if a follow-up shows the BA is not keeping up the expected security practices, the organization must be prepared to stop using the BA's services
  • Apply the principle of least privilege
    • Ensure that the BA receives only the data that is absolutely necessary and nothing more
  • Create a process for information system connectivity
    • All external connections to your systems should go through an approval process and be documented
    • Keep and maintain an inventory of all external connections
    • Review this inventory regularly
      • When reviewing the external connections inventory, look for:
        • Any connection that did not go through the approval process; investigate how, why and when it received access
        • Any connection that is no longer needed, and remove it
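One way to make that last review step repeatable is to reconcile the approved inventory against what the perimeter actually saw. The script below is an added example for this page, not code from BlueOrange Compliance or from the press release: the inventory entries, the IP addresses and the firewall log format (a made-up `ACCEPT src=... dport=...` line) are all constructed, and the 90-day staleness threshold is an assumed policy value. It flags connections that appear in the log but not in the inventory (never approved) and inventory entries that have not been used within the threshold (candidates for removal).

```python
"""Reconcile an external-connection inventory against observed traffic.

All names, addresses and log lines below are constructed sample data for this
example; the log format is a made-up firewall ACCEPT line, not any vendor's.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (remote peer address, destination port on our side)


@dataclass(frozen=True)
class ApprovedConnection:
    peer: str          # remote address the BA connects from
    port: int          # service port on our side
    owner: str         # which BA / approver the connection belongs to
    approved_on: date


# Hypothetical approved inventory: the documented, approved external connections.
INVENTORY: List[ApprovedConnection] = [
    ApprovedConnection("203.0.113.10", 22, "billing-BA", date(2024, 1, 15)),
    ApprovedConnection("203.0.113.20", 443, "coding-BA", date(2023, 11, 2)),
    ApprovedConnection("198.51.100.5", 3389, "it-services-BA", date(2022, 6, 30)),
]

# Constructed firewall log: one ACCEPT line per inbound connection that was allowed.
FIREWALL_LOG = """\
2024-06-01 ACCEPT src=203.0.113.10 dport=22
2024-06-03 ACCEPT src=203.0.113.20 dport=443
2024-06-03 ACCEPT src=192.0.2.77 dport=22
2024-06-04 ACCEPT src=203.0.113.10 dport=22
"""

# Date the review is being run (assumed for the example).
REVIEW_DATE = date(2024, 6, 30)

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ACCEPT src=(\S+) dport=(\d+)$")


def parse_log(text: str) -> Dict[Key, date]:
    """Return the most recent date each (peer, port) pair was seen in the log."""
    last_seen: Dict[Key, date] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ACCEPT record
        when = date.fromisoformat(m.group(1))
        key = (m.group(2), int(m.group(3)))
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def review(inventory: List[ApprovedConnection], last_seen: Dict[Key, date],
           today: date, stale_after_days: int = 90) -> Tuple[List[Key], List[Key]]:
    """Return (unapproved, stale).

    unapproved: seen at the perimeter but absent from the approved inventory.
    stale:      in the inventory but never seen, or unused for stale_after_days.
    """
    approved = {(c.peer, c.port): c for c in inventory}
    unapproved = sorted(k for k in last_seen if k not in approved)
    stale = sorted(
        k for k in approved
        if k not in last_seen or (today - last_seen[k]).days > stale_after_days
    )
    return unapproved, stale


if __name__ == "__main__":
    seen = parse_log(FIREWALL_LOG)
    unapproved, stale = review(INVENTORY, seen, REVIEW_DATE)
    for peer, port in unapproved:
        print(f"UNAPPROVED {peer}:{port} (last seen {seen[(peer, port)]}): "
              "investigate how, why and when it got access")
    for peer, port in stale:
        last = seen.get((peer, port), "never")
        print(f"STALE {peer}:{port} (last seen {last}): confirm still needed or remove")
```

On the sample data the review reports 192.0.2.77:22 as unapproved (it was allowed through but is not in the inventory) and 198.51.100.5:3389 as stale (approved in 2022, never seen in the log). In practice the log input would come from the firewall or VPN concentrator export and the inventory from wherever the approval records are kept; the reconciliation logic stays the same.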

Allowing BAs access to your organization's sensitive data is always a risk. However, the above steps will help keep BAs accountable and mitigate some of that risk.
