Lessons from the UMass Resolution Agreement

The University of Massachusetts Amherst (UMass) is the latest healthcare organization to agree to a settlement and resolution agreement related to potential violations of the HIPAA Privacy and Security regulations. UMass has agreed to pay a fine of $650,000 and to abide by a two-year corrective action plan. You can read the resolution and action plan here.

What Happened?

In June 2013, UMass reported to the Office for Civil Rights (OCR) of the Department of Health and Human Services that a malware program had infected a workstation in its Center for Language, Speech, and Hearing, resulting in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals. The compromised data included:

  • Names
  • Addresses
  • Social security numbers
  • Dates of birth
  • Health insurance information
  • Diagnoses and procedure codes.

According to UMass, the malware was a generic remote access Trojan that provided impermissible access to ePHI because UMass did not have a firewall in place.

Here are four key takeaways from the UMass breach:

1. Get Your hybrid on. Correctly. The HIPAA rules allow for the creation of what are called hybrid organizations. A “hybrid” is a legal designation that allows an organization to split its functions into two parts: one that is considered a covered entity, and one that engages only in “non-covered” functions and is not a covered entity. It can make sense for some organizations to hybridize in order to relieve the non-covered part of the organization of the burden of regulatory requirements. Hybridizing is quite common, especially among academic medical centers like UMass. However, according to the resolution agreement, UMass failed to identify all the departments within the organization that engaged in HIPAA transactions and that therefore belonged in the covered-entity component.

Solution: If you are a hybrid, make sure you have included all of your components, departments and functions that are covered by the HIPAA rules when specifying and designating the hybrid covered entity.

2. Install And Enable Your Friggin’ Firewall. This is at least the second resolution agreement related to a firewall failure. In 2013, the University of Idaho had to pay $400,000 and agree to a corrective action plan due to a breach of over 17,000 records caused by the disabling of a firewall at one of its clinics. The firewall was disabled for at least 10 months, allowing nearly unfettered access to the servers at the clinic.

Solution: Install and enable a network firewall or firewalls at the organization. In addition, make sure each firewall is configured with the appropriate security settings; for example, make sure that the default username and password are changed. Most firewall vendors, such as SonicWall and Cisco, publish configuration guides to help ensure that the settings are appropriate and secure. Make sure that the firewalls are configured to protect, at the edge of the network, every asset that stores ePHI.

3. Conduct a comprehensive risk analysis. The HIPAA regulations require organizations to discover and document “potential risks and vulnerabilities to the confidentiality, integrity and availability” of ePHI. Every resolution agreement with the OCR lists the failure to conduct a risk analysis as part of the “conduct” that leads to a fine. Not knowing is not an acceptable excuse. Covered entities are required to know. And the lack of a firewall is such a basic failure that even a perfunctory risk analysis would have uncovered the problem.

Solution: Conduct a comprehensive risk analysis. The risk analysis should include an inventory of all IT assets that view, process, transmit or store ePHI. Seriously, it’s important.
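As an added illustration (not from the post, UMass, or any firewall vendor), here is a small Python audit that ties the two solutions above together: it checks a constructed ePHI asset inventory against a constructed, first-match edge firewall rule set and reports any ePHI asset that is left uncovered or reachable from any source. All addresses, asset names and rules are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int] = None   # None means any port


# Constructed sample inventory of assets that store ePHI (hypothetical addresses).
EPHI_ASSETS = {
    "ehr-database": "10.20.1.10",
    "billing-server": "10.20.1.20",
    "clinic-workstation": "10.30.5.7",
}

# Constructed sample edge rule set, evaluated first-match, top to bottom.
EDGE_RULES = [
    Rule("allow", "10.20.0.0/16", "10.20.1.10/32", 5432),  # app tier -> database only
    Rule("allow", "0.0.0.0/0", "10.30.5.7/32"),            # anyone -> workstation (misconfiguration)
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),                # trailing default deny
]


def matching_rules(ip, rules):
    """Return the rules whose destination covers the given address, in rule order."""
    addr = ip_address(ip)
    return [r for r in rules if addr in ip_network(r.dst)]


def audit(assets, rules):
    """Return a list of findings; an empty list means every ePHI asset is covered."""
    findings = []
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny"
            or ip_network(last.src).prefixlen != 0 or ip_network(last.dst).prefixlen != 0):
        findings.append("rule set lacks a trailing default-deny rule")
    for name, ip in assets.items():
        matches = matching_rules(ip, rules)
        if not matches:
            findings.append(f"{name} ({ip}): no rule covers this asset")
            continue
        first = matches[0]  # first match decides the packet's fate
        if first.action == "allow" and ip_network(first.src).prefixlen == 0:
            port = first.port if first.port is not None else "any"
            findings.append(f"{name} ({ip}): reachable from any source on port {port}")
    return findings
```

Running `audit(EPHI_ASSETS, EDGE_RULES)` flags only the clinic workstation; dropping the default-deny rule makes every asset without an explicit rule show up as uncovered.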

4. Your risk analysis should include a vulnerability scan at a minimum or, even better, a penetration test. The breach at UMass was caused by a malware infection. One of the procedures that entities need to implement to help prevent this kind of infection is periodic vulnerability scanning. Vulnerability scans can search the computers on a network for malware, viruses, misconfigurations, and other problems that can lead to a compromised network. Organizations should put vulnerability management procedures in place to remediate and mitigate problems discovered by scans. Scans can produce many false positives, so the procedures should include methods for separating the high-risk vulnerabilities from the low-risk ones. Penetration testing should also be strongly considered. One of the key goals of penetration testing is to identify the degree to which identified vulnerabilities can actually be exploited. You can read more about vulnerability scanning and pen testing here.

Solution: Implement a vulnerability management plan and consider conducting a penetration test to test the strength of your network and find hidden weaknesses.
