In the healthcare industry, securing patients’ electronic Protected Health Information (ePHI) is paramount for HIPAA compliance. Nothing hammers this home quite as much as the real-world consequences that organizations face for even inadvertent lapses in data protection, as demonstrated by the $4.8 million settlement New York-Presbyterian Hospital and Columbia University just paid the government.
As reported on the Wall Street Journal’s CIO Journal, the $4.8 million settlement is the largest HIPAA settlement paid to date and the result of the “accidental exposure of 6,800 patient records.” A physician at Columbia University had been using a personally owned server, connected to the shared hospital network, to store patient information. When the physician attempted to deactivate the server, the records it held became reachable from the public Internet, to the point that patient data could be found through ordinary search engines.
Since New York-Presbyterian Hospital and Columbia University share their data network for research purposes, both organizations were implicated during the four-year investigation. The WSJ reports that New York-Presbyterian paid the Office for Civil Rights (OCR) $3.3 million; Columbia University ponied up $1.5 million. That’s very costly fallout for the seemingly innocuous decision to use a personal server on the hospital network.
Why Data Discovery Matters
What this incident shows is the importance of data discovery when it comes to HIPAA compliance. HIPAA demands that ePHI be protected, and you can’t fully protect data if you aren’t aware of every place it resides and every path by which it could leak. Apparently neither Columbia University nor New York-Presbyterian was aware that a personally owned server on their shared network was accessing and storing ePHI. A system that isn’t in the inventory can’t be covered by a risk analysis, access controls, or a safe decommissioning procedure, so neither entity was able to put the proper protections in place to secure the data. They fell out of HIPAA compliance, and when that failure was discovered, they paid the price.
The WSJ reports that the OCR has “logged close to 1,000 breach reports involving medical records of 500 or more persons.” Make sure your organization avoids a similar fate. The consequences—not just in terms of monetary penalties, but in terms of damage to your reputation and your patients’ trust—can be catastrophic.
How can your organization avoid a similar fate? Data discovery is key. You must know where your data resides and where it might flow before you can apply comprehensive protections to ensure HIPAA compliance. That includes systems nobody formally provisioned, like the personal server in this case; a discovery process that only covers known, managed assets would have missed it.
This is especially critical in the cloud, where you must be proactive in scanning stored data in all locations to prevent HIPAA compliance violations. Whichever cloud data protection solution you choose, make sure you’re starting from a base of total visibility so that you can exercise real control over your HIPAA compliance efforts.
How has data discovery helped your organization strengthen its HIPAA compliance strategy? Tell us your thoughts in the comments.