HIPAA violation survival techniques 101

Jul 08, 2011 | 8 mins
Data and Information Security

The story of UCLA Medical Center’s HIPAA violations reminds me of an interview I did awhile back with the CSO of another medical institution with its own HIPAA baggage.

Since the interview, Providence Health CSO Eric Cowperthwaite has become a good friend. He shares his cigars with me at security cons and puts up with my constant needling. Just the kind of thing you would expect from an elder statesman.

Ribbing aside, the man has taught me a lot about the ups and downs of security compliance in the healthcare industry.

For the folks at UCLA Medical Center and others who may face a regulatory punch in the face at some point, the Cowperthwaite interview is as useful a survival guide as it was in 2008. So here it is, rerun in its entirety.


First, a review of the UCLA Medical Center story, as told by my colleague, Jaikumar Vijayan:

This week, HHS announced that the University of California at Los Angeles Health System has agreed to pay an $865,000 fine and commit to a multi-year corrective action plan to settle potential HIPAA violations.

The corrective plan requires the hospital to implement HHS-approved security and privacy procedures, as well as to conduct “regular and robust” training of all UCLA health system employees that use protected health information. The plan requires the hospital to sanction employees who violate rules and to appoint an independent assessor to audit compliance with the requirements over a three-year period.

The size of the fine is likely to be a drop in the bucket for UCLA, analysts said. Even so, it sends an important message, they said. “This is new behavior on the part of HHS and it stems from the new enforcement imperatives Congress put into HITECH because the feds had such an abysmal enforcement record,” said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

“This is HHS finally starting to protect citizens” from privacy violations by healthcare entities, she said. “Nearly a decade of no enforcement at all convinced the health care and health IT industries that there was no point in investing in state-of-the-art security.”

Today’s settlement follows an investigation by HHS’s Office of Civil Rights into complaints by two unidentified celebrity patients that UCLA hospital staff had inappropriately accessed their electronic protected health information.

Now, the Cowperthwaite interview:

CSO: Let’s start with a description, from your perspective, of what happened.

Eric Cowperthwaite: There’s a fair amount of information publicly available, but other than that we’re being pretty cautious about what we’re willing to talk about [due to ongoing legal issues].

Do you feel the agreement with HHS is fair toward Providence Health?

Cowperthwaite: The agreement includes a corrective action plan that, in my opinion, recognizes that we have an ongoing security program that has been focused on improving and strengthening our security capabilities and our ability to protect patient information. The fact that HHS didn’t require us to have third-party oversight as we developed and implemented the plan is significant. With agreements like this you often see that sort of oversight included. I think it shows that HHS recognizes our focus to improve security.

What are the main problems your action plan seeks to address?

Cowperthwaite: Areas of significant risk include the mobility of data, the data access internal employees have and making sure it is appropriate based on their role, and having the ability to detect and react to an incident in a timely manner. These are among the main components of the corrective action plan.

Let’s look at this from the patient’s perspective. When they use your online system, is there anything they will notice in the user experience that’s a direct result of the security improvements you’ve put in place?

Cowperthwaite: There is no change to the user experience. The changes are really behind the scenes. In our security program one thing you see is the need to know who has access to health information and whether they should have that access. We have to know who has access to the patient’s data. If there’s an improper use of data it’s our responsibility to determine how it happened so it doesn’t happen in the future.

Which vendors have you brought in to help with the security improvements?

Cowperthwaite: I don’t want to specifically say which vendors are related to the HHS complaints. I can tell you which vendors we’ve engaged in the last few months as part of the security program.

OK …

Cowperthwaite: There are four fairly significant vendors we brought in: EDS was engaged to help us develop the current security strategy we’re working from. They helped us build a three-year strategic plan and an overarching security strategy. Verizon Business Services is our managed security services provider. They manage and monitor all of our firewalls and intrusion prevention systems. We feel these are commodity items and we would rather source that to a services provider than try to maintain a security operations staff that has to run 24-7. We reduced expenses and got consistent operation around these devices.

GuardianEdge Technologies provides all of our endpoint and mobile device encryption capabilities for laptops, thumb drives, removable CDs, DVDs, removable USB hard drives, all those sorts of things; and six months ago we entered into a relationship with Symantec over the Vontu data loss prevention tools.

This is all part of the long-term strategic plan we’re working from to first address the low-hanging-fruit security issues and work toward continuous improvements.

Are there any changes you made on the cultural side to address the problems that were there? For example, are there any new policies related to how employees may or may not handle e-mails?

Cowperthwaite: Communication, training and awareness is a significant component of our strategy. In the past we had these things but didn’t feel they were as robust as we wanted them to be. I’ve always had a good relationship with our communications department. That’s been the case since I got here in May 2006. They’ve really helped me to strengthen communication with employees. Employees also go through mandatory training called “Security and Your Job,” which focuses on how they individually can take action to improve security, and we have an awareness component where we visit different locations and help people address specific concerns, like how to defend against phishing.

Talk a bit about the level of support you’ve had from upper management. Has it been adequate?

Cowperthwaite: I can tell you that the interest, support and awareness at the most senior levels are definitely there, at least since the day I arrived [in 2006]. I have regular one-on-one meetings with the CEO and members of the executive council that report to him, and I work closely with general counsel, the chief risk officer, etc. It really makes a difference.

Give an example of the difference that is made.

Cowperthwaite: A good example is when you have a new significant risk to the company, the theft of and malicious use of data, for instance. Having support from the senior execs means you can elevate the visibility of that risk to the appropriate level without being stuck in the position where you have to bring it to a mid-level manager who can’t do anything about it anyway.

If you are the CSO of an organization and a regulatory agency comes along and tells you the company is out of compliance, what is the right or wrong way to respond?

Cowperthwaite: If a regulatory agency shows up on your doorstep and suggests you are out of compliance with HIPAA, PCI or some other item, treat it like any other security incident. You should automatically activate your crisis management team, which should include general counsel, human relations, public affairs, etc. Typically the agency serves you with a formal letter or subpoena, depending on the scenario. That represents a crisis for the company.

You then need to determine whether the complaints are right or wrong. Either way you need to go into a response mode and be prepared, in conjunction with your attorneys, to work with the regulators and not fight them. Unless you have something really bad, like with Enron, the regulators are not setting out to do you in. Your best bet is to be as cooperative as possible so you don’t have to resort to court action.

–Bill Brenner
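The access review Cowperthwaite describes in the interview above (knowing who has access to patient data, whether their role justifies that access, and being able to reconstruct an improper use afterwards) is the kind of check that can be run routinely over an audit log, and it is also the control that would have surfaced the kind of staff snooping in the UCLA case. The script below is an added example written for this page; it is not code from the interview, from Providence Health or from any vendor named here. The log line format, the role policy, the care-team table and every username and patient identifier are constructed for illustration.

```python
"""Review EHR access events against a role policy and a treatment-relationship table.

Two questions are asked of every event: is this user's role allowed to read this
section of the record at all, and does the user have a documented care or billing
relationship with this patient? Either failure is a finding for a privacy officer to
investigate. All data below is constructed sample data (hypothetical names and IDs).
"""
from dataclasses import dataclass

# Constructed: who is on each patient's care/billing team (the "treatment relationship").
CARE_TEAM = {
    "P-1001": {"dr.lee", "rn.patel"},
    "P-1002": {"dr.lee", "rn.gomez", "billing.ortiz"},
}

# Constructed role policy: which record sections each role may read.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical_notes", "labs"},
    "nurse": {"demographics", "clinical_notes", "labs"},
    "billing": {"demographics", "billing"},
    "it_admin": set(),  # administers the system but should never read patient records
}

# Constructed directory mapping users to roles.
USER_ROLES = {
    "dr.lee": "physician",
    "rn.patel": "nurse",
    "rn.gomez": "nurse",
    "billing.ortiz": "billing",
    "sysadmin.kim": "it_admin",
}

# Constructed audit log: one access event per line, key=value fields after a timestamp.
SAMPLE_LOG = """\
2011-07-01T08:15:02Z user=dr.lee patient=P-1001 section=clinical_notes action=read
2011-07-01T08:16:40Z user=rn.patel patient=P-1001 section=labs action=read
2011-07-01T09:02:11Z user=billing.ortiz patient=P-1002 section=clinical_notes action=read
2011-07-01T11:45:09Z user=rn.gomez patient=P-1001 section=clinical_notes action=read
2011-07-01T23:10:33Z user=sysadmin.kim patient=P-1002 section=demographics action=read
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    section: str
    action: str


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line into an AccessEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(ts, kv["user"], kv["patient"], kv["section"], kv["action"])


def review_event(ev: AccessEvent) -> list[str]:
    """Return the reasons an access looks improper; an empty list means it passed both checks."""
    reasons = []
    role = USER_ROLES.get(ev.user)
    if role is None:
        return ["user not in directory"]
    # Check 1: role-based entitlement to the record section.
    if ev.section not in ROLE_PERMISSIONS[role]:
        reasons.append(f"role '{role}' is not permitted to read '{ev.section}'")
    # Check 2: treatment/billing relationship with this specific patient.
    if ev.user not in CARE_TEAM.get(ev.patient, set()):
        reasons.append("no documented care or billing relationship with patient")
    return reasons


def review_log(text: str) -> list[tuple[AccessEvent, list[str]]]:
    """Run both checks over every line of the log and collect the events that failed."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = review_event(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in review_log(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} -> {ev.patient}/{ev.section}: " + "; ".join(reasons))
```

On the sample log the two clinicians reading their own patients' records pass, while the billing clerk reading clinical notes, the nurse with no relationship to the patient, and the system administrator reading any patient record are each flagged with the specific reason. In a real deployment the care-team table would be derived from scheduling, admission and billing systems rather than hard-coded, and the findings would feed a ticketing or SIEM workflow so that the "detect and react in a timely manner" goal from the corrective action plan has an owner.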
