Assignment 4
Assessing risks within the organization
The purpose of this exercise is for you to think extensively about the identification and management of risk.
You are the CISO (Chief Information Security Officer) responsible for several hospitals, and you need to think through the risks you should consider when assessing the information security, privacy, and overall risk of your healthcare entity.
Read the following case study and answer the questions below.
OCR Concludes All-Time Record Year for HIPAA Enforcement with $3 Million Cottage Health Settlement
The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) concluded an all-time record year in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. In 2018, OCR settled 10 cases and was granted summary judgment in a case before an Administrative Law Judge, together totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.
OCR's final settlement of the year occurred in December 2018, when Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital, in California. OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015.
The first breach arose when ePHI on a Cottage Health server was accessible from the Internet. OCR's investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results, and other treatment information were available to anyone with access to Cottage Health's server. The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the Internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information.
OCR's investigation revealed that Cottage Health failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.
"Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action," said OCR Director Roger Severino. "The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation when a covered entity makes system changes."
In addition to the $3 million settlement, Cottage will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at: Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million.
[Source: OCR Concludes All-Time Record Year for HIPAA Enforcement with $3 Million Cottage Health Settlement]
Cottage Health is a health care entity that operates several hospitals in California.
1. List what you consider the top 5 highest risks for Cottage Health, starting with the greatest risk as #1, then #2, etc. (Read #2 below before starting #1.)
Explain your reasoning and logic in the selection and order of the risks you selected. Be specific in relating your risks to the health care entity in the case study.
IMPORTANT: The case study outlines areas of deficiencies in the protection/handling of PHI (Protected Health Information). Your selection of risk items should not be limited to the information in the case study.
2. While working on your list of the top 5 risks for Cottage Health, list all the items you took into consideration for answering the first part of the assignment. The list does not have to be in any particular order or format.
It should include all those things that you as a CISO (Chief Information Security Officer) responsible for several hospitals should be considering when looking at the information security, privacy, and overall risk.
EXAMPLE: Critical patient care, access to patient records, resilient network and Internet connection, etc.