{"id":1923,"date":"2012-05-22T00:00:00","date_gmt":"2012-05-22T00:00:00","guid":{"rendered":"http:\/\/otava.test\/in-the-wake-of-a-healthcare-data-breach\/"},"modified":"2012-05-22T00:00:00","modified_gmt":"2012-05-22T00:00:00","slug":"in-the-wake-of-a-healthcare-data-breach","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/in-the-wake-of-a-healthcare-data-breach\/","title":{"rendered":"In the Wake of a Healthcare Data Breach"},"content":{"rendered":"

We hear all about what went wrong when a (typically unencrypted) HIPAA violation<\/a> occurs – who left what mobile device where – what data was made publicly available, who\u2019s to blame. But what\u2019s more important is remediation, and how someone or some organization chooses to react after the event in order to prevent future incidents.<\/p>\n

HealthCareInfoSecurity.com reports on the recent Utah Department of Health breach in which foreign hackers were able to access and remove 24,000 files of electronic protected health information (ePHI) on a server due to a configuration error [read more about\u00a0Server Hack Leads to HIPAA Violation by Utah Department of Health<\/a>]. Utah Gov. Gary Herbert recently announced his action plan toward security and compliance:<\/p>\n

    \n
  1. Replaced the state\u2019s chief technology officer<\/li>\n
  2. Hired Deloitte & Touche to conduct an independent security audit (also known as an independent HIPAA audit<\/a>) across all of the state agencies<\/li>\n
  3. Encryption of not just data in transit, but all stored data<\/li>\n
  4. Plans to hire a public relations firm to help handle crisis communications<\/li>\n
  5. Improvement of security controls, including network monitoring and intrusion detection capabilities<\/li>\n
  6. Created a new position – a health data security ombudsman (may also be known as a privacy and security officer) to deal with affected individuals<\/li>\n<\/ol>\n

    The Office of the National Coordinator for Health Information Technology (ONC) recently revealed a ten-step plan for healthcare organizations to follow in order to protect PHI – the second step requires compliance-minded companies to:<\/p>\n

    Step #2 – Provide Leadership<\/strong><\/em>
    \nDesignate a privacy and security officer. This person will be responsible for developing and maintaining your privacy and security practices to meet HIPAA requirements. This person should be part of your EHR adoption team and be able to work effectively with others. In a very small practice, you may be the privacy and security officer or your practice manager may carry both roles. Be sure to:<\/em><\/p>\n