We recently used Presbyterian Health Services' potential breach of electronic protected health information (ePHI) as a case study in why employee behavior and training are key elements of security and compliance. Not even a month later, and here we go again. Last week, Grays Harbor Community Hospital in Aberdeen, WA issued a formal notice of a potential electronic protected health information (ePHI) breach. Like Presbyterian Health Services, this potential breach was the result of a phishing email. In this case, the attackers initiated a ransomware attack, holding the organization's medical records hostage and demanding a $1 million ransom to release the key needed to decrypt the data. Grays Harbor seemed to have done everything right to prepare for this type of incident. They have an IT department, an anti-virus solution, and data backups, and they even took out a $1 million cyber insurance policy. Even though they seem to have followed the playbook, there are some lessons to be learned from this incident.
On June 6, 2019, Presbyterian Health Services, a health care system and health care provider in New Mexico, discovered a potential breach of electronic protected health information (ePHI). You might assume that a hacker breached their firewall or snuck into their network undetected. That was not the case. The breach occurred because well-intentioned employees fell victim to a phishing email.
When you think of email from a business standpoint, you think of company announcements, junk mail, co-worker problem solving, and reminders that it's Jane's birthday. It is easy to get caught up in the flow of the business and overlook the full functions of this tool that you use every day. This is even more true in health care, because the focus tends to lean more toward patient satisfaction than toward the technical aspects in the background. This is why email often gets overlooked when it comes to HIPAA compliance.
The short answer: it depends. The Health Insurance Portability and Accountability Act (HIPAA) is about more than just the tools you use; it is also about how you use them. While some applications may never be HIPAA compliant, others that offer compliant features can still get you in trouble if your equipment is not physically secure, or if your employees are not trained to use the tools in a compliant way (for example, walking away from a workstation without signing off, or sharing passwords). At a minimum, HIPAA compliance requires that you use the Pro version of Windows, as Home versions do not offer the functionality required for HIPAA compliance. Additionally, your operating system must be currently supported by the software vendor. Any version of Windows prior to Windows 7 is not compliant, and Windows 7 will not be compliant after the Windows 7 end-of-life date on January 14, 2020. This article focuses on Windows 10 because other versions have reached or will soon reach end-of-life.
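The edition and support-status requirements above are easy to check in bulk. The following PowerShell function is an added example, not code from the original post or its author: it reads the installed Windows edition and version, flags Home editions, flags anything older than Windows 7, and counts down to (or reports) the Windows 7 end-of-life date the text gives. It assumes Windows with PowerShell 3.0 or later and uses only the documented `Win32_OperatingSystem` CIM class and the `EditionID` registry value; the function name and its output fields are my own.

```powershell
# Added example (not from the original post): report workstations whose Windows
# edition or support status falls short of the minimum described in the text.
# Assumes Windows with PowerShell 3.0+; run locally or fan out with Invoke-Command.

function Test-WindowsHipaaBaseline {
    [CmdletBinding()]
    param(
        # Windows 7 end-of-life date as stated in the text.
        [datetime]$Windows7EndOfLife = [datetime]'2020-01-14',
        # Injectable "today" so the countdown can be checked against a fixed date.
        [datetime]$Today = (Get-Date)
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # EditionID is a documented registry value: "Core" means Home, "Professional" means Pro.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    # Version looks like 10.0.18362 on Windows 10 and 6.1.7601 on Windows 7.
    $version = [version]$os.Version

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Home editions lack the features the text says HIPAA compliance needs.
    if ($edition -match '^Core' -or $os.Caption -match 'Home') {
        $findings.Add("Home edition detected ($($os.Caption)); Pro or higher is required.")
    }

    # 2. Anything older than Windows 7 (NT 6.1) is already unsupported and never compliant.
    if ($version -lt [version]'6.1') {
        $findings.Add("Unsupported OS ($($os.Caption), $version); pre-Windows 7 is not compliant.")
    }
    # 3. Windows 7 stops being compliant at end of life; warn ahead of the date.
    elseif ($version.Major -eq 6 -and $version.Minor -eq 1) {
        if ($Today -ge $Windows7EndOfLife) {
            $findings.Add("Windows 7 reached end of life on $($Windows7EndOfLife.ToShortDateString()); no longer compliant.")
        } else {
            $days = ($Windows7EndOfLife.Date - $Today.Date).Days
            $findings.Add("Windows 7 loses vendor support in $days days ($($Windows7EndOfLife.ToShortDateString())); plan the upgrade.")
        }
    }

    # One row per machine, ready for Export-Csv when collected across the fleet.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Caption      = $os.Caption
        EditionID    = $edition
        Version      = $version.ToString()
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

# Usage: run on one machine, or run the same function on many hosts with
# Invoke-Command -ComputerName (Get-Content hosts.txt) and export the objects to CSV.
Test-WindowsHipaaBaseline | Format-List
```

The function only judges the cases the text names (Home editions, pre-Windows 7, and Windows 7 against its end-of-life date); Windows 8 and 8.1 (NT 6.2 and 6.3) are not mentioned on the page, so the script leaves them without a finding rather than guessing. Edition is checked two ways because `EditionID` is the reliable field while the `Caption` string catches localized or unusual builds.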