One line says volumes about what is being looked at, especially mobile devices:
The Office of Civil Rights (OCR) launched a probe in April of 2014, after receiving a report that a CHCS-issued iPhone had been breached.
Investigators determined that protected health information (PHI) belonging to 412 nursing home residents was illegally obtained, including social security numbers, diagnoses and treatments, medical procedures, and names of relatives and medications.
“The iPhone was unencrypted and was not password protected,” HHS officials said in a statement announcing the settlement.
“At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident,” the statement continued. “OCR also determined that CHCS had no risk analysis or risk management plan.”
Too many times the pushback i get is I cannot afford the costs of the compliance. I can guarantee you for smaller businesses the government WILL make an example of you by shutting you down. I have seen it happen with my own eyes to a now former client of mine who refused to implement my reforms of her highly insecure data handling practices that led to an unauthorized data disclosure and a full law enforcement raid on her establishment. If you are not sure your network is properly locked down for the increasing costs of a HIPAA breach contact ETC Maryland for a full evaluation of your security posture in all areas.