Judge Rules in Favor of OCR and Upholds $4.3M Fine for MD Anderson | Healthcare Informatics Magazine | Health IT | Information Technology


June 19, 2018
by Heather Landi

Houston-based The University of Texas MD Anderson Cancer Center must pay $4.3 million in fines stemming from three separate breaches involving unencrypted electronic devices that exposed patient data for 33,500 patients, according to an administrative law judge's recent ruling.

On June 1, U.S. Department of Health and Human Services (HHS) Administrative Law Judge Steven Kessel ruled that MD Anderson violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to encrypt electronic devices, and granted summary judgment to the HHS Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties imposed by OCR.

According to a June 18 release from HHS, this is the second summary judgment victory in the department’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by a judge or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

“OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013,” according to OCR’s release.

The administrative law judge agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

According to the judge’s decision, MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable.

The judge rejected each of these arguments, stating, “What is most striking about this case is that Respondents knew for more than five years that its patients’ ePHI was vulnerable to loss and theft and yet, it consistently failed to implement the very measures that it had identified as being necessary to protect that information.” Further, the judge wrote, “Respondent’s dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The judge wrote in the decision that the undisputed material facts establish that MD Anderson “was not only aware of the need to encrypt devices in order to assure that confidential data including ePHI not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI.” Further, the judge criticized MD Anderson because, despite this awareness and its own policies, the cancer center made only “half-hearted and incomplete” efforts at encryption over the ensuing years.

“As a consequence, the theft of a laptop computer that was not encrypted and the loss of two unencrypted USB thumb drives resulted in the unlawful disclosure of ePHI relating to tens of thousands of Respondent's patients,” the judge wrote.

The judge also noted that the material facts indicate MD Anderson leadership identified the risk and dangers related to confidential data loss and decided on encryption of devices as a means of protecting such data; however, the organization delayed encryption of laptop devices for years and then proceeded with encryption “at a snail’s pace.”

According to the judge, MD Anderson did not begin mass encryption of its laptops until May 2012 with a goal of encrypting all university laptop computers by August 2012. As of January 2014, nearly ten percent of the organization’s computers, more than 2,600 devices, remained unencrypted. MD Anderson’s compliance officer issued an annual risk analysis in June 2013 that identified failure to encrypt data as a high-risk impact area, the judge stated.

In detailing the breach incidents, OCR said the first breach involved the theft of an unencrypted laptop computer that contained the ePHI of 29,000 individuals; the information included patients’ names, Social Security numbers, medical record numbers and treatment/research information. In the second incident, an employee lost an unencrypted USB thumb drive containing ePHI relating to 2,200 individuals, including patients’ names, dates of birth, medical record numbers, diagnoses and treatment and research information. In the third incident, a visiting researcher lost an unencrypted USB thumb drive containing ePHI relating to 3,600 individuals, likely containing information such as patients’ names, dates of birth, medical record numbers, diagnoses and treatment information.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”


Report: Healthcare Lags Other Industries in Phishing Resiliency

September 19, 2018
by Heather Landi, Associate Editor

It’s no secret that the healthcare industry continues to be a target for cyber criminals and that healthcare organization leaders face constantly evolving cyber threats. It's widely known that phishing attacks are a serious problem in the healthcare industry, yet the industry continues to lag behind other industries in its resiliency to phishing attacks, according to a recent report.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS), affecting a total of 5.579 million patient records. Verizon's 2018 Data Breach Investigations Report (DBIR), released in April, found that the human factor continues to be a key weakness in data breaches. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated—with email continuing to be the main entry point (96 percent of cases). That report also found that while, on average, 78 percent of people did not fail a phishing test last year, 4 percent of people do fall for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.

In a recently released report, Cofense, a security software services company, specifically examined phishing attacks in healthcare. Cofense’s analysis is based on more than 160 sample healthcare clients over the last year (September 2017-2018) and the report explores how phishing endangers healthcare providers and provides steps organizations should be taking to boost their resiliency rate.

The report’s researchers examined healthcare’s resiliency to phishing attacks. Resiliency is the ratio between users who report a phish and those who fall susceptible to it, according to the report. Resiliency in healthcare has improved in the past three years—from a rate of 1.05 in 2015 to a rate of 1.49 so far in 2018—but this does not mark a dramatic improvement.

Based on a resiliency analysis across industries of the last 12 months, the healthcare industry clearly trails behind other industries in its phishing attack resiliency rate, as the average resiliency score for all industries was 1.79, according to the report.

The energy industry had a resiliency rate of 4.01, the financial services industry had a rate of 2.52, and the insurance industry had a rate of 3.03. The report’s researchers surmise that one possible reason resiliency is higher in insurance than in healthcare is that insurance is tied to financial services, which is frequently attacked as well as heavily regulated.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report authors wrote.

One factor that surely inhibits the industry’s resiliency is high turnover, according to the report. “With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report states.

Cofense builds and tracks phishing simulations for its customers in which users receive simulated phishes. Based on the company’s analysis of these phishing exercises, the top five phishing scenarios that healthcare workers most frequently clicked on, based on the email subject line, were requested invoice, manager evaluation, package delivery, Halloween eCard alert and beneficiary change.

The next five were Holiday eCard alert, HSA customer service email, employee raffle, file from scanner and Halloween costume guidelines.

“These wide-ranging scenarios show that vulnerability is spread across business and social contexts,” the report authors wrote. The analysis indicates low scores in Requested Invoice and e-Card simulations alike. “While some would argue that an e-Card would never evade their secure email gateways, remember the gaps created by BYOD (bring your own device). Not everyone is on the corporate network and protected by its email systems. When personal devices are exposed, a breach can easily ensue,” the report authors wrote.

The Cofense report also notes that phishing attackers are masters at pulling emotional levers, as “Requested Invoice” plays on urgency, and “Manager Evaluation” taps into urgency too, tinged with fear. What’s more, “Employee Raffle” is purely about the desire for reward. “These are scenarios any healthcare company will want to use in conditioning employees to be careful and not take the bait.

In previous years, Cofense reported that fear, urgency, and curiosity were the top emotional motivators behind successful attacks. Now they’re closer to the bottom, replaced by entertainment, social media, and reward/recognition,” the report authors wrote.

The trend shows that as Internet behavior changes, so do phishing attacks, according to the report authors. The report authors also note that any active threat a company faces is fodder for training. Security professionals who manage phishing awareness programs should ask their incident responders or threat intelligence analysts which active phishing threats should be simulated, according to the report.

“To guard against the phishing onslaught, healthcare providers would be smart to create an end-to-end defense, following the lead of the company featured in the case study. A collaborative defense, built with technology and skilled humans, both users and security professionals, is the best way to lower risk,” the report authors wrote.

Health System CISOs Form Group to Address Third-Party Risk

August 30, 2018
by David Raths, Contributing Editor
One goal: developing common vetting and oversight practices

Chief information security officers from six large health systems have formed a council to develop best practices around managing the information security-related risks in their supply chain and to safeguard patient safety and information.

The founding members of the Provider Third Party Risk Management Council include:

• Allegheny Health Network

• Cleveland Clinic

• University of Rochester Medical Center

• Vanderbilt University Medical Center

• Wellforce/Tufts University

One goal of the new organization is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.

In a prepared statement, Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children, described the challenge: “Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care. The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”

Supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases an insurmountable one for organizations that simply don’t have the expertise or resources.

The council is working with the HITRUST Common Security Framework (CSF) and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months.

The Healthcare CISO: An Essential Cyber Guardian

August 24, 2018
by Nick Giannas, Industry Voice

Business-driven information security executives at the C-suite level remain in high demand. This is particularly true in the healthcare industry as cybersecurity incidents increase and evolve. The notion of not if, but when an attack will occur remains cemented in the minds of healthcare leadership teams and boards. Market trends and forces, such as the shift to a ubiquitous digital environment and consolidation through mergers and acquisitions are fueling the increase in cybersecurity risk.

Three quarters of respondents to the most recent HIMSS cybersecurity survey said that their organizations had suffered a major security incident in the previous 12 months. Meanwhile, SecurityScorecard ranks healthcare 15th out of 18 industries in terms of cybersecurity preparedness.

With an undeniable and precarious cyber-threat landscape, the value of having a Chief Information Security Officer (CISO) continues to rise. With cyber-attacks threatening to disrupt care delivery and patient safety, increase breach costs, and damage brand reputation, the CISO role is a leadership imperative. Not only does a CISO drive an organization’s information security program but it is also critical in establishing a culture of cyber-safety and risk awareness that permeates the entire organization.

Recruiting Challenges

Provider organizations have made considerable progress in hiring CISOs over the past few years; however, some challenges still exist:
Salaries are rising with demand, pricing some organizations out of the market for top-notch executives; according to a recent Information Systems Security Association (ISSA) study – "The Life and Times of Cybersecurity Professionals" – the number one factor most likely to cause a CISO to leave one organization for another is being offered a higher compensation package. It is safe to say that healthcare CISOs as a separate category would have similar statistics.

Organizational budgets and commitments are still not where they should be, given the outsized risk that cybersecurity issues involve in healthcare; the same ISSA study suggests that another factor likely to cause a CISO to leave is that the budget for cybersecurity is not commensurate with the organization's size and industry.

Many healthcare organizations are still young in terms of their cybersecurity maturity. Responsibilities and reporting structures for CISOs vary from one organization to the next, making it difficult to recruit individuals with aligning skill sets and expectations.

Regarding the latter point, healthcare provider-based CISOs are primarily reporting up through IT and/or Corporate Compliance. Some CISOs are leading the Security Oversight function while others are responsible for all areas including security operations. Many organizations have elevated the CISO position to the Vice President level and are more open to recruiting candidates outside the industry, which has helped mitigate the high-demand, low-supply candidate pool dilemma.

What's Needed in Today's Healthcare CISO Candidates

As a result, identifying the ideal CISO is a necessity for healthcare organizations. The CISO must be an executive who can effectively lead the strategy and operations for the information security program of an enterprise.

The ideal background for a CISO in healthcare includes executive and board level presence with excellent communication and relationship-building skills. The ISSA study referenced above suggests that leadership skills (52 percent), communications skills (43 percent) and a strong relationship with business executives (35 percent) were the three most important qualities of a successful CISO. Other abilities that are essential for healthcare CISOs include:

  • Knowledge and experience in information security, risk management, and regulatory compliance;
  • Progressive experience in information security management, including planning and policy development and training/awareness;
  • Strong business acumen—the ability to enable the business while communicating risk;
  • Proven success as a strategic leader who is up-to-date on current and future trends including the utilization of security tools associated with artificial intelligence, machine learning and analytics;
  • Active engagement at the local and national level, sharing and learning intelligence and best practices in cybersecurity.

For many healthcare organizations, it is a matter of not if, but when they will begin ramping up their cybersecurity programs, technologies, and readiness. “The divide between the ‘real world’ and cyberspace is disappearing,” says Cleveland Clinic CISO Vugar Zeynalov. “Healthcare organizations are looking for cybersecurity professionals not to shield them from cyberspace, but to help them safely execute digital strategies.” The CISO has become a pivotal role from an operational and strategic standpoint.

Nicholas Giannas is a consultant in Witt/Kieffer’s Information Technology practice. Healthcare Informatics’ “Industry Voices” articles provide a platform for industry experts to weigh in on the latest healthcare IT trends and best practices. All Industry Voice submissions are subject to editorial approval and cannot include explicit mentions of vendor products.