Security breaches have strong foot on healthcare industry this year. Nearly half of the organizations in healthcare were hit by security threats at least once this year and it is expected to increase in the forthcoming years. The security breaches under HIPAA Violations could be classified as • Stealth of Devices • Process loopholes • Employee Snooping • Software defects • Hacking

1. 4010, Moorpark Avenue, #205, San Jose, California 95117
HIPAA Security & Privacy Breaches 2014
Security breaches have strong foot on healthcare
industry this year. Nearly half of the organizations
in healthcare were hit by security threats at least
once this year and it is expected to increase in the
forthcoming years.
The security breaches under HIPAA Violations
could be classified as
 Stealth of Devices
 Process loopholes
 Employee Snooping
 Software defects
 Hacking
Hospitals / Clinics pay less attention towards OWN
devices used by the physicians with PHI in it, which
in turn if stolen or missed, becomes a very big
security threat. Another kind could be using
outdated software which obviously led to very high
risk of getting affected by malwares. Few hospitals
try to shrink the money spent for security, which in
turn gets their high bills to pay as penalty.
The following are few instances happened in 2014
Stealth of Devices
State of Massachusetts billed $100,000 to Beth
Israel Deaconess since one of its physicians failed to
follow encryption policy and his laptop been stolen
with 4000 patients information.
Unencrypted backup tapes stored in hospital premise
of “The Women & Infants Hospital of Rhode
Island” was stolen which contains patient names,
date of birth, SSN, ultrasound image and
examination dates. As a result WIH (The Women &
Infants Hospital) have to pay civil penalty to
Massachusetts Attorney General.
Eight computers with unencrypted data of patients’
SSN, demographics data, billing information
including medical diagnosis were stolen in
Sutherland healthcare solutions. This breach
affected 340,000 patients approximately.
Process Loopholes
San Juan-based insurance holding company, Triple-
S Management Corp received a bill of $6.8 million
as penalty from HHS for sending mailed letters
holding Medicare numbers visible from outside to
their Medicare Advantage patients.
A staff member of Virginia based health system,
accidently donated CDs containing PHI to an art
program for children which made patient’s DOB,
SSN and demographics data public.
Dignity Health Mercy oncology center patients’
diagnosis, medications, current therapy and
treatment plans are viewable in search engines like
Google when third party vendor posted a link to
their website containing transcribed physician’s
progress notes.
Software Defects
Being a new security threat with new different
viruses introduced, it’s inevitable to keep software
up to date to escape from this kind.
HHS billed Community Mental health services
$150,000 for using outdated, unsupported software
which affects 2,743 individuals due to malware data
breach.
HIPAA Security & Privacy
Breaches 2014

2. 4010, Moorpark Avenue, #205, San Jose, California 95117
Valley View Hospital in Glenwood Springs,
Colorado reported several of its computers had a
virus which copied screen shots of the computers
and stored these images in an encrypted, hidden
folder which could have been accessed by an outside
entity.
Heart bleed, discovered during April is a serious
vulnerability in OpenSSL cryptographic library. It
allows anyone to read the memory of systems which
has this vulnerable version of OpenSSL. This led the
attackers to get access to private keys, username and
password without much effort. A large group of
hospital, Franklin, Tennessee -based Community
Health Systems which operates 206 hospitals across
29 states, reported that hackers were able to gain
access to their CHS’s system due to Heart Bleed
vulnerability. This is said to be the largest hacking-
related to data breach happened in the year 2014.
Shellshock, discovered during September 2014 is
equivalent to Heart bleed. Unlike Heart bleed,
shellshock has series of bugs raised one after other
which requires fix immediately to prevent hackers
attack. Its bug in bash command through which
hackers could gain access to machine and they could
run bash commands to bring the server/machine to
their control.
Employee Snooping
Employee snooping and insiders misuse are also the
biggest privacy threats in healthcare industry at
present.
A former Tufts Health Plan employee, Emeline
Lubin was convicted of disclosing patient
information in a fraudulent tax refund scheme after
stealing the personal data of more than 8,700
members.
An employee in “Cleveland-based University
Hospitals” inappropriately accessed nearly 700
patient’s medical and financial records for more than
three years without knowledge of UH.
A former employee of Riverside Health System
inappropriately accessed 919 patient social security
numbers and records in EHR. The breach was
discovered after four years (September 2009 to
October 2013) on random audit.
Hacking
Unauthorized access to PHI has been increasing day
by day. An unknown source accessed and stored
about 60k patients PHI in Dallas-based Onsite
Health Diagnostics which contracts with state of
Tennessee’s wellness plan.
Bottom of Form
In one of the biggest HIPAA security breaches
reported, hackers accessed a server from Texas
healthcare system, compromising the protected
health information of about 405,000 individuals.
Sony notified employees that their medical data and
Social Security numbers were affected by cyber-
attack.
A hacker even threatened to make patient’s PHI of
Clay County Hospital in Flora public for ransom
payment. But external forensic experts investigated
and determined that Clay County Hospital servers
remain secure.
Steps to avoid HIPAA Breaches
Authentication and Authorization
Ensure that only the authenticated users are
accessing the system. Keep an eye on the access
control to confirm that they access only the
authorized pages.
Encryption
Storage Encryption - Whatever being stored in local
systems or on any devices should be encrypted and
could be accessible only by the authoritative persons
having appropriate keys.

3. 4010, Moorpark Avenue, #205, San Jose, California 95117
Transmission Encryption – PHI should always be
encrypted while transmitting to other physicians via
Internet. Also, ssl should be enabled on the server if
the application is web based.
BYOD – HIPAA
If physicians/staff are using their own devices to
access PHI, ensure BYOD HIPAA compliance is
implemented and instruct the physicians/staff to
follow the same.
Software updates
Make sure to update all the software in inventory
now and then with latest version so that risk to get
malwares or viruses gets reduced. Keep track of all
new security vulnerabilities so that update could be
performed on right time.
Auditing
Audit the access of all users and the data been
accessed. Verify the same at regular intervals to
check on employee snooping and unauthorized
access.
Backup
A proper backup is state of data being never lost.
Every day data including audit should get backed up
for further reference and for recovery. Make sure
proper recovery mechanism is in place so that the
backed up data could be recovered during
emergency or accidental deletion. We also need to
ensure that the backup data is encrypted to avoid any
misuse.
Disposal
If the data is not needed, make sure you dispose all
the whereabouts of it in back up, archives and in
third party storage devices. Any left out could make
data vulnerable.
HIPAA Audit
Assign a HIPAA Compliance Manager to regularly
check if the HIPAA Security and Privacy rules are
implemented appropriately in the EHR and also in
the Hospital Workflow process.
The Compliance Manager should also keep a close
eye on the security risks so that the mitigation steps
can be planned.
“Prevention is better than cure” - If the clinic and
the hospital follows all the HIPAA Security and
Privacy Rules, they can ensure that the patient data
is safe and need not pay lot of money to the
government as penalty.
About ViSolve
ViSolve, Inc. is a software services and consulting firm
with expertise in Healthcare and Cloud. ViSolve is
headquartered at San Jose, CA with best in class
Development & Support center in Coimbatore, India. To
know more about how ViSolve can enhance your IT
capabilities, get in touch with us:
Website: www.visolve.com
Email: services@visolve.com
Twitter: @ViSolve_Inc
Google Plus: plus.google.com/+ViSolveUSA
Facebook: facebook.com/ViSolve
LinkedIn: www.linkedin.com