The OCR notes serious concerns with Banner Health’s pervasive noncompliance with the HIPAA Security Rule

Banner Health

• OCR’s investigation of Banner’s data breach in 2016 found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity.
• Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states.

Findings

• No analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization
• Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack
• Failure to implement an authentication process to safeguard its ePHI
• Failure to have security measures in place to protect ePHI from unauthorized access when transmitted electronically

The Attack

• Banner Health discovered unauthorized access to process payment card data at some Banner Health food and beverage locations during a two-week period in June and July 2016.
• The attackers targeted payment card data, including cardholder name, card number, expiration date, and internal verification code, as the data was being routed through affected payment processing systems.
• Banner Health learned that attackers accessed patient information, health plan member and beneficiary information, and physician and other healthcare provider information.
• The attack hit 27 locations and 3.7 million individuals.

Why is this Important?

• The OCR indicated that hacking is the largest threat to ePHI, with 74% of 2021 reported breaches involving hacking/IT incidents.
• This settlement and corrective action plan remind us that healthcare providers must take action to protect the privacy and security of PHI. It is just as important to document all measures taken to secure ePHI.
• The corrective action plan states that Banner must do the following to address the findings of the OCR’s investigation:
  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically.

What you should do

(Hint: Turn Banner’s Corrective Action Plan into a checklist)

• Complete or review an existing risk analysis and management plan. Include the identification of all ePHI that is created, stored and transmitted.
• Make sure policies and procedures include an authentication process to safeguard data and records. Technical Safeguard Standard §164.312(d) addresses person or entity authentication. This standard requires covered entities and business associates to “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” This is typically addressed with unique user IDs and passwords and the extra step of multi-factor authentication especially for administrative accounts.
  
  Conduct a quick audit: Does your risk analysis and management plan address person or entity authentication? If not, it’s time for a more thorough review.

Need help with the HIPAA Security Risk Analysis? MPA can help. Reply to this email to learn more.