The multi-state settlement with Medical Informatics Engineering makes the OCR settlement look like a cakewalk. The vendor agrees to pay OCR $100,000 under a standard 2-year corrective action plan. The states get $900,000 plus 5 years of very specific corrective action requirements. Vendors need to pay attention to this case and take appropriate action now.
Vendor Medical Informatics Engineering Settlements
First, we got the announcement from OCR that they had settled with MIE, an EHR vendor. Then came a second settlement that many people did not notice: 12 states had joined together in one big case against MIE. Following all of that was the OCR guidance defining clearly what BAs may be held liable for under HIPAA as far as OCR is concerned. That bit will need to wait for the next episode, though. The OCR MIE settlement wasn't much to see, but the state settlement screams "look at me!"
OCR Settlement with EHR Vendor, MIE
In the states' settlement, multiple charges were filed in some states, which makes it even more obvious that this is not just about HIPAA compliance. This is about how MIE failed their customers as their vendor and, in turn, those customers' patients. That is clear because the one charge every state filed was a violation of its deceptive acts laws. Some states added data breach violations, and others also included PIPA violations.
Take a look at the chart included in the settlement, which lists all of the charges filed in this one big lawsuit:
When we recorded the episode there was some confusion about whether it was 12 or 16 states. Now you can see where that confusion came from. There are 16 states in total, but only 12 of them filed in relation to privacy and data breach laws. That is why so much of the coverage from a privacy perspective says 12. Whew! Glad I sorted that one out!
So, back to the list. That long list is what led to the $900,000 state settlement, but more importantly it includes the 5-year corrective action plan, and that plan isn't playing around. Under the agreement, MIE agrees to do the following from this point forward.
- Comply with all Administrative and Technical Safeguards and implementation specifications required by HIPAA.
  - That's what got us all in this mess: not complying with HIPAA in the first place.
- Comply with the States' deceptive trade practices acts in connection with their collection, maintenance, and safeguarding of consumers' personal and Protected Health Information, and maintain reasonable security policies and procedures to protect such information.
  - This shows that the states believe MIE deceived people and businesses by saying they were meeting security requirements, or at least by allowing them to assume they were.
- Comply with the States' breach notification acts.
  - This one catches a lot of BAs who think only the upstream CEs need to worry about breach notification requirements. Not under state law: each business is responsible on its own.
- Comply with States' PIPAs.
  - Both HIPAA and the PIPA are required. That is just fun to say!
- Shall not make any representation that has the capacity, tendency, or effect of deceiving or misleading consumers in connection with the safeguarding of ePHI.
  - Again, allowing people to think you are doing things you are not doing. How many "HIPAA certified" or "HIPAA compliant" stickers are making a statement that could be considered misleading, at best?
- Shall implement and maintain an information security program that shall be written and shall contain administrative, technical, and physical safeguards appropriate to: (i) the size and complexity of Defendants' operations; (ii) the nature and scope of Defendants' activities; and (iii) the sensitivity of the personal information that Defendants maintain. It shall be the responsibility of the Privacy Officer or other designated individual to maintain, promulgate, and update the policies and procedures necessary to implement the information security program.
  - This mostly reiterates the first item, but adds more specific points, like that last sentence.
- Shall not employ the use of generic accounts that can be accessed via the Internet.
  - Well, doesn't this give us a clue about what caused or contributed to the data breach?
- Shall ensure that no generic account on its information system has administrative privileges.
  - Yep, it sounds pretty clear that generic accounts were involved in some manner.
- Shall require multi-factor authentication to access any portal they manage in connection with their maintenance of ePHI.
  - It is interesting to see them require MFA. All you other vendors need to be paying attention here.
- Implement and maintain a Security Incident and Event Monitoring solution to detect and respond to malicious attacks. The Security Incident and Event Monitoring solution may utilize a suite of different solutions and tools to detect and respond to malicious attacks rather than a single solution.
  - Requiring a SIEM for a company with this many patients on file seems appropriate, but how many of these vendors are actually doing it? Those things are NOT cheap. We wonder if it was discussed before the breach and not done because it was too expensive.
- Implement and maintain reasonable measures to prevent and detect SQL injection attacks that may impact any ePHI they maintain.
  - More clues about the breach details. This is something all vendors have to battle, but especially the cloud-based ones.
- Shall implement and maintain reasonable measures with respect to the creation of accounts in systems under the administrative control of Defendants with respect to their own employees with access to ePHI to limit and control their creation and ensure that accounts with access to such ePHI are properly monitored.
  - Worry about insiders? In healthcare? Really?
- Defendants shall implement and maintain a data loss prevention technology to detect and prevent unauthorized data exfiltration. The data loss prevention technology may utilize a suite of different solutions and tools to detect and prevent unauthorized data exfiltration.
  - Nothing was watching for exfiltration before. Was that skipped to save money?
- Require the use of multi-factor authentication by their employees when remotely accessing their system(s) that store or permit access to ePHI.
  - Complete use of MFA is required everywhere. We believe it is essential for vendors like these, who have access to a vast amount of information including ePHI.
- Maintain reasonable policies and procedures to ensure that logs of system activity are regularly and actively reviewed and analyzed in as close to real-time as possible.
  - Making sure someone is actually watching is part of a lot of security requirements. This relates directly back to the monitoring requirements above.
- Implement and maintain password policies and procedures related to their employees requiring the use of strong, complex passwords, and ensuring the stored passwords are protected from unauthorized access.
  - More clues that poor username and password hygiene played a part in the data breach.
- Educate their clients on strong password policies and promote the use of multi-factor authentication by their clients. Defendants shall make the use of multifactor authentication as well as Single Sign On (SSO) functions available to their clients.
  - You hear vendors say all the time that they don't do things because their clients do not want them to. We wonder if that happened here.
- Shall implement and maintain appropriate policies and procedures to respond to Security Incidents.
  - Basic security program requirements that must have been overlooked in whatever program they had in place.
- Shall, at least annually, train relevant employees regarding their information privacy and security policies, and shall document such training.
  - This is a HIPAA requirement, but we all know how we feel about annual training.
- Shall, within ninety (90) days of the Effective Date of this Consent Judgment, and thereafter annually for a period of five (5) additional years, engage an independent third-party professional who uses procedures and standards generally accepted in the profession to conduct a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to ePHI that they create, receive, maintain, or transmit, including a review of the actions or deficiencies that are the subject of the Consent Judgment. A professional qualified to conduct such risk analysis must be: (a) an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); or a similarly qualified person or organization; and (b) have at least five (5) years of experience evaluating the effectiveness of computer systems or information system security. Defendants may utilize an independent third-party vendor with which they already have a contractual relationship to conduct the risk analysis, so long as the contract between the parties provides that the person or persons performing the analysis on behalf of the independent third-party vendor are qualified as a CISSP or CISA. The independent third-party professional conducting the risk analysis shall prepare a formal report ("Security Report") including its findings and recommendations, a copy of which shall be provided to the Indiana Attorney General no later than one hundred eighty (180) days after the Effective Date of this Consent Judgment, which the Indiana Attorney General may share with the States pursuant to paragraph 56. Each year thereafter, a copy of the Security Report shall be provided to the Indiana Attorney General within thirty (30) days of the anniversary of the completion of the first Security Report, until the expiration of the five (5) year period.
  - That's a long one, but it says they have to get real with their SRAs and stop approaching them like a checklist. The level of specificity in the SRA requirements is very interesting.
- Within ninety (90) days of their receipt of each Security Report, Defendants shall review and, to the extent necessary, revise their current policies and procedures based on the findings of the Security Report. Within one hundred eighty (180) days of Defendants' receipt of each Security Report, Defendants shall forward to the Indiana Attorney General a description of any action they take and, if no action is taken, a detailed description why no action is necessary, in response to each Security Report. The document submitted to the Indiana Attorney General in response to each Security Report shall be titled "MIE Security Action Report," a copy of which may be shared with the States pursuant to paragraph 56.
  - Keep in mind that all the states can get access to this documentation, so MIE had better stay on top of it. A single state might have limited resources to keep watch, but with the work spread out, the states can take turns and each only has to review the status once a year.
- Each Defendant shall designate a Privacy Officer or other official to ensure compliance with this Consent Judgment. The efforts of the Privacy Officer or other designated official in this regard shall be documented in the MIE Security Action Report that is submitted to the Indiana Attorney General and may be shared with the States pursuant to paragraph 56.
  - One final point: someone has to be designated as the responsible party for making sure this gets done.
All of those individual items are pretty intense when you add them up into requirements that must be met and proven for the next 5 years. With this announcement, there now exists a perfect list of what vendors should be putting into their risk management plans, if it isn't already there.
As these cases from 2015 and later make it through to the OCR and state attorneys general settlement phase, we will more than likely see more responses of this kind. We should watch the fallout from the AMCA breach; it will be interesting to see how this part of the process proceeds (don't worry, we are watching that one closely for you). Vendors really should realize they have been put on notice, if they weren't before, that protecting data should be at the top of their concern list, not buried within the IT budget. Your responsibilities as a vendor are now much more extensive than signing a BAA and going about your business. It is possible that MIE tried to do a lot of these things and even thought they were doing them correctly. Either way, you have to wonder what they would do differently if they could go back in time.