How to lose data & money: The cost of unmitigated risk

The OCR announcement of a $4.3 million price tag on MD Anderson’s Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a PHI security threat prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation uncovered that the policy wasn’t actually enacted for years. Not smart.

Loss of USB devices and a stolen laptop exposed the disconnect between the stated policy and actual application of the policy. What could they have done differently? Followed through on their stated policies. Would a demonstrable attempt at PHI protection by alternate means, although encryption wasn’t implemented, have helped? Perhaps. It’s hard to know.

What likely didn’t help the Center was its 2011 internal Information Security Program report that stated ePHI on mobile devices and other portable storage devices was not yet mitigated – a written acknowledgement of failure to enforce its own policies. The USB device loss and the laptop theft happened in 2012 and 2013. In light of that fact, it’s fortunate that OCR asked for penalties under Tier 2’s Reasonable Cause vs Tier 3’s Willful Neglect, if only from the point of view of preserving (somewhat) MD Anderson’s Cancer Center’s reputation.

In light of the cost of “over-promising and under delivering” now is the ideal time to get a compliance assessment of your policies and procedures on the schedule. Are you in danger of an unmitigated risk? Are your policies realistic? Are they being practiced? Can you prove it?

4 Tips for Policy Follow-Through

  1. Tie your policies and procedures back to your actual business operation workflow and processes. Implementing an enforcement mechanism such as encryption gives policies “teeth.”
  2. Make sure you’re following the rules. Policies and practices need to align with the regulations you’re required to follow.
  3. Be realistic when drafting policies and procedures. “Audits will occur at weekly intervals” may not be a realistic policy to accomplish if you’re already overstretched. (See #1)
  4. Maintain proof of policy enactment. Document and be able to demonstrate you take action on all of your policies. For example: That information could include the date a policy was enacted, any time there was an internal citation for correction, and documentation of how it was corrected.

Your policies and procedures are essentially marching orders for your staff. Be sure those policies are clear and accurate so you can not only enforce them, but also document that you’ve done so. Then when a breach happens and OCR comes in, you’re better positioned.

Apgar & Associates helps you discover privacy and security vulnerabilities so you can manage risks before a breach occurs. Contact us to schedule your assessment today: 503-384-2583.