How ISU Could Have Avoided a $400,000 HIPAA Violation

The importance of vulnerability remediation

The news last week that Idaho State University (ISU) was fined $ 400,000.00 by the U.S. Department of Health and Human Services for information security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPA) served as a stark reminder of the importance of strict Information Security Policies and Procedures.

There was a breach of unsecured electronic protected health information records involving approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic. The breach occurred because firewalls protecting this information were left disabled for approximately 10 months.

You may ask yourself, how does a firewall protecting sensitive patient information remain disabled for 10 months?  In the busy life of an IT Engineer, there may very well be a need to disable firewall protection services to a specific server or entire network segments. The issue here is really about the lack of controls, not the fact that the firewall was disabled.

An important part of a robust Information Security posture is to have what is called a vulnerability remediation program in place. This program allows you to detect and prevent actual operational problems such as what happened at ISU. The program specifies regular scanning of the network, identification of vulnerabilities, and a way to get them into the change management system so that they can be fixed quickly. Problems like disabled firewalls, missing patches, blank accounts, etc. would be found quickly by such a system.

Many organizations conduct Vulnerability Assessments and think that they have done their job. A Vulnerability Assessment is a very worthwhile and necessary investment but only provides you with a snapshot of what the current environment looks like. Networks are always changing and it is critical to have systems in place that can mitigate the risks associated with constant change.

This need for proper security measures to help mitigate potential risk to patient information and policies is so imperative, Office for Civil Rights (OCR), Director Leon Rodriguez (the agency tasked with investigating HIPPA violations) stated: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program”.