The Office for Civil Rights (OCR) announced a $5.5 million settlement agreement with Florida’s Memorial Healthcare Systems (MHS) stemming from allegations that it failed to protect patient data. The privacy violation arose out of unauthorized access by MHS employees to the records of 115,143 patients. The compromised information consisted of names, dates of birth and Social Security numbers. The majority of these impermissible accesses occurred when a former employee’s login credentials were used between 2011 and 2012, affecting 80,000 individuals.
MHS’s failure was not a lack of adequate procedures but a failure to follow through on them. In its press release, OCR stated that MHS had “workforce access policies and procedures” in place which would presumably have prevented this issue. A review of access logs should have detected that a former employee’s credentials were being used to access patient information. However, the failure to adhere to these policies resulted in a massive breach and a commensurate fine.
Crafting written policies and procedures for dealing with cybersecurity issues is something all companies should do. Policies governing workplace monitoring, employees’ use of personal devices for work, and termination of system access for exiting employees are just a few examples of situations that benefit from having a written policy in place. Attempting to deal with these situations as they arise can lead to an inconsistent process that overlooks important aspects of a recurring situation. These policies should also be living documents that are evaluated periodically and changed when new problems present themselves. However, as this case demonstrates, simply having a policy in place is not enough. Policies are only as good as the extent to which they are followed.
Enforcing these policies is more critical than ever in today’s digital environment. With remote access to company servers more prevalent and the amount of data being collected and generated higher than ever, how a company manages access to this information is critical. Employee access to information should be tiered so that each person can reach only the specific information needed to complete their tasks. When someone exits the company, that person’s access credentials must be revoked immediately. A rogue employee could steal millions of valuable documents on a tiny flash drive and cause immense damage to an organization. That is why procedures that monitor access and audit who is accessing what information are critical to an organization, but they accomplish nothing if they are not enforced.
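The two controls the article describes, reviewing access logs for use of a former employee’s credentials and limiting each role to the record types it needs, can be checked mechanically. The following is an added example written for this page; it is not code from OCR, MHS or the original author. The roster, role permissions and log lines are constructed sample data, and the log format (date, user, action, record type, patient id) is an assumption for illustration.

```python
"""
Added example (not from the original article or from MHS/OCR): a small
access-log audit that flags the two problems the article describes --
use of a former employee's credentials after their termination date and
access to patient data outside the employee's role tier. All usernames,
roles, record types and log lines below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Constructed workforce roster: username -> (role, termination date or None).
ROSTER = {
    "jdoe": ("billing", None),
    "asmith": ("nurse", None),
    "rformer": ("nurse", date(2011, 3, 15)),   # left the organisation
}

# Constructed tiered access model: each role may touch only these record types.
ROLE_PERMISSIONS = {
    "billing": {"billing_record"},
    "nurse": {"clinical_record"},
}

# Constructed access log, one event per line: date,user,action,record_type,patient_id
SAMPLE_LOG = """\
2011-03-10,rformer,read,clinical_record,P1001
2011-06-02,rformer,read,clinical_record,P1002
2011-06-02,rformer,read,clinical_record,P1003
2011-06-03,jdoe,read,billing_record,P1004
2011-06-03,jdoe,read,clinical_record,P1005
2011-06-04,asmith,read,clinical_record,P1006
2011-06-04,ghost,read,clinical_record,P1007
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "terminated_credential", "unknown_user" or "out_of_tier"
    user: str
    when: date
    record_type: str
    patient_id: str


def parse_log(text):
    """Yield (date, user, action, record_type, patient_id) for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        d, user, action, record_type, patient_id = line.split(",")
        yield date.fromisoformat(d), user, action, record_type, patient_id


def audit_access(log_text, roster=ROSTER, role_permissions=ROLE_PERMISSIONS):
    """Return a Finding for every log entry that violates the access policy."""
    findings = []
    for when, user, _action, record_type, patient_id in parse_log(log_text):
        entry = roster.get(user)
        if entry is None:
            # Credentials that do not map to any workforce member at all.
            findings.append(Finding("unknown_user", user, when, record_type, patient_id))
            continue
        role, terminated_on = entry
        if terminated_on is not None and when >= terminated_on:
            # The former-employee case from the article: credentials still
            # working on or after the termination date.
            findings.append(Finding("terminated_credential", user, when, record_type, patient_id))
            continue
        if record_type not in role_permissions.get(role, set()):
            # Active employee reaching outside their tier.
            findings.append(Finding("out_of_tier", user, when, record_type, patient_id))
    return findings


def summarize(findings):
    """Map each finding kind to (event count, number of distinct patients affected)."""
    summary = {}
    for f in findings:
        bucket = summary.setdefault(f.kind, {"events": 0, "patients": set()})
        bucket["events"] += 1
        bucket["patients"].add(f.patient_id)
    return {k: (v["events"], len(v["patients"])) for k, v in summary.items()}


if __name__ == "__main__":
    found = audit_access(SAMPLE_LOG)
    for f in found:
        print(f"{f.when} {f.kind:22} user={f.user:8} {f.record_type} patient={f.patient_id}")
    print(summarize(found))
```

On the sample log the audit flags two reads under the departed employee’s credentials, one out-of-tier read by a billing user, and one read by a username not on the roster; the access on 2011-03-10, before the termination date, is correctly left alone. Counting distinct patients per finding kind is what turns a log review into the kind of affected-individuals figure a breach notification requires.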