A (Bad) Blast from the Past

With all of the phishing and other hacking attacks dominating the headlines, yesterday's OCR note was like reading a scenario from 2012. The University of Rochester Medical Center has agreed to a $3M, two-year corrective action plan after failing to encrypt their mobile devices. As with any investigation, the Office of Civil Rights also discovered URMC:

• failed to conduct an enterprise-wide risk analysis

• implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

• utilize device and media controls; and

• employ a mechanism to encrypt and decrypt electronic protected health information when it was reasonable and appropriate to do so.

We don't enjoy reporting non-compliance cases but post OCR actions so that organizations may consider the real impact of their compliance and security decisions. Click the graphic below to read the OCR report.