With phishing and other hacking attacks dominating the headlines, yesterday's OCR note read like a scenario from 2012. The University of Rochester Medical Center has agreed to pay $3M and enter a two-year corrective action plan after failing to encrypt its mobile devices. As with any investigation, the Office for Civil Rights also found that URMC had failed to:
conduct an enterprise-wide risk analysis;
implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
utilize device and media controls; and
employ a mechanism to encrypt and decrypt electronic protected health information when it was reasonable and appropriate to do so.
We don't enjoy reporting non-compliance cases, but we post OCR actions so that organizations can consider the real impact of their compliance and security decisions. Click the graphic below to read the OCR report.