The Importance of §164.308(a)(1)(ii)(D)
We read last week of Newman Regional Health (NRH) reporting an email-based data breach that exposed its patients' most personal data between January and November 2021. Their website doesn't articulate exactly what happened or how they discovered their unauthorized disclosure, but consider this:
One, the top banner of their public website advertises "...Newman Regional Health is notifying individuals affected by a recent cyber security incident...". While technically true, as §164.304 defines a security incident as "...the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system...", the fact is this is a reported breach and softening the language doesn't make it any easier. Consider if any healthcare organization you personally receive service at had to put a similar note on their website - how would you feel about the care you receive?
Two, now NRH has a web page hosted through IDX, a credit monitoring service. Notably, this web page is a pretty good example (just our opinion as a consultant...) of what to include following a breach. We don't know whether this service is provided through their insurance policy or was an unplanned expense, but we anticipate that NRH is potentially awaiting investigations and litigation. We've covered this kind of cycle / consequences previously.
The HIPAA Security Rule requires us to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.". There are many ways that system activity can be monitored as events happen (i.e. in real time) and we encourage those without the technical expertise to speak with a qualified managed service provider (MSP) or a vendor offering security operations center (SOC) services. If we truly care about the healthcare service we're offering, then adequately protecting the data involved is part of that patient care we advertise. Let us know if you need help understanding what reasonable and appropriate information system activity reviews look like.
Stay (HIPAA) safe,
Alan -
