I said yesterday that, sadly, we needed a regular spot for health care breaches. Welcome, then, to Health Care Breach Watch.
Add another 39,090 to yesterday’s total of 123,170,696 affected records. Indiana State Medical Association has admitted to losing two “archive backup hard drives containing Indiana State Medical Association group health and life insurance databases” in February while they were being transported to a storage facility.
ISMA’s official statement can be found here.
2015’s total now stands at 123,209,786.
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA covered entities concerned about data security should implement an information security management system (ISMS), as specified by international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations, however, can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.