Security Risk Analysis $100,000 Settlement

Medical Informatics Engineering, Inc. (MIE), an Indiana company that provides software and electronic medical record services to healthcare providers, paid $100,000 to settle a HIPAA breach.

In this case, hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. The Office of Civil Rights (OCR) investigation revealed that MIE had not conducted a comprehensive risk analysis prior to the breach.

As part of the corrective actions of the settlement MIE agreed to:

“Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of MIE’s electronic protected health information (“ePHI”) (“Risk Analysis”). The Risk Analysis shall evaluate the risks to the ePHI on its electronic equipment, data systems, and applications controlled, administered or owned by the MIE, that create, receive, transmit, or maintain ePHI. Prior to conducting the Risk Analysis, MIE shall develop a complete inventory of all of its facilities, categories of electronic equipment, data systems, and applications that create, receive, transmit, or maintain ePHI, which will then be incorporated into its Risk Analysis.”

Sad to say, this incident is neither the first nor will it be the last of its kind. The main reason is that Covered Entities (CEs) and Business Associates (BAs) still do not understand the importance of the Security Risk Analysis (SRA). Quite often CEs and BAs simply fail to conduct an SRA. Other times they merely complete a form, fill in a template, or hire the cheapest subcontractor to produce an “SRA” for them, which most of the time does not meet the requirements of the law.

Our (Taino Consultants) recommendations based on the above are:

  • Covered Entities (CEs) and Business Associates (BAs) must conduct an annual Security Risk Analysis (SRA).
  • SRAs must be comprehensive enough to provide a baseline of the organization’s vulnerabilities.
  • SRAs should be conducted by a third party to ensure an objective point of view.
  • SRAs should provide a basic management/corrective plan.

References

https://www.hhs.gov/sites/default/files/mie-ra-cap.pdf

https://www.hhs.gov/about/news/2019/05/23/indiana-medical-records-service-pays-100000-to-settle-hipaa-breach.html