Idaho State University Penalized for HIPAA Breach

Posted by BAS - 06 June, 2013


Idaho State University recently agreed to pay penalties of $400,000 to settle a violation of the HIPAA Security Rule. At issue was the breach of unsecured electronic protected health information of patients at the University’s Medical Clinic.

The Clinic changed its firewall policies, which exposed servers and effectively left patient information, amounting to 17,000 patient records, unsecured. The University also had to enter into a two-year Corrective Action Plan to implement enhanced security procedures and increased reporting to the government.

Implementing certain security controls could likely have prevented the breach. The University could have used a firewall management product to identify a hole in the firewall. Once the hole was fixed, the patient information would no longer be considered “unsecured.” The University could also have implemented vulnerability assessment tools, with ongoing monitoring to identify any persisting issues.

BAS employs Tripwire to monitor firewall penetration on an ongoing basis to prevent the exposure of electronic protected health information at all times.

Topics: MyEnroll360 Security

