Health System Data Breach Allows Google Access to Patient Records

Posted by BAS - 26 December, 2013


Cottage Health System, based in California, notified over 32,000 patients that their personal information may have been accessible on Google.

A third-party IT vendor for the Health System inadvertently removed security protections from a file containing personal health information on its server. The file was accessible through Google for approximately two months before the error was discovered. The Health System was not aware of the security issue.

The accessible information included names, dates of birth, medical diagnoses, lab results, and addresses. No Social Security numbers or payment information were exposed.

In its letter to patients, the Health System stated that it took steps to prevent a similar event from happening again, including reviewing relationships with third parties and increasing security checks.

One Facet of BAS Security Practices to Manage System Changes

At BAS, we strive to protect against incidents such as the one described above through the use of system change management controls. BAS has incorporated Tripwire(R) change management solutions that are designed, in accordance with the Health Insurance Portability and Accountability Act (HIPAA), to protect the confidentiality and integrity of electronic personal health information (ePHI) and personally identifiable information of BAS clients. Being HIPAA IT compliant means that virtual and physical configurations (from networks and servers to virtual machines and security infrastructure) must be maintained and assessed against HIPAA policies, and that compliance must be provable in the event of an audit.

The Tripwire solution for BAS' HIPAA IT compliance incorporates best practices for high-integrity systems management and enhances BAS' data security for electronic personal health information.

BAS' Tripwire solution delivers comprehensive coverage by:

  • Allowing BAS to meet the core intent of HIPAA's integrity controls with file integrity monitoring and helping identify changes in BAS systems.
  • Helping BAS address each of the requirements in the Security Rules associated with Part 164, Subpart C, Section 164.312 of Title II of HIPAA.
  • Helping BAS measure and control its HIPAA compliance status.
  • Helping BAS automate the repair of system configurations that intentionally or accidentally fall from secure and compliant states.
  • Helping BAS manage policy compliance for HIPAA.

BAS takes great steps to maintain its security compliance to protect clients' sensitive data from unauthorized access or disclosure.

Topics: MyEnroll360 Security

