It’s not every day where you see a $150,000 US fine slapped onto a non-profit organization because of software not being patched. Truth is, they were two years overdue on their updates. This isn’t something to take lightly, it affects 2,700 individuals.
Anchorage Community Mental Health Services (ACMHS) failed to take basic risk assessment and, in March, 2012, was infected with malware. This malware compromised the systems of mental health providers, specifically their information technology resources. This could have been prevented if they followed a policy they adopted in 2005. Affecting that big of a population calls for action, that of which they did not take. Now, the ACMHS is being fined for a large sum because they did not take action.
What Prevention Methods Should They Have Taken
It is actually a simple fix, abide by policy and update your systems. Susan A. Miller, an independent HIPAA and healthcare attorney, stated “This is a wake-up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].” She goes on to state “the lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately.”
About Managing Risk
If managing all risks were simple, we wouldn’t have policies in place to abide by. Miller makes a great point by noting all patches should be applied and that technology security should be looked at regularly. Networks and servers also have security issues that need to take looked at. Some can happen because of employees.
Along with the fine, ACMHS is also advised to train all employees on proper security procedures and practices, within the facility. This isn’t the first case, other problems have come across major health institutions in the past.
What You Can Take from This
Monitoring your network is always a priority, but it doesn’t mean you have the time to manage it. Managing a network is the same as managing a business; keeping up to date, employees notified, on top of threats and analyzing data. Here are some actions you can take:
Don’t know where to go? Go with someone that has experience with healthcare organizations. Give us a call at (317) 522-1362 ext 2 or email us at email@example.com. C.D.'s IT Consulting LLC, keeping disasters at bay while keeping your information safe.