Precipitating Event: Internet firewall disabled on server.
The HHS Office for Civil Rights (OCR) opened an investigation after XYZ Hospital System notified HHS of the breach in which the PHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by XYZ Hospital System. OCR’s investigation indicated that XYZ Hospital System’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. XYZ Hospital System also failed to assess the likelihood of potential risks occurring.
XYZ Hospital System operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics.
Minor modifications for readability.
"disabling of firewall protections at servers"
To save money, some folks try to run their own server, but forget simple configurations like enabling the firewall.
Ask Yourself: Do you ever check the configurations on modems, routers or servers?
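One way to answer that question on a Linux server is a scheduled check that reports whether host firewalling is actually on. The script below is an added example, not part of the original case commentary; the sample tool outputs it classifies are constructed, and the nftables rule is a conservative heuristic (it only counts a chain with a default drop policy as active).

```shell
#!/bin/sh
# Added example: audit whether a Linux host firewall is enabled.
# Suitable for a cron job or config-management check that alerts
# when protections have been switched off.

# Classify `ufw status` output: prints "active" or "inactive".
classify_ufw() {
  case "$1" in
    *"Status: active"*) echo active ;;
    *) echo inactive ;;
  esac
}

# Classify `firewall-cmd --state` output ("running" vs "not running").
classify_firewalld() {
  case "$1" in
    running*) echo active ;;
    *) echo inactive ;;
  esac
}

# Classify `nft list ruleset` output. Heuristic (assumption): a ruleset is
# counted as active only if some chain has a default "policy drop"; an
# empty ruleset, or one with only accept policies, is reported inactive.
classify_nft() {
  case "$1" in
    *"policy drop"*) echo active ;;
    *) echo inactive ;;
  esac
}

# Constructed sample outputs, as the tools would print them.
SAMPLE_UFW_OFF="Status: inactive"
SAMPLE_NFT_ON="table inet filter {
  chain input { type filter hook input priority 0; policy drop; }
}"

# Probe the live host with whichever tool is installed. Exit status 0
# means a firewall is active; 1 means inactive or no tool found.
audit_host_firewall() {
  if command -v ufw >/dev/null 2>&1; then
    state=$(classify_ufw "$(ufw status 2>/dev/null)"); echo "ufw: $state"
  elif command -v firewall-cmd >/dev/null 2>&1; then
    state=$(classify_firewalld "$(firewall-cmd --state 2>/dev/null)"); echo "firewalld: $state"
  elif command -v nft >/dev/null 2>&1; then
    state=$(classify_nft "$(nft list ruleset 2>/dev/null)"); echo "nftables: $state"
  else
    echo "no supported firewall tool found"; return 1
  fi
  [ "$state" = active ]
}
```

Run `audit_host_firewall` as root (the status commands need privileges) and treat a non-zero exit as an alert condition.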
"XYZ Hospital System operates 29 outpatient clinics and is responsible for providing health information technology systems security"
Many universities and large healthcare systems have dozens of smaller, satellite offices.
Ask Yourself: Who is managing your far-flung locations?
In a hospital, it is a full-time job to manage the I/T of all the departments located physically within the main hospital building or campus. In this case, there were also 29 smaller clinics spread throughout the state. Each location needs local management.
XYZ Hospital System disagreed with HHS about which locations it is responsible for, from a HIPAA point of view. There are a lot of business models with shared resources. Make sure that contracts clearly state who is responsible for what, e.g., shared surgery centers or seeing patients at another clinic.
During HIPAA probation, XYZ Hospital System has to do a gap analysis. This is a new request from HHS. It shows that XYZ Hospital System had a decent compliance plan at its main location, but was weak on the periphery.