Breaches are preventable failures in risk management. A healthcare breach at Metro Community Provider Network (MCPN), a federally approved organization, led to a $400,000 penalty and a mandated correction plan. The Office for Civil Rights (OCR) levied the penalty; the cause of the breach has been cited as a failure to conduct “a timely and comprehensive risk assessment,” according to Information Security Media Group.

As we’ve said before, an old proverb – An ounce of prevention is worth a pound of cure – is a fitting rule in risk management. Had MCPN invested in integrated risk management activities, it would have prevented the breach altogether. Instead, it’s financing corrective action (the “cure”) in a response to a phishing attack, must pay $400,000 for noncompliance, and will likely suffer major damage to its reputation.

What Happened? 

In January 2012, MCPN filed a healthcare breach report with OCR. A hacker reportedly “accessed employee’s email accounts and obtained 3,200 individuals’ electronic protected health information through a phishing incident.” It wasn’t until April of this year, however, that the OCR revealed it had signed a resolution agreement with MCPN following the healthcare breach.

This is particularly calamitous for a healthcare organization, which the public trusts to safeguard sensitive information. Poor governance affects all of us and is never excusable. It is negligence, and a company that allows a scandal to unfold through negligence is not merely acting unjustly; it is violating its moral obligation to its stakeholders and community.

As described in another of our blog posts, “Use ERM to Defend Against Ransomware and Data Breaches,” phishing attacks target individual employees, often masquerading as trustworthy emails. 

MCPN failed to conduct an enterprise risk analysis until a month after reporting the breach. Even when the organization did start assessing risk, however, those efforts were not deemed sufficient to meet requirements in the HIPAA security rule. 

Failure to perform risk management best practices (a minimal investment compared to the fallout of a breach) led directly to the cybersecurity incident, compliance issues, and significant negative media exposure.


Companies in Every Industry Can Learn From This Healthcare Breach


As is the case with many incidents, this healthcare breach is fundamentally not a cybersecurity issue, nor a compliance issue. It’s a governance issue. Strong governance is crucial to effective risk management, and it’s also the framework for the “ounce of prevention” that makes “a pound of cure” obsolete. 

MCPN should have started performing root-cause risk assessments well before it did. Its failure to identify and assess risks in its ePHI environment prevented the organization from implementing appropriate mitigation activities and controls.

Specifically, the $400,000 restitution is a sign that breaches/incidents are now considered “a symptom of larger issues that indicate general failures to have appropriate safeguards in place.”


Download our free eBook, 5 Steps for Better Risk Assessments, for an in-depth look at how risk profiles should be assessed to prevent breaches and other vulnerabilities.


Steven Minsky is a recognized thought leader in risk management, CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.
