Issue link: https://beckershealthcare.uberflip.com/i/717576
69 CIO / HEALTH IT Advocate to Pay Largest HIPAA Settlement to Date By Erin Dietsche D owners Grove, Ill.-based Advocate Health Care has agreed to pay $5.55 million to HHS' Office for Civil Rights to settle claims that it violated HIPAA. The settlement is the biggest to-date HIPAA payment involving one entity. The allegations against Advocate, the largest health system in Il- linois, involve electronic protected health information. In 2013, the OCR launched an investigation after Advocate submitted three different data breach reports on behalf of its subsidiary, Advocate Medical Group. In total, the breaches comprised the ePHI of 4 mil- lion individuals and included their names, demographic informa- tion, addresses, credit card numbers, dates of birth, clinical infor- mation and health insurance information. e problems began in August 2013, when four laptops containing pa- tient information were taken from an Advocate office in Park Ridge, Ill., during a burglary. Later that summer, an outside party accessed an Advocate business associate's network, which potentially compromised 2,000 patients' information. More than 2,000 more patients' informa- tion was stolen in November 2013 when a laptop was stolen from an Advocate employee's vehicle. Aer conducting an investigation, the OCR concluded that Advocate failed to assess the risks of its ePHI, restrict physical access to its IT systems, receive written record that its associates would protect Ad- vocate's ePHI and guard an unencrypted laptop while it was in an unlocked car overnight. "We hope this settlement sends a strong message to covered enti- ties that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," said Jocelyn Samuels, director of the OCR. "is includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level." In a statement, Advocate Health Care said, "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ev- er-evolving digital landscape and the impact it has on security, we've enhanced our data encryption measures to prevent this type of inci- dent from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts." n Pokemon Go a Threat to Enterprise Cybersecurity, Experts Say By Akanksha Jayanthi H ackers accessed the "Pokemon Go" network, temporarily disrupting access to the aug- mented reality smartphone game in July, and security experts are warning companies of the threat this may cause to organizations' cybersecurity. A group called OurMine claimed re- sponsibility for the hack July 17, and claims to have interrupted access to the game to spread awareness about stronger security practices, re- ports Tech Crunch. Another group called PoodleCorp has claimed re- sponsibility for accessing the servers over the weekend of the 17th as well. For organizations with bring your own device policies or corporate-owned, business-only phones, the vulnerabili- ties of the app pose a threat to enter- prisewide security, according to Bar- bara Rembiesa, president, CEO and co-founder of the International Associ- ation of Information Technology Asset Managers. "Frankly, the truth is that "Pokemon Go" is a nightmare for companies that want to keep their email and cloud- based information secure," she said in a statement. "Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices." Ms. Rembiesa said the only safe thing to do is to ban people from download- ing and using "Pokemon Go" on BYOD devices and corporate-owned devices. However, many of the fears of the "Pokemon Go" app security ar- en't unique to this game. In Janu- ary, a report from Arxan Technolo- gies found 80 percent of health apps approved by the FDA are vulnerable to multiple security risks. n Epic Now Live in First Australian Hospital By Akanksha Jayanthi E pic's first Australian customer is now live on its EHR. Royal Children's Hospital in Melbourne had its big bang go-live between April 30 and May 1. Royal Children's Hospital selected Epic in April 2014, announcing a $48 million (in Australian dollars) con- tract, which is roughly equivalent to $36 million in USD. According to the hospital, it is one of the first pediatric hospitals in Australia to replace paper-based medical re- cords with an electronic system. In addition to the medical records, Royal Children's Hos- pital also implemented a patient portal. Hospital CEO Christine Kilpatrick said the go-live was "re- markably smooth" and "successful," according to Epic. n