Monday, October 27, 2014

The Need for Risk Assessment of Peripheral Devices

LaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network.

Peripheral devices are the devices on your network other than your computers and servers, such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices is used to store or process sensitive information and contains a hard drive or other form of memory that retains it, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement of $1.2 million after it returned leased copy machines to the leasing company, unknowingly releasing the ePHI of over 300,000 individuals that remained on the machines' hard drives. The breach was discovered by CBS Evening News, which purchased the copy machines as part of an investigation after Affinity Health Plan had returned them. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.