A State CSO Reflects on a Breach
Alaska's Health and Social Services CSO Offers Lessons Learned
The key lesson, he says, is to take ongoing action to comply with HIPAA and carefully document all those steps.
"Any steps you're doing for compliance, be expedient," Ryan urges. "With the benefit of hindsight, we would've saved millions of dollars" in settlement and other costs if the department had taken several steps sooner - including making widespread use of encryption, updating a risk assessment and ramping up HIPAA compliance training.
The Department of Health and Human Services' Office for Civil Rights' investigation of the Alaska agency was triggered by the October 2009 theft of an unencrypted portable storage device (see: Alaska HIPAA Penalty: $1.7 Million).
Ryan notes in an interview with HealthcareInfoSecurity that the agency was half-way through encrypting all its PCs as well as mobile computing and storage devices at the time of the incident, and he stresses the value of widespread use of encryption.
The OCR investigation determined the Alaska agency lacked a current risk assessment, as required under HIPAA. "We had a risk assessment, but it was a few years old," Ryan says. "However, OCR never defined in their language what a 'current risk assessment' is. We had previously asked for clarification on that, and they said there was no definition available on that. So, to be found that we missed a definition that was not defined was interesting," he says.
Ryan explains why his agency agreed to the settlement as part of a resolution agreement: "We don't think we were in violation of the HIPAA privacy or security rule, however [the settlement] was the least expensive way for us to proceed," he contends.
He points out that his department reported the breach even though it wasn't clear whether the stolen device contained any patient data. Although OCR claimed the stolen device contained data on about 500 Medicaid patients, Ryan contends the device contained no Medicaid data (see: Alaska Breach: Tip Of Iceberg). "We're not sure if there was any data involved - at the time of the theft there was no proof that any data existed on [the device]. However, there was a possibility there may have been data," he says. "But when in doubt, report it - that was the advice we had from our legal counsel," he says. "We don't regret reporting. We did the right thing."
In the interview, Ryan also describes:
- Why the department was surprised by the resolution agreement.
- How the department is complying with details of an OCR-approved corrective action plan. This includes the rollout of a learning management system to support HIPAA compliance training.
- What it's like to undergo an OCR investigation. In investigating HIPAA compliance in the Alaska department, OCR officials conducted one-on-one, in-person interviews with about a dozen staffers.
Ryan has served in a number of roles within the State of Alaska over the last 12 years. Before being named Alaska DHSS information security officer in 2008 and then chief security officer in 2011, Ryan held a variety of IT positions at various Alaska state agencies. Those positions included server administrator, security administrator and security analyst.