Back in February 09 I noted that CVS Caremark Corp. had agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash.
This morning, 9 months later – I checked the stock performance of CVS Caremark. I was curious to see if the stock had taken a hit from the HIPAA violation federal fine. The answer is that there was no influence on stock performance and as a matter of fact CVS stock tracks the S&P 500 closely the entire period, currently at a year high of 38.
This was not a data loss event. It was a non-compliance situation that probably didn’t constitute a very big threat to patient information/customer data.
Data security vendors like Mcafee, IBM, Fidelis Security, Symantec, Verdasys, Reconnex, Vericept, Raytheon, Websense and Checkpoint have written thousands of white papers on how their data security products can help an organization be HIPAA compliant. For example (from the Checkpoint web site:)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)—HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports. Also, Section 4.22 specifies that documentation of actions and activities need to be retained for at least six years.
True – but log-management cannot mitigate dumpster-diving, nor can it prevent bulk database dumps and file transfer. Checkpoint is well-known for taking a wait-and-see strategy with data security – and similarly to other information security vendors, this seems like a case of when you have a hammer, every problem looks like a nail.
It may be easier to collect PII in small quantities from a dumpster than from an information system, but when you want large quantities of data, it’s much more effective get command line SQL access and go for the gold.
See the below example for Oracle. Select all and save the credit card numbers in an external data file, zip the data and use secure copy to send it to a one-time instance of a Linux server in the cloud – for example on Mosso, where I can setup a server in 5′, transfer the data and then discontinue the service when I’m finished. All done in less than 15′.
SPOOL data.csv; SELECT credit_card_number from customer_table; END SPOOL;
Click here for the full article on CVS 2.5 million dollar fine for HIPAA violation