"they failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."Robinsue Frohboese, OCR Acting Director, stated "access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
- OCR Acting Director Robinsue Frohboese
Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.
(a) HHS $5.5M Settlement - HHS, 2/17/2017