In its press release on the settlement, OCR details that the source of the compromise was a malicious attachment downloaded through email, i.e. phishing.
...the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system...

But the release goes on to highlight the need for comprehensive risk assessments, noting that all parts of the organization and its partners must be addressed in the risk assessment.
OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

OCR had some additional guidance in the release concerning risk assessments, specifically that they must extend past the EHR to all areas of the organization.
"All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise," said OCR Director Jocelyn Samuels. "An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data."

Whether you are in healthcare or another vertical, you have to get risk assessments right. When you document the requirement, you document your recognition that getting risk assessments right is a necessity. But you then actually have to do what you document. Any failure to do so is a liability. If you need help with risk assessments, find individuals who specialize in infosec to help you. The cost of failure, as demonstrated by the latest OCR settlement, is too high for you to get it wrong.