The 2018 edition of the annual study Ponemon conducts for Experian polled 624 executives and IT specialists who chiefly perform a compliance, security, or privacy role. Disturbingly, fewer than 1 in 5 of those polled (19 percent) said their firm had a highly effective data breach response plan, and more than half (56 percent) said their firm had suffered a breach during the prior year, up 4 percentage points from the 2017 study. These figures are not comforting, but they do show that many organizations have room to improve. Here are a few ways to make your cybersecurity as strong as possible and minimize the chance of a patient record breach:
1. Systematize risk management.
Security is fundamentally about mitigating risk, and risk management has always been part of business. The threats and the defenses have changed, but the basic approach has not, which is why a ten-year-old Gartner report, “A Risk Hierarchy for Enterprise and IT Risk Managers,” is still relevant. The report noted that managing risk should “begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align.” You will need to adapt your risk framework to your own situation, but a standard structure from the beginning strengthens governance, removes redundant effort, and closes gaps.
Risk management rests largely on routine risk analysis, whose findings inform your management approach. When you conduct a risk analysis, you exhaustively survey the threats to the confidentiality, integrity, and availability of your electronic protected health information (ePHI), the likelihood that each threat is realized, and the impact if it is.
Every organization will have somewhat different risk assessment questions, but these sample questions from NIST Special Publication (SP) 800-66, which HHS highlights, can be adapted directly or used to suggest your own:
- What data that you hold is ePHI (considering all the information you send, store, receive, or produce)?
- In what situations is ePHI being handled by a third-party? Do service providers with which you have contracts send, store, receive, or produce ePHI?
- What are the greatest threats to the systems that handle your ePHI (whether caused by humans or the environment)?
2. Get independently audited.
Violations of federal healthcare privacy and security law (HIPAA) are expensive, and the cost extends well beyond fines to lawsuits, corrective training, and remediation. Since you want to prevent these incidents to the fullest extent under your control, it is a good idea to get an audit from a third party, as Aytekin Tank, CEO of San Francisco-based form-building company JotForm, recommends. Performing an internal audit first helps illuminate any areas that need work before the outside audit.
The audit should extend to technical, administrative, and physical safeguards. As an example of requirements, the physical audit should proceed as follows:
Verify that you restrict physical access to any facilities and systems storing health data while still allowing authorized access. Check your general facility access control policies and procedures, and make sure they cover ePHI as healthcare law requires. Confirm that the policies and procedures describe how you restrict physical access and prevent unauthorized access.
Consider the responsibilities of workforce members and management related to access control protocols; the processes to issue access authorization and to take away authorization; the specific steps used to monitor access; steps to manage and control physical access; and a list of all the locations where you are setting up physical access controls for health data.
Verify which members of your workforce have permissions to physically access ePHI systems, along with the areas and facilities where you have ePHI stored. Make certain that all locations of ePHI have lists of authorized workforce members; that management has approved these lists; that these lists are regularly assessed; and that individuals are taken off the lists when their need for access has expired.
Check your procedures that are used to authorize people to access ePHI locations. Ensure that all points of entry are properly verifying authorization and that the logs of physical access are assessed routinely. Look over ePHI physical access records related to facilities and areas of health data. Confirm that proper oversight is given to anyone who visits these locations.
3. Prioritize training.
Because security training is required under federal healthcare law, it is easy to forget that internal education is also a security best practice in its own right that helps you mitigate risk. After all, insiders were involved in 58% of healthcare breaches, per a study Verizon released in March 2018. Training is critical because your staff can perceive what is happening in real time, which makes them essential to your security posture; they must be properly informed, however, to be helpful. Digital forensic specialist Ricoh Danielson said to “[E]mpower them with information security education to let them know they have skin in the game.”
The HHS’s training recommendations note that the HIPAA requirements are intentionally flexible so that the spectrum of covered entity sizes and types can meet them. Because that’s the case, there is also necessarily variation in training programs. There are training resources provided by the HHS directly, but the most exhaustive list of resources and links is the “Health IT Privacy and Security Resources for Providers” from HealthIT.gov. One key tool available there is the Guide to Privacy and Security of Electronic Health Information. This PDF is intended to help describe the security and privacy concerns for smaller providers. Beyond training, it features a step-by-step process to build security management into your organization. The summaries of the HIPAA Privacy, Security, and Breach Notification Rules on the HHS site are also helpful since those rules are each so central to understanding HIPAA compliance.
While these materials are certainly thorough, they are not consolidated and can feel like a mess if you are trying to tie them together into your own training guide. Looking at more compact explanations of important elements to include in HIPAA training from organizations focused on the topic can help – as with this overview from TeachPrivacy.
4. Focus on access and identity management.
Focusing on better access and identity management was advised in cybersecurity strategies released by the nonprofit American Health Information Management Association (AHIMA). Among policies that fall under this umbrella, the group listed time-of-day rules; concurrent login restrictions; two-factor authentication; lockout following a preset number of failed login efforts; password standards; and training (as described above).
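As an added example (not from the article or from AHIMA), the following Python login-policy engine implements three of the controls listed above: lockout after a preset number of failed attempts within a sliding window, a time-of-day rule, and a cap on concurrent sessions. The thresholds, user names, and the event stream in `run_demo` are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    """Thresholds are assumptions chosen for illustration, not AHIMA's numbers."""
    max_failures: int = 5                            # failures before lockout
    failure_window: timedelta = timedelta(minutes=15)  # sliding window for counting failures
    lockout_duration: timedelta = timedelta(minutes=30)
    allowed_hours: Optional[tuple] = (6, 22)         # [start, end) local hour; None = any time
    max_concurrent_sessions: int = 2


@dataclass
class UserState:
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    locked_until: Optional[datetime] = None
    sessions: set = field(default_factory=set)       # active session ids


class LoginPolicy:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.users = defaultdict(UserState)

    def _prune_old_failures(self, state: UserState, now: datetime) -> None:
        cutoff = now - self.policy.failure_window
        while state.failures and state.failures[0] < cutoff:
            state.failures.popleft()

    def attempt(self, user: str, password_ok: bool, now: datetime, session_id: str):
        """Decide a login after the credential check. Returns (allowed, reason)."""
        p, s = self.policy, self.users[user]
        # 1. An active lockout refuses even a correct password.
        if s.locked_until is not None and now < s.locked_until:
            return False, "locked_out"
        # 2. Time-of-day rule, applied before the password result is revealed so the
        #    response does not tell an attacker whether the password was right.
        if p.allowed_hours is not None:
            start, end = p.allowed_hours
            if not (start <= now.hour < end):
                return False, "outside_allowed_hours"
        # 3. Failed-attempt lockout over a sliding window.
        self._prune_old_failures(s, now)
        if not password_ok:
            s.failures.append(now)
            if len(s.failures) >= p.max_failures:
                s.locked_until = now + p.lockout_duration
                s.failures.clear()
                return False, "locked_out"
            return False, "bad_password"
        # 4. Concurrent-session cap.
        if len(s.sessions) >= p.max_concurrent_sessions:
            return False, "too_many_sessions"
        s.failures.clear()               # success resets the failure counter
        s.sessions.add(session_id)
        return True, "ok"

    def logout(self, user: str, session_id: str) -> None:
        self.users[user].sessions.discard(session_id)


def run_demo():
    """Constructed event stream exercising each rule; returns the decision reasons."""
    engine = LoginPolicy(Policy(max_failures=3))
    t0 = datetime(2018, 5, 1, 9, 0)  # 09:00, inside the 06:00-22:00 window
    events = [
        ("alice", False, t0, "s1"),
        ("alice", False, t0 + timedelta(minutes=1), "s1"),
        ("alice", False, t0 + timedelta(minutes=2), "s1"),    # third failure -> lockout
        ("alice", True, t0 + timedelta(minutes=3), "s1"),     # right password, still locked
        ("alice", True, t0 + timedelta(minutes=40), "s1"),    # lockout has expired
        ("alice", True, t0 + timedelta(minutes=41), "s2"),
        ("alice", True, t0 + timedelta(minutes=42), "s3"),    # third concurrent session
        ("bob", True, datetime(2018, 5, 1, 23, 30), "s9"),    # outside allowed hours
    ]
    return [engine.attempt(*event)[1] for event in events]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

In a real deployment the per-user state lives in a shared store rather than in process memory, every refusal is logged with the reason so the audit trail described in section 2 exists, and the thresholds come from the written policy rather than code defaults.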
Password standards deserve particular attention, because the guidance the National Institute of Standards and Technology (NIST) published in 2017 (Special Publication 800-63B, Digital Identity Guidelines) departs from the password rules you have come to expect. No organization outside the federal government is required to follow NIST, but many security professionals base their policies on it, so it is highly influential and is accepted by HHS.
According to NIST, three changes are important for strong security:
- Check every new password against a blocklist of passwords that are commonly used, expected, or known to be compromised. This step systematically prohibits passwords such as 12345 and Password.
- Do not require routine password changes. NIST found that forced periodic replacement actually hurts security, because users respond with predictable variations of the old password; change a password when there is evidence it has been compromised, not on a schedule.
- Do not enforce composition rules that require at least one number, letter, and special character (or similar). Without those requirements you avoid passwords such as 12345A! (which is weak despite its “complexity”); instead, require a minimum length (NIST specifies at least 8 characters) and allow long passphrases of 64 characters or more.
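As an added example (not from the article or from NIST), here is a Python password-acceptance check that applies the three recommendations as SP 800-63B frames them: a minimum length instead of composition rules, Unicode (NFKC) normalization before comparison, and a blocklist of common, context-specific, and breached passwords. The blocklist contents and the breach-corpus sample are constructed for illustration. The breached-password lookup uses the k-anonymity hash-prefix scheme used by public breach-check services (only the first five hex characters of the SHA-1 hash would leave the host in a real query), here against a local stand-in range table.

```python
import hashlib
import unicodedata

# Constructed sample blocklist; a real deployment loads a large list of
# common and breached passwords (assumption).
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein", "welcome1"}

# Characters stripped from the ends so "Password1!" is still caught as "password".
_PADDING = "0123456789!@#$%^&*()_-+=.,?"


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anonymity_prefix(password: str):
    """Split the SHA-1 hash into the 5-char prefix that is sent and the suffix kept local."""
    digest = _sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the "range" responses a breach-check service returns:
# prefix -> set of hash suffixes of breached passwords sharing that prefix.
BREACHED_RANGES = {}
for _pw in ("Password1", "Summer2018"):       # constructed breach corpus
    _prefix, _suffix = k_anonymity_prefix(_pw)
    BREACHED_RANGES.setdefault(_prefix, set()).add(_suffix)


def is_breached(password: str, ranges=BREACHED_RANGES) -> bool:
    """True when the password's hash suffix appears in the range for its prefix."""
    prefix, suffix = k_anonymity_prefix(password)
    return suffix in ranges.get(prefix, set())


def check_password(candidate: str, username: str = "", service: str = "",
                   common=COMMON_PASSWORDS, ranges=BREACHED_RANGES,
                   min_length: int = 8, max_length: int = 64):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    # SP 800-63B: normalize (NFKC or NFKD) before length checks and comparisons.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(pw) > max_length:
        reasons.append(f"longer than {max_length} characters")
    lowered = pw.lower()
    stem = lowered.strip(_PADDING)
    if lowered in common or stem in common:
        reasons.append("on the common-password blocklist")
    # Context-specific words (user name, service name) are also blocklisted.
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains context-specific word '{ctx}'")
    if is_breached(pw, ranges):
        reasons.append("appears in a breach corpus")
    # Deliberately absent: no digit/symbol/uppercase requirement and no expiry,
    # both of which SP 800-63B drops.
    return reasons


if __name__ == "__main__":
    for sample in ("12345A!", "Password1", "jsmith2018", "correct horse battery staple"):
        verdict = check_password(sample, username="jsmith", service="clinic-portal")
        print(f"{sample!r}: {verdict or 'accepted'}")
```

Note that the long passphrase with no digits or symbols is accepted while `Password1` is rejected twice over, which is the behaviour the new guidance is after.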
5. Use a strong backup approach.
Backup is utterly key to your security. Without recent backups and a process that routinely backs up new information, you are an easy target. When you hold a backup in a secure location, you never need to recover stolen data or negotiate with ransomware attackers for a decryption key. Without it, you are in a difficult position when patient care depends on data whose only copy is controlled by attackers. Keep at least one copy offline or otherwise write-protected, since ransomware routinely encrypts every backup it can reach.
You are also obligated: the data backup plan standard in the HIPAA Security Rule requires any organization that handles ePHI to create and maintain retrievable exact copies of it. Backups should be encrypted in transit and at rest (encryption is an addressable specification under the Security Rule rather than a strict requirement, but it is the expected control for ePHI in practice, and lost ePHI that was properly encrypted generally does not trigger breach notification). You must further be able to recover the data stored in your backups, and at least one copy should be kept off-site so a disaster at your primary location cannot destroy both production data and backups, as the contingency-plan provisions of the HIPAA Security Rule contemplate.
Back up regularly, and choose the interval deliberately: if you back up daily and a problem occurs late in a day, reverting to the backup could lose most of that day's data. Develop policies and procedures that document your backup and recovery steps, and test recovery routinely so you know the data in the backup can actually be restored, and how long that takes. During a security event, the same safeguards must remain in effect as under normal conditions.
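The backup and recovery-testing steps above can be turned into a scripted restore drill. The following Python script is an added example, not from the article or from HHS: it backs up a directory into a gzip tarball with a side-car manifest of SHA-256 hashes, restores the archive to a scratch location, verifies every restored file against the manifest, and flags when the newest backup is older than a recovery point objective. The sample files, paths, and the 24-hour RPO are constructed for illustration, and encryption of the archive is left to your backup tool or storage layer; the manifest lets you prove the restored copy is exact either way.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(src_root: str, archive_path: str) -> dict:
    """Write a gzip tarball of src_root plus a side-car manifest; return the manifest."""
    manifest = build_manifest(src_root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_root, rel), arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump({"created": datetime.now(timezone.utc).isoformat(), "files": manifest}, f)
    return manifest


def restore_and_verify(archive_path: str, manifest: dict, restore_root: str) -> list:
    """Extract to restore_root and return every file that is missing, altered, or unexpected."""
    os.makedirs(restore_root, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_root, filter="data")   # refuse paths escaping restore_root
        except TypeError:                                  # Python without the filter argument
            tar.extractall(restore_root)
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(restore_root, rel)
        if not os.path.isfile(full):
            problems.append(("missing", rel))
        elif sha256_file(full) != digest:
            problems.append(("altered", rel))
    extra = set(build_manifest(restore_root)) - set(manifest)
    problems.extend(("unexpected", rel) for rel in sorted(extra))
    return problems


def rpo_exceeded(last_backup: datetime, now: datetime, rpo: timedelta = timedelta(hours=24)) -> bool:
    """True when the newest backup is older than the recovery point objective (assumed 24h)."""
    return now - last_backup > rpo


def run_drill():
    """Constructed drill: back up sample files, restore and verify, then show that a
    restore whose contents differ from the recorded manifest is flagged."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr")
        os.makedirs(os.path.join(src, "notes"))
        with open(os.path.join(src, "notes", "visit-0001.txt"), "w") as f:
            f.write("constructed sample record, not real PHI\n")
        with open(os.path.join(src, "index.db"), "wb") as f:
            f.write(b"\x00constructed index\x00")
        archive = os.path.join(work, "ehr-backup.tar.gz")
        manifest = create_backup(src, archive)
        clean = restore_and_verify(archive, manifest, os.path.join(work, "restore1"))
        # Simulate silent corruption of the source before a later backup, then check
        # that restore against the original manifest.
        with open(os.path.join(src, "index.db"), "ab") as f:
            f.write(b"\xff")
        archive2 = os.path.join(work, "ehr-backup-2.tar.gz")
        create_backup(src, archive2)
        corrupted = restore_and_verify(archive2, manifest, os.path.join(work, "restore2"))
        return clean, corrupted


if __name__ == "__main__":
    ok, bad = run_drill()
    print("clean restore problems:", ok)
    print("corrupted restore problems:", bad)
```

Run the drill on a schedule against the most recent real archive, and treat a non-empty problem list or an RPO breach as an incident to investigate, not a warning to dismiss.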
6. Leverage solid business associate agreements (BAAs).
The way the Department of Health and Human Services (HHS) discusses business associate relationships shows how integral those relationships are to your risk profile. For example, the “Guidance on HIPAA & Cloud Computing” document from HHS explains, “[W]hile a covered entity or business associate may use cloud-based services of any configuration… provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.” Whether you are contracting with a cloud provider or any other business associate, make certain that your BAAs address every risk revealed by your risk assessment, and require that both parties perform a routine reassessment.
The sample BAA from the HHS is very helpful in this process – providing a healthcare-compliant skeleton of the contract’s structure that you can modify to fit your situation.
Core elements of a BAA are as follows:
- State that the business associate must set up technical, administrative, and physical safeguards to protect the covered entity’s information.
- Describe how the BA will use and disclose PHI – both in terms of what is necessary and what is allowed.
- Note that the BA must not perform any use or disclosure that is not either within the contract or legally mandatory.
- Stipulate that the BA will notify the CE of any disclosure or use that occurs that is not permitted within the BAA (as in the case of breaches).
- State that the BA must supply the HHS with any documents related to its PHI disclosure and use so that the agency can verify the CE’s compliance.
- Describe whatever ways the BA is assuming responsibility for PHI and the HIPAA rules they must follow to meet those responsibilities.
- Note that the BA must ensure that any organizations with which it contracts that will handle health data will sign subcontractor business associate agreements that require them to adhere to the same terms and limitations as indicated within the original BAA.
- Require that the BA give the CE access to PHI on request so the CE can meet its obligations to give individuals copies of their records and let them correct errors.
- Allow for the CE to void the agreement if the BA fails to meet its parameters.
- State that the BA must return any PHI that it handled on behalf of the CE (or destroy it if requested) if and when the agreement ends.
7. Form truly secure HIPAA-compliant partnerships.
Strong business associate agreements typically rest on working with strong business associates. One sign that a potential BA has strong security controls in place is when it goes beyond asserting HIPAA compliance (there is no official HIPAA certification) to also hold a current audit report issued under the American Institute of Certified Public Accountants' Statements on Standards for Attestation Engagements No. 18 (SSAE 18, which replaced SSAE 16), such as a SOC 2 report. Significant experience is also critical. You will never have full transparency into an outside provider, but the transparency they do provide and their knowledge of healthcare rules are key. After all, you want your business associate relationships to be partnerships, not just agreements.
Maintaining healthcare security
Security is absolutely fundamental to the healthcare sector, especially since more than half of the organizations surveyed reported a breach in the past year (per the study in the introduction). While security is vital to this field, it does not have to be opaque. By following the steps above, exploring the materials available from HHS, and getting help from HIPAA-compliant BAs, you can have reasonable confidence that your ePHI is protected and that you have reduced your risk of a violation.