The 2018 version of a study conducted annually by Ponemon for Experian polled 624 executives and IT specialists who chiefly perform compliance, security, or privacy roles. Disturbingly, less than 1 in 5 of those surveyed – 19 percent – said their firm had a highly effective data breach response plan. Plus, more than half (56%) said their firm had suffered a breach during the prior year – a rise of 4% over the 2017 study. These figures may not be comforting, but certainly, improvements can be made at many organizations. Here are a few ways you can ensure that your cybersecurity is as strong as possible to minimize the chance that you experience a patient record breach:
1. Systematize risk management.
Security is fundamentally about mitigating risk. Risk management has always been part of business. The threats have changed, as have the defenses, but the basic approach remains the same – which is why a ten-year-old Gartner report, “A Risk Hierarchy for Enterprise and IT Risk Managers,” is still relevant. The report noted that managing risk should “begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align.” You will need to modify your risk framework to suit your situation. However, starting with a standard structure will strengthen governance, eliminate unnecessary redundancies, and bridge gaps.
Risk management is founded substantially on the implementation of routine risk analysis, the findings of which can inform your management approach. When you conduct a risk analysis, you exhaustively survey possible threats to your electronic protected health information (ePHI) availability, integrity, and confidentiality.
While every organization will have somewhat different risk assessment questions, these sample ones from NIST Special Publication (SP) 800-66 can be modified or give you a sense of possible ones, as noted by the HHS:
- What data do you hold? Is it ePHI (considering all the information you send, store, receive, or produce)?
- In what situations is ePHI being handled by a third party? Do service providers with which you have contracts send, store, receive, or produce ePHI?
- What are the greatest threats to the systems that handle your ePHI (whether caused by humans or the environment)?
2. Get independently audited.
Violations of federal healthcare law are costly, extending far beyond the fines to lawsuits, training, and other costs. Since you want to prevent these incidents to the fullest extent under your control, getting an audit from a third party is a good idea, as indicated by Aytekin Tank, CEO of a San Francisco-based form-building company, JotForm. Performing an audit yourself can help illuminate any areas that need work before the outside audit.
The audit should extend to technical, administrative, and physical safeguards. As an example of requirements, the physical audit should proceed as follows:
Verify that you restrict physical access to any facilities and systems storing health data while allowing authorized access. Check your general facility access control policies and procedures. Make sure that they work for ePHI per healthcare law. Confirm that the policies and procedures describe how you will restrict physical access and stop unauthorized access.
Consider the responsibilities of workforce members and management related to access control protocols, the processes to issue and remove access authorization, the specific steps used to monitor access, the steps to manage and control physical access, and a list of all the locations where you are setting up physical access controls for health data.
Verify which workforce members have permission to physically access ePHI systems, along with the areas and facilities where you have ePHI stored. Please ensure that all locations of ePHI have lists of authorized workforce members, that management has approved these lists, that these lists are regularly assessed, and that individuals are taken off the lists when their need for access has expired.
Check your procedures for authorizing people to access ePHI locations. Ensure that all entry points properly verify authorization and that the logs of physical access are assessed routinely. Look over ePHI physical access records related to facilities and areas of health data. Confirm that proper oversight is given to anyone who visits these locations.
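The physical-access steps above call for an authorized-access list that is pruned when the need expires and for routine assessment of access logs. As an added example (not code from the original article), here is a small review script that reconciles constructed badge-reader log lines against a hypothetical management-approved list with expiry dates and flags the entries an auditor would want explained. The badge ids, names, door label and the business-hours window are all assumptions.

```python
from datetime import datetime, time
from typing import Dict, List

# Constructed authorization list for one ePHI location. Each badge maps to the
# holder and the date their authorization expires (None = no expiry). In practice
# this is the management-approved list the audit step refers to. Hypothetical data.
AUTHORIZED: Dict[str, dict] = {
    "B-1001": {"name": "A. Nurse", "expires": datetime(2019, 12, 31).date()},
    "B-1002": {"name": "R. SysAdmin", "expires": None},
    "B-1003": {"name": "T. Contractor", "expires": datetime(2018, 6, 30).date()},
}

# Hours during which routine access is expected; outside this window an event is
# flagged for review even when the badge is authorized (assumed window).
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed badge-reader log: ISO timestamp, badge id, door, reader decision.
SAMPLE_LOG = """\
2018-09-10T08:15:02 B-1001 SRV-B-DOOR GRANTED
2018-09-10T09:40:11 B-1003 SRV-B-DOOR GRANTED
2018-09-10T12:05:45 B-9999 SRV-B-DOOR GRANTED
2018-09-10T23:12:09 B-1002 SRV-B-DOOR GRANTED
2018-09-11T08:02:30 B-1004 SRV-B-DOOR DENIED
"""


def parse_log(text: str) -> List[dict]:
    """Turn the space-separated reader log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def review_event(ev: dict) -> List[str]:
    """Return the findings for one event; an empty list means nothing to explain."""
    findings: List[str] = []
    if ev["result"] != "GRANTED":
        return findings  # a denied attempt is logged but is not an access finding
    entry = AUTHORIZED.get(ev["badge"])
    if entry is None:
        findings.append("badge not on authorized list")
    elif entry["expires"] is not None and ev["ts"].date() > entry["expires"]:
        findings.append(f"authorization expired {entry['expires']}")
    if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
        findings.append("access outside business hours")
    return findings


def review_log(text: str) -> List[dict]:
    """Review every event and keep only those with findings, in log order."""
    report = []
    for ev in parse_log(text):
        findings = review_event(ev)
        if findings:
            report.append({"ts": ev["ts"].isoformat(), "badge": ev["badge"],
                           "findings": findings})
    return report


if __name__ == "__main__":
    for item in review_log(SAMPLE_LOG):
        print(item["ts"], item["badge"], "; ".join(item["findings"]))
```

On the constructed log the script reports three events: the contractor badge whose authorization lapsed in June, a badge that is not on the list at all, and an authorized administrator entering late at night. The first two are exactly the list-hygiene failures the audit step is meant to catch; the third is the kind of entry that needs the visitor/after-hours oversight the text mentions.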
3. Prioritize training.
Because security training is required under the federal healthcare law, it can be easy to forget that internal education is a security best practice that will help you mitigate risk. After all, insiders are responsible for 58% of healthcare breaches, per Verizon’s study released in March. Training is critical because your staff can perceive what is occurring in real time, making them essential to your security posture. However, they must be properly informed to be helpful. Digital forensic specialist Ricoh Danielson said to “[e]mpower them with information security education to let them know they have skin in the game.”
The training recommendations note that the HIPAA requirements are intentionally flexible so that the spectrum of covered entity sizes and types can meet them. Because of that, there is also a need for variation in training programs. The HHS provides training resources directly, but the most exhaustive list of resources and links is the “Health IT Privacy and Security Resources for Providers” page from HealthIT.gov. One key tool available is the Guide to Privacy and Security of Electronic Health Information. This PDF is intended to help describe smaller providers’ security and privacy concerns. Beyond training, it features a step-by-step process to build security management into your organization. The summaries of the HIPAA Privacy, Security, and Breach Notification Rules on the HHS site are also helpful since those rules are central to understanding HIPAA compliance.
While these materials are undoubtedly thorough, they are not consolidated and can feel like a mess if you try to tie them together into your own training guide. Looking at more compact explanations of the important elements to include in HIPAA training from organizations focused on the topic can help – such as this overview from TeachPrivacy.
4. Focus on access and identity management.
The nonprofit American Health Information Management Association (AHIMA) advised focusing on better access and identity management in the cybersecurity strategies it has released. Among the policies that fall under this umbrella, the group listed time-of-day rules, concurrent login restrictions, two-factor authentication, lockout following a preset number of failed login efforts, password standards, and training (as described above).
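The lockout, concurrent-login and time-of-day controls in that list can be expressed as one policy check evaluated on every login attempt. The following is an added illustration, not AHIMA’s or the article’s code. The thresholds (five failures, a 30-minute lockout, two sessions, a 06:00 to 22:00 window), the account and the salt are hypothetical, and PBKDF2 stands in for whatever salted, slow password hash your identity system uses; the second factor is assumed to be checked separately.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional

# Policy thresholds: hypothetical values for the example, to be set from your
# own risk analysis rather than copied.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=30)
MAX_CONCURRENT_SESSIONS = 2
ALLOWED_HOURS = (time(6, 0), time(22, 0))   # time-of-day rule for this role


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 stands in for the slow, salted hash of a real identity system."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    sessions: List[str] = field(default_factory=list)


class LoginPolicy:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def attempt(self, username: str, password: str, session_id: str, now: datetime) -> str:
        """Evaluate one login attempt and return the decision. Every branch is an
        event worth writing to the audit log."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same wording as a wrong password so the reply does not reveal
            # which usernames exist.
            return "DENIED: bad credentials"
        if acct.locked_until is not None and now < acct.locked_until:
            return "DENIED: account locked"
        if not (ALLOWED_HOURS[0] <= now.time() <= ALLOWED_HOURS[1]):
            return "DENIED: outside allowed hours"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_DURATION
                return "DENIED: locked after repeated failures"
            return "DENIED: bad credentials"
        if len(acct.sessions) >= MAX_CONCURRENT_SESSIONS:
            return "DENIED: concurrent session limit"
        acct.failed_attempts = 0
        acct.locked_until = None
        acct.sessions.append(session_id)
        return "GRANTED"

    def logout(self, username: str, session_id: str) -> None:
        acct = self.accounts[username]
        if session_id in acct.sessions:
            acct.sessions.remove(session_id)


def run_scenario() -> List[str]:
    """Walk one constructed account through the policy; returns the decisions."""
    salt = b"constructed-salt"
    pw = "correct horse battery staple"
    policy = LoginPolicy({"dr.lee": Account("dr.lee", salt, hash_password(pw, salt))})
    t0 = datetime(2018, 9, 10, 9, 0)
    decisions = []
    for i in range(MAX_FAILED_ATTEMPTS):                      # five wrong guesses
        decisions.append(policy.attempt("dr.lee", "wrong", f"s{i}", t0 + timedelta(seconds=i)))
    decisions.append(policy.attempt("dr.lee", pw, "s5", t0 + timedelta(minutes=5)))   # still locked
    decisions.append(policy.attempt("dr.lee", pw, "s6", t0 + timedelta(minutes=35)))  # lock expired
    decisions.append(policy.attempt("dr.lee", pw, "s7", t0 + timedelta(minutes=36)))  # second session
    decisions.append(policy.attempt("dr.lee", pw, "s8", t0 + timedelta(minutes=37)))  # third: over limit
    policy.logout("dr.lee", "s6")
    decisions.append(policy.attempt("dr.lee", pw, "s9", t0 + timedelta(hours=14)))    # 23:00, after hours
    decisions.append(policy.attempt("nobody", "x", "s10", t0))                         # unknown user
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The order of the checks matters: the lock is tested before the password so a locked account does not keep consuming hash computations, and the time-of-day rule is applied before credentials so an after-hours attempt does not reveal whether the password was right.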
Password standards certainly deserve considerable attention, and they should go beyond the conventional notions of password security you may be used to, following the new password guidance released by the National Institute of Standards and Technology (NIST) in 2017. While no organization outside the federal government is required to follow NIST rules, many security pros use them to create policies, so they are incredibly influential and (of course) are accepted by the HHS.
According to the NIST rules, to achieve strong security, these three new recommendations are important:
- All new passwords must be checked against commonly hacked or overused ones. This step systematically prohibits passwords such as 12345 and Password.
- You no longer need to change your passwords routinely. This advice is critical because, as NIST analysis indicates, making these regular replacements hurts your security.
- You do not need to enforce password complexity via mandatory inclusion of at least one number, letter, and unique character (or similar). With those requirements gone, you will not end up with passwords such as 12345A! (which is, despite its “complexity,” a weak password).
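As an added example (not from the article or from NIST), the screening function below applies the three recommendations: a blocklist check against known weak or breached values, no composition rule, and, by omission, no calendar-driven expiry. It also rejects passwords built from context-specific words such as the username or organization name, which the same NIST guidance recommends. The blocklist is a constructed stand-in for a real breached-password list, the length limits follow NIST SP 800-63B, and the legacy complexity rule is included only to show how the article’s 12345A! example passes it while failing the blocklist check.

```python
import hashlib
from typing import List, Set

# Constructed blocklist standing in for a real breached/overused-password list
# (the real thing has millions of entries and is refreshed as breaches appear).
# Stored as SHA-256 digests of the lower-cased value so the service keeps no plaintext.
BLOCKLIST_SOURCE = ["12345", "password", "12345A!", "letmein", "qwerty", "welcome1"]
BLOCKLIST: Set[str] = {hashlib.sha256(p.lower().encode()).hexdigest() for p in BLOCKLIST_SOURCE}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # accept long passphrases rather than truncating them


def screen_password(candidate: str, username: str = "", org_name: str = "") -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    There is deliberately no 'one upper, one digit, one symbol' check: that is
    the composition rule the 2017 guidance dropped."""
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha256(candidate.lower().encode()).hexdigest() in BLOCKLIST:
        reasons.append("appears on the blocked/commonly breached list")
    lowered = candidate.lower()
    for word in (username + " " + org_name).split():
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(candidate)) <= 2:
        reasons.append("repetitive (two or fewer distinct characters)")
    return reasons


def meets_legacy_complexity(candidate: str) -> bool:
    """The old composition rule, kept only to show why it is a poor signal."""
    return (any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


if __name__ == "__main__":
    for pw in ["12345A!", "Password", "correct horse battery staple", "aaaaaaaa"]:
        print(f"{pw!r}: legacy rule={meets_legacy_complexity(pw)}, "
              f"screening={screen_password(pw) or 'accepted'}")
```

Note what the two functions say about the article’s example: 12345A! satisfies the legacy complexity rule yet is rejected twice by the screening function (too short and on the blocklist), while a long passphrase with no digits or symbols fails the legacy rule and is accepted. Forced rotation does not appear in the code at all; under the 2017 guidance a change is required only when there is evidence of compromise.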
5. Use a strong backup approach.
Backup is utterly key to your security. You can become an easy target if you do not have a recent backup and systems to back up new information routinely. When you have a backup in a secure location, you never need to recover and decrypt stolen data from ransomware attackers. If you do not have that data available, you can be in a difficult position when your patient care depends on access and attackers control the only copy.
You are also in a challenging position because any organization that handles ePHI must mandatorily back up copies of all the data that match it exactly. Data backup must be encrypted, both during transmission and at rest. You must also be able to recover the data stored in your backups. At least one backup must be remote, as the HIPAA Security Final Rule indicates.
Data backup should occur regularly. Consider that if you are backing up daily and have a problem that occurs late on a particular day, you could lose substantial data reverting to the backup. Policies and procedures outlining your data backup and recovery steps and protocols must be developed. Routine testing of recovery must occur so you know the data in the backup can be immediately restored as needed. When a security event occurs, all the same defenses must be maintained as under normal conditions.
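What “routine testing of recovery” can look like in practice, as an added illustration that is not the article’s own material: the script below takes a backup of a constructed sample directory, records a manifest of per-file SHA-256 digests, restores it into a scratch location and verifies every file, then re-runs the drill after deliberately corrupting one copy so the failure mode is visible. It also checks the age of the newest backup against the daily schedule discussed above, which catches a job that has silently stopped running. The schedule, the tolerance of two missed intervals and the sample records are assumptions; encryption of the copy in transit and at rest is assumed to be provided by the transport and storage layer and is not shown.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict

BACKUP_INTERVAL = timedelta(hours=24)   # the daily schedule discussed above (hypothetical value)
MAX_BACKUP_AGE = 2 * BACKUP_INTERVAL    # newest backup older than this means the schedule has failed


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, taken_at: datetime) -> Path:
    """Copy the source tree into backup_root/<timestamp>/data and write a manifest
    of per-file SHA-256 digests. Encryption in transit and at rest is assumed to be
    applied by the transport/storage layer (assumption; not shown)."""
    backup_dir = backup_root / taken_at.strftime("%Y%m%dT%H%M%SZ")
    data_dir = backup_dir / "data"
    shutil.copytree(source, data_dir)
    files = {p.relative_to(data_dir).as_posix(): sha256_file(p)
             for p in data_dir.rglob("*") if p.is_file()}
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_drill(backup_dir: Path, scratch: Path) -> Dict:
    """Restore into a scratch directory and verify every file against the manifest:
    the 'routine testing of recovery' step."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    restored = scratch / "restored"
    shutil.copytree(backup_dir / "data", restored)
    mismatched = [rel for rel, digest in manifest["files"].items()
                  if not (restored / rel).is_file() or sha256_file(restored / rel) != digest]
    return {"files_checked": len(manifest["files"]), "mismatched": sorted(mismatched),
            "ok": not mismatched}


def check_backup_age(backup_root: Path, now: datetime) -> Dict:
    """Flag a backup set whose newest copy is older than the policy allows."""
    stamps = [datetime.fromisoformat(json.loads(m.read_text())["taken_at"])
              for m in backup_root.glob("*/manifest.json")]
    if not stamps:
        return {"newest": None, "within_policy": False}
    newest = max(stamps)
    return {"newest": newest.isoformat(), "age_hours": (now - newest).total_seconds() / 3600,
            "within_policy": now - newest <= MAX_BACKUP_AGE}


def run_drill() -> Dict:
    """End-to-end demonstration on constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr_export"
        (source / "records").mkdir(parents=True)
        # Constructed sample records; no real patient data.
        (source / "records" / "patient_0001.json").write_text('{"mrn": "0001", "note": "constructed sample"}')
        (source / "records" / "patient_0002.json").write_text('{"mrn": "0002", "note": "constructed sample"}')
        taken = datetime(2018, 9, 10, 2, 0, tzinfo=timezone.utc)
        backup_dir = create_backup(source, root / "backups", taken)

        clean = restore_drill(backup_dir, root / "drill1")
        # Simulate silent corruption of one stored copy and run the drill again.
        (backup_dir / "data" / "records" / "patient_0002.json").write_text("corrupted")
        corrupted = restore_drill(backup_dir, root / "drill2")

        age_ok = check_backup_age(root / "backups", taken + timedelta(hours=20))
        age_stale = check_backup_age(root / "backups", taken + timedelta(days=3))
        return {"clean": clean, "corrupted": corrupted, "age_ok": age_ok, "age_stale": age_stale}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The manifest is what turns a copy into a verifiable backup: without recorded digests a restore can “succeed” while returning altered data, and a scheduled job that stopped running weeks ago looks identical to a healthy one until someone checks the age of the newest set.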
6. Leverage solid business associate agreements (BAAs).
How the Department of Health and Human Services (HHS) discusses relationships with business associates indicates how integrally those relationships are connected to your risk profile. For example, the “Guidance on HIPAA & Cloud Computing” document from the HHS explains, “[w]hile a covered entity or business associate may use cloud-based services of any configuration… provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.” Whether you are contracting with a cloud provider or any other business associate, make certain that your BAAs properly address all risks revealed by your risk assessment and require that a routine evaluation by both parties be included.
The sample BAA from the HHS is very helpful in this process – providing a healthcare-compliant skeleton of the contract’s structure that you can modify to fit your situation.
The core elements of a BAA are as follows:
- The business associate must set up technical, administrative, and physical safeguards to protect the covered entity’s information.
- Describe how the BA will use and disclose PHI – both in terms of what is necessary and allowed.
- Note that the BA must not perform any use or disclosure that is not within the contract or legally mandatory.
- Stipulate that the BA will notify the CE of any disclosure or use not permitted within the BAA (as in the case of breaches).
- The BA must supply the HHS with any documents related to its PHI disclosure and use so that the agency can verify the CE’s compliance.
- Describe how the BA assumes responsibility for PHI and the HIPAA rules they must follow to meet those responsibilities.
- Note that the BA must ensure that any organizations with contracts to handle health data sign subcontractor business associate agreements that require them to adhere to the same terms and limitations as indicated within the original BAA.
- Require that the BA provide PHI access to the CE when asked, to meet the rule of giving people copies of their records and correcting errors.
- Allow the CE to void the agreement if the BA fails to meet its parameters.
- State that the BA must return any PHI handled on behalf of the CE (or destroy it if requested) if and when the agreement ends.
7. Form truly secure HIPAA-compliant partnerships.
Strong business associate agreements are typically founded on working with strong business associates. One way to know that potential BAs you are considering have strong security controls is when they go beyond HIPAA compliance certification to hold a Statement on Standard for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit from the American Institute of Certified Public Accountants. Significant experience is also critical. While you will never have full transparency into an outside provider, the level of transparency they provide and the extent of knowledge they have for healthcare rules is key. After all, you want your business associate relationships to be partnerships, not just agreements.
Maintaining healthcare security
Security is absolutely fundamental to the healthcare sector, especially since more than half of covered entities experience breaches annually (per the study in the introduction). While security is vital to this field, it does not have to be obtuse. By following the above parameters, exploring the materials available from the HHS, and getting help from HIPAA-compliant BAs, you can have peace of mind that your ePHI is protected and that you have successfully mitigated your risk of a violation.