The key to Redspin’s rapid rise as the leader in HIPAA compliance for healthcare providers has been our unyielding focus on IT security.
Last week’s news that OCR had reached a $4.8 million settlement agreement with New York-Presbyterian hospital and Columbia University Medical Center relating to HIPAA compliance violations further affirms our position. What started as an investigation of a 6,800-record ePHI breach became a multi-million dollar black eye for those providers.
At the source of the breach was an improperly deactivated server that remained live on the network. ePHI contained on the server became accessible to Internet search engines. OCR cited the two organizations for failing to conduct “an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.” That means an IT security assessment that is broad and deep enough to find such a rogue server containing ePHI. That’s exactly what Redspin does – in fact, a forgotten server still holding ePHI is a fairly common finding.
No doubt IT security is complicated, made even more so by the dynamic nature of technology and the ever-challenging threat landscape. There is no silver bullet. It may be best to think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk. If we could prescribe a treatment plan, it would look like this:
1. Conduct an Annual HIPAA Risk Analysis
This is your annual exam. Periodic risk analysis is a requirement of the HIPAA Security Rule anyway, so you might as well plan it in advance and budget for it. When you consider all of the changes that take place year-over-year, such as new system deployments, IT infrastructure enhancements, organizational restructuring, and employee turnover, it is certain that new vulnerabilities have arisen at the same time. At Redspin, we like to say that while security assessments have a shelf life, they also have an expiration date.
As we highlighted above, don’t be fooled into thinking that a HIPAA risk analysis need not be technical. It is not possible to assess security risk without identifying real vulnerabilities and developing a remediation plan to address them. That’s like a physical exam without blood work!
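The rogue-server finding described above is, at bottom, an inventory reconciliation problem: the risk analysis has to compare what the organization believes is on the network with what actually answers on it. The script below is an added example, not Redspin's code or tooling, showing that check on constructed data. The inventory, IP addresses, hostnames and open ports are all hypothetical; in practice the inventory would come from a CMDB export and the discovered hosts from a network scan of every range that can carry ePHI.

```python
"""Reconcile an authorized asset inventory against hosts observed live on the network.

Added example with constructed data. A host the inventory marks as decommissioned
but that still answers on the network is exactly the kind of system that ends up
exposing ePHI; an unknown host is a gap in the inventory itself.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    status: str              # "active" or "decommissioned"
    stores_ephi: bool
    decommissioned_on: Optional[date] = None


# Constructed inventory (hypothetical hosts).
INVENTORY: List[Asset] = [
    Asset("10.0.1.10", "ehr-db-01", "active", True),
    Asset("10.0.1.11", "ehr-app-01", "active", True),
    Asset("10.0.1.50", "legacy-share-02", "decommissioned", True, date(2013, 11, 1)),
    Asset("10.0.1.60", "print-srv-01", "active", False),
]

# Constructed discovery output: ip -> open TCP ports, as a network scan would report.
DISCOVERED: Dict[str, List[int]] = {
    "10.0.1.10": [1433],
    "10.0.1.11": [443],
    "10.0.1.50": [80, 445],   # "decommissioned" host still live, serving HTTP and SMB
    "10.0.1.77": [80],        # not in the inventory at all
}


def reconcile(inventory: List[Asset], discovered: Dict[str, List[int]]) -> List[dict]:
    """Return findings: live hosts that are unknown or supposedly retired, plus
    active assets the scan never saw (a scope problem worth verifying)."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for ip, ports in sorted(discovered.items()):
        asset = by_ip.get(ip)
        if asset is None:
            findings.append({"ip": ip, "severity": "high", "ports": ports,
                             "issue": "host not in inventory"})
        elif asset.status == "decommissioned":
            # ePHI on a retired-but-live box is the worst case; anything web-facing
            # (port 80/443) on it is a candidate for search-engine indexing.
            severity = "critical" if asset.stores_ephi else "medium"
            findings.append({"ip": ip, "severity": severity, "ports": ports,
                             "issue": f"decommissioned host {asset.hostname} still live"})
    for a in inventory:
        if a.status == "active" and a.ip not in discovered:
            findings.append({"ip": a.ip, "severity": "low", "ports": [],
                             "issue": f"active asset {a.hostname} not observed; verify scan scope"})
    return findings


def ephi_exposures(findings: List[dict]) -> List[str]:
    """IPs of critical findings, the ones to escalate first."""
    return [f["ip"] for f in findings if f["severity"] == "critical"]


if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"{f['severity']:>8}  {f['ip']:<12} {f['issue']} (ports {f['ports']})")
```

The low-severity "not observed" bucket matters as much as the others: a risk analysis that scans only the ranges it already knows about cannot find the server nobody remembered, so an active asset missing from discovery usually means the scan scope is too narrow.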
2. Inoculate Yourself By Encrypting Data-At-Rest
Insist on encryption of data on all portable devices. For 4 consecutive years, we have listed encrypting laptops and other portable devices as our top recommendation in our annual PHI breach report. From 2009 to present, the loss or theft of unencrypted portable devices has made up over a third of all large breach incidents and impacted over 50% of all health records put at risk.
We recognize that there are still significant hurdles – clumsy technology, budgetary constraints, and user-training needs. Users resist it, but, extending the analogy, people resist needles too. As painful as it may be, it won’t compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney’s fees, an OCR investigation/civil penalty, potential class action lawsuits, and negative publicity can easily run into millions of dollars.
3. More Frequent Vulnerability Assessments and Penetration Testing
The threat from malicious outsiders – hackers – has the potential to wreak havoc on the healthcare industry. While there have not been widespread occurrences, there can be no room for complacency. Just consider that the 12th largest breach of all time was the 2012 hacking incident at the Utah Department of Health (780,000 patient records). In our opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high-value targets for cybercriminals, as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. In addition, many healthcare providers process and store credit card information.
To combat this threat, we recommend continuous vulnerability scanning and remediation. Implement a monthly or quarterly schedule so that you can compare results and see what you’ve fixed, what you haven’t, and what new vulnerabilities may have arisen. If you don’t have the resources to do this yourself, Redspin can put you on an auto-scheduled service to do it for you. Also consider penetration testing – both internal and external. This type of security testing more closely mimics the paths of malicious attackers and can often expose inter-related weaknesses that would be beyond the scope of typical vulnerability assessments.
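The value of a fixed scanning schedule comes from the comparison between runs, and that comparison is easy to automate. The script below is an added example, not Redspin's service or any scanner's output format, that diffs two scan exports into fixed, persisting and new findings and summarizes them by severity. The two exports are constructed, the hosts and plugin IDs are hypothetical, and the flat JSON shape is an assumption; a real scanner's export would need a small adapter to produce the same records.

```python
"""Diff two periodic vulnerability scan exports: what was fixed, what persists, what is new.

Added example with constructed data. A finding is identified by (host, port, plugin_id)
so that the same issue reported on two hosts, or on two ports of one host, is tracked
separately, which is how remediation is actually assigned.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Q1 export (hypothetical hosts and plugin IDs).
SCAN_Q1 = json.loads("""[
  {"host": "10.0.1.10", "port": 1433, "plugin_id": 10001, "name": "Database server version unsupported", "severity": "high"},
  {"host": "10.0.1.11", "port": 443,  "plugin_id": 10002, "name": "TLS 1.0 enabled", "severity": "medium"},
  {"host": "10.0.1.50", "port": 445,  "plugin_id": 10003, "name": "SMB signing not required", "severity": "medium"}
]""")

# Constructed Q2 export: the database finding is gone, TLS and SMB persist, one new critical.
SCAN_Q2 = json.loads("""[
  {"host": "10.0.1.11", "port": 443,  "plugin_id": 10002, "name": "TLS 1.0 enabled", "severity": "medium"},
  {"host": "10.0.1.50", "port": 445,  "plugin_id": 10003, "name": "SMB signing not required", "severity": "medium"},
  {"host": "10.0.1.11", "port": 443,  "plugin_id": 10004, "name": "Outdated web framework", "severity": "critical"}
]""")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def finding_key(f: dict) -> Tuple[str, int, int]:
    return (f["host"], f["port"], f["plugin_id"])


def diff_scans(previous: List[dict], current: List[dict]) -> Dict[str, List[dict]]:
    """Bucket findings into fixed (only in previous), new (only in current) and
    persisting (in both). Each bucket is sorted worst severity first."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    buckets = {
        "fixed": [prev[k] for k in prev.keys() - curr.keys()],
        "new": [curr[k] for k in curr.keys() - prev.keys()],
        "persisting": [curr[k] for k in prev.keys() & curr.keys()],
    }
    for name in buckets:
        buckets[name].sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), finding_key(f)))
    return buckets


def severity_summary(buckets: Dict[str, List[dict]]) -> Dict[str, Dict[str, int]]:
    """Counts per bucket per severity, e.g. {'new': {'critical': 1}, ...}."""
    summary: Dict[str, Dict[str, int]] = {name: defaultdict(int) for name in buckets}
    for name, findings in buckets.items():
        for f in findings:
            summary[name][f["severity"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def overdue(buckets: Dict[str, List[dict]], min_severity: str = "high") -> List[dict]:
    """Persisting findings at or above min_severity: issues that survived a full
    scan cycle without remediation and should be escalated."""
    limit = SEVERITY_ORDER[min_severity]
    return [f for f in buckets["persisting"] if SEVERITY_ORDER.get(f["severity"], 9) <= limit]


if __name__ == "__main__":
    result = diff_scans(SCAN_Q1, SCAN_Q2)
    for name, findings in result.items():
        print(f"== {name} ({len(findings)})")
        for f in findings:
            print(f"  [{f['severity']}] {f['host']}:{f['port']} {f['name']}")
    print("summary:", severity_summary(result))
    print("overdue:", [f["name"] for f in overdue(result)])
```

Keeping each run's export and diffing consecutive pairs is what turns a scan from a snapshot into a trend; the "persisting" bucket, filtered to high and critical, is the list to take into the next remediation meeting.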
4. Invest in the Security Awareness of Your Workforce
The lack of security awareness among your employees is your overall biggest risk and the hardest to remediate. But every dollar spent on educating your employees on IT security is an investment in your organization’s future success. The task goes well beyond PowerPoint presentations. You need to engage all of your employees in building a culture of security through frequent and engaging security awareness training, internal training, daily reminders, and visual workplace cues.
Situational training is a must – run social engineering tests (phishing, pretext phone calls). Reward success. Track what people do in specific situations (good and bad) and integrate that information back into the training. Implement hotlines, wall posters, screen-saver reminders, and monthly tips. Redspin, among other firms, can help build and customize an effective program for you.
5. Engage With Your Business Associates
The responsibility for PHI security now officially extends outside the organization. The Omnibus Rule legally extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors. That said, healthcare providers still retain their obligation to ensure that their business associates are safeguarding PHI effectively.