HIPAA, HIPAA, HIPAA
I had a conversation with Mike Semel at www.semelconsulting.com a few days ago that was pretty interesting.
He was called by a Business Associate who received notice from the OCR (Office for Civil Rights) that one of the Business Associate’s Covered Entity clients was being selected for a HIPAA audit.
Because OCR often audits Business Associates when they audit a Covered Entity (you do remember that ALL Business Associates MUST be compliant at the same level as the Covered Entity), this should not have been a surprise to the BA.
However, the notice to the Business Associate started off something like this:
Since you have failed to respond to our email request for information, we are now changing your audit to an onsite audit.
The Business Associate somehow missed the emails from the Office for Civil Rights. OCR interpreted the silence as ignoring them and decided to do a full-blown onsite audit of the Business Associate.
During the audit, the OCR Investigator required proof of a Security Incident Form, a Breach Notification Letter, and evidence of Training of staff in Breach Notification. Even though there had been no breach…
The takeaway is that you need to be prepared to do your part when there is a Security Incident, you need to have your notification Forms ready to go in the mail, you need to have trained staff, and you need to have procedures in place to accurately identify a breach, then be prepared to show the results to the OCR.
Deven McGraw, Office for Civil Rights
Deven McGraw serves as the deputy director for health information privacy at the HHS Office for Civil Rights (OCR) and is the acting chief privacy officer for the Office of the National Coordinator for Health Information Technology.
At a recent Allscripts conference, McGraw made the following observations that we should pay attention to:
“A lot of times we hear about organizations that go overboard with BA agreements with everyone that interacts with them,” she said. “But, more often than not, what we see is the failure to get business associate agreements with entities that clearly are business associates.”
The janitor, the electrician and the plumber are NOT Business Associates. They have casual contact in your business and are not required to be HIPAA compliant. If they have signed a Business Associate Agreement with you because you asked, then neither of you understands the rules.
“You can be in violation of HIPAA rules if you are sitting on your notification, waiting for those 60 days,” she said. “It’s not great to have to let people know of a breach, but it is without unreasonable delay.”
If you have a breach, then own it. Make your notifications to your Patients ASAP and to OCR when required. Her statement indicates that it must be done without “unreasonable delay”; the 60 days is an outer limit, not a waiting period.
“(If) We did not find anything, we write a little note, it goes up on the web site, and you are good to go,” McGraw said. “Maybe you need to improve upon a couple of things, and that becomes the closer letter. And then there are the cases of systemic non-compliance. And so far to date we have had 49 settlement agreements that included detailed correction action plans and monetary settlement amounts.”
“Systemic non-compliance”. That means you have been thumbing your nose at HIPAA and have made no documented measurable steps to achieve compliance. You have now joined the bad boys/bad girls club and OCR is going to get your attention by making you take out your wallet. You do not want to go there.
Get Out Of Jail Free
The September 2013 Omnibus Rule changes to HIPAA compliance set forth a standard worth noting. Patients do not have to prove harm any longer if you have a breach. YOU have to prove that your breach did not disclose any ePHI (electronic Protected Health Information).
If you lose a laptop, or it is stolen by a Patient, or you left the laptop on the back seat of your car and a thief stole it, YOU now have a huge problem.
First off, your HIPAA Policies and Procedures should state that no one is to leave a laptop unattended, which means it should never get lost.
In the second case, the laptop should have not been left unattended in areas where a Patient has access. If you must use a laptop/portable device in those areas, you should lock them to the furniture. This should be a written Policy and Procedure.
In the third case, leaving it in the car while you were browsing in T.J. Maxx should also be a violation of your company’s written HIPAA Policies.
There is a way to avoid all this.
That way is called Full Disk Encryption (FDE). Full Disk Encryption does just that: it encrypts all of the data on the hard disk so that none of it can be read without the password (or recovery key). Under the Omnibus 2013 changes, a device that is lost or stolen with Full Disk Encryption enabled is NOT a reportable Breach, because the ePHI on it is considered secured.
This is your “Get Out of Jail Free” card.
Full Disk Encryption costs about $150 per machine for a 3-year license. Cheap insurance, if you ask me.
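Remember from above that after Omnibus the burden of proof is on you: the "Get Out of Jail Free" card only works if you can show OCR that the device was fully encrypted at the time it went missing. The following PowerShell script is an added example (not from this newsletter or any vendor) that records the BitLocker status of every volume on a Windows machine and appends a dated snapshot to a CSV, so that evidence exists before the laptop walks off. It assumes the built-in BitLocker module (Windows 8 / Server 2012 and later), administrator rights, and a hypothetical evidence path of your choosing.

```powershell
# Added example: record BitLocker full disk encryption status as audit evidence.
# Assumes the BitLocker PowerShell module and administrator rights.
# $EvidencePath is a hypothetical location; point it at your documentation share.
$EvidencePath = "C:\HIPAA\Evidence\fde-status.csv"

function Get-FdeEvidence {
    $now = Get-Date -Format o
    foreach ($bl in Get-BitLockerVolume) {
        # Safe harbor only helps if the volume is fully encrypted AND protection
        # is on. A suspended BitLocker volume (ProtectionStatus Off) is readable
        # without a key, so it does not count as secured ePHI.
        $compliant = ($bl.VolumeStatus -eq 'FullyEncrypted' -and
                      $bl.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Timestamp            = $now
            ComputerName         = $env:COMPUTERNAME
            MountPoint           = $bl.MountPoint
            VolumeType           = $bl.VolumeType
            VolumeStatus         = $bl.VolumeStatus
            ProtectionStatus     = $bl.ProtectionStatus
            EncryptionMethod     = $bl.EncryptionMethod
            EncryptionPercentage = $bl.EncryptionPercentage
            KeyProtectors        = ($bl.KeyProtector.KeyProtectorType -join ';')
            Compliant            = $compliant
        }
    }
}

$records = Get-FdeEvidence

# Append rather than overwrite so each run adds a dated snapshot to the trail.
New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
$records | Export-Csv -Path $EvidencePath -NoTypeInformation -Append

# Flag any volume that would NOT qualify as secured if this device were lost.
$gaps = $records | Where-Object { -not $_.Compliant }
if ($gaps) {
    Write-Warning "Unprotected volumes found; losing this device would be a reportable breach:"
    $gaps | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage -AutoSize
    exit 1
}
Write-Output "All volumes fully encrypted with protection on. Evidence appended to $EvidencePath"
```

Run it from a scheduled task on every laptop that touches ePHI and keep the CSV with your Policies and Procedures; a printout of the last good snapshot is exactly what an investigator will ask for.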
By way of example:
On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.
OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”
HIPAA Hot Water
A San Antonio, TX OB-GYN practice, The Institute for Women’s Health (IFWH), is in hot water with OCR as the result of keylogging malware that was installed on their computer network.
The keylogging software was discovered on July 6th, 2017, but was found to have been installed on June 5th, 2017. So, for a little over a month, criminals were able to scrape patient data, such as names, dates of birth, Social Security numbers, addresses, medical procedures and scheduling notes, along with credit card and payment information.
Based on this statement from IFWH
“After the incident, IFWH implemented additional safeguards to improve data security on its web server infrastructure and reduce the risk of exploitation.”
it appears that they had an Internet facing web server on their network that got compromised. For educational purposes, you NEVER want to run an Internet facing web server on your local network. Web servers belong at web server companies where the security is much better and where a compromise is less likely to allow access to your Patient network.
Cloud Hosting Vendor TekLinks Reports Breach
Alabama Surgical Dermatology Group was notified recently by their Cloud Provider that a hacker had access to their cloud based servers from March 23, 2017 until about May 1, 2017.
Alabama Surgical Dermatology’s investigation team has secured the server, and officials said policies have been revised to improve security for the organization.
All patients were notified and offered a year of free credit monitoring and identity theft protection services. Officials said the organizations also reported the breach to appropriate authorities, including the FBI.
The number of breached records was not included in the notification, and the data is not yet included on the U.S. Department of Health and Human Services’ Office of Civil Rights breach reporting tool.
Ransomware 2.0 Next Version
The general line of thinking is that all of the ransomware that we have seen so far is scattershot: just throw it against the wall and see what sticks. By that, I mean that the ransomware actors we have seen are sending mass phishing emails and hoping that one of your employees clicks on their link without thinking, opening your door to them.
Ransomware hackers are counting on some percentage of folks paying the ransom (it is called ransomware for a reason). But, after so much of it and with so much competition among the hackers, the end users are no longer trusting that paying the ransom will get their files back. This is taking the profit out of ransomware and it removes the incentive of the hackers to hack. This is why our government does not pay ransom demands. It only encourages the behavior.
So, with a dwindling market, the hackers have to come up with a new strategy to keep their money flowing. That strategy is going to be “selective ransomware”. The crooks are going to start targeting specific companies and/or individuals in those companies. This will require that they research the targets better, which may include your staff members. They may try to determine what computers and systems you have installed. And, they may also try to determine how much ransom you are willing to pay.
It is critical that your computer infrastructure is composed of the right equipment, running the right security software, and patched as soon as patches and bug fixes are released. It means good, self-updating endpoint protection software. It means staff training on recognizing phishing emails. Just as good handwashing in a medical environment can reduce contamination, good computer and network hygiene can drastically reduce the ability of a hacker to gain a foothold in your organization.
Network Security Is Not Optional
Healthcare Practice Managers and Physician Owners should stop thinking about network security as a cost and begin thinking about it as a fundamental cornerstone of their business.
Face it – you are in healthcare and the Office for Civil Rights requires that you protect your Patient’s data, whether you like it or not.
The day you plugged your Practice into the Internet, you opened Pandora’s proverbial box. There are bad people on the other side of that data cable and it is up to guys like us to help you keep them in their place.
No IT Vendor is 100% successful in doing that, because new tricks, new threats and new software emerge hourly. But if you layer security throughout your network, you can rest assured that you have put up a lot of roadblocks to the potential threats. Coupling that security layering with repeated staff training will get you a long way towards safety.
According to Beazley, a cyber insurance firm, in healthcare specifically, unintended disclosure – such as misdirected faxes and emails or the improper release of discharge papers – continued to drive the majority of healthcare losses, leading to 42 percent of industry breaches during the first half of 2017.
Hacks and malware accounted for 18 percent of healthcare data breaches in the first half of 2017, compared with 17 percent during the first half of 2016.
ePHI is everywhere. Protect it!