That was the title of an early January eblast to our subscribers where we talked about insider risk and audit controls. Then OCR sends out an email about a recent $5.5 million settlement with Memorial Healthcare Systems (MHS) about PHI being “impermissibly accessed” and “impermissibly disclosed” to doctors’ staff.
The email serves as an expensive yet imperative reminder of how important audit controls are to protecting PHI. MHS didn’t follow the HIPAA Security Rule’s proper access controls, didn’t address risks it had identified as part of risk analyses conducted from 2007 to 2012 and has paid the price. Unfortunately, those whose PHI was shared with far more people than necessary still lose, because the information can’t be unseen.
It begs the question: Why do so many people get access to ePHI who clearly don’t need that access? As we’ve talked about in a previous blog article, “Who has access to your healthcare data?” the insider risk is all too real.
It’s worth repeating that training won’t stop bad people from doing bad things. However, the privacy breach is often due to inadequate monitoring of health information access, especially when you’ve already noted that as a risk yet have done nothing about it. Someone with no malicious intent, yet with no reason to access ePHI, can wreak unintentional havoc.
6 Essentials for ePHI Access & Monitoring
- Train everyone. While it’s not a cure-all, the need for regular (at least semi-annual) privacy and security training cannot be overstated.
- Don’t hesitate to do a thorough screening of every employee who could potentially have access to or cause risk to ePHI.
- For those who will have access, be sure that their access is appropriate to their “need to know.” Maybe it’s time to get more stringent.
- Conduct regular, timely audits of PHI access logs. Many organizations audit but far too infrequently. Step it up to reduce breach risk.
- Review employee access to PHI on a regular basis to make sure someone who has left your organization no longer has access to your patients’ PHI.
- Review and possibly revise your current audit control protocols.
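As an added example (not part of the original post), a short Python cross-check of constructed PHI access-log lines against a constructed HR roster: it flags accesses by accounts that are not on the roster or whose owner has already left, and counts accesses per user for the log review the list calls for. The CSV layout and the user names are assumptions.

```python
"""Cross-check PHI access-log entries against an HR roster (constructed data)."""
from collections import Counter
from datetime import date

# Constructed roster: user -> termination date (None = still employed).
ROSTER = {
    "jsmith": None,
    "mlee": date(2017, 1, 15),   # left the organization in January
    "rpatel": None,
}

# Constructed access-log lines: timestamp,user,patient_id,action
ACCESS_LOG = """\
2017-01-10T08:02:11,jsmith,P1001,view
2017-01-12T14:30:05,mlee,P1002,view
2017-01-20T09:15:42,mlee,P1003,view
2017-01-21T11:05:09,tmp_admin,P1004,export
2017-01-21T11:06:30,jsmith,P1005,view
"""


def parse_log(text):
    """Parse CSV-style lines into dicts with a real date object."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append({"date": date.fromisoformat(ts[:10]), "user": user,
                     "patient": patient, "action": action})
    return rows


def find_suspect_access(rows, roster):
    """Return (reason, row) pairs for accesses that need follow-up."""
    findings = []
    for row in rows:
        if row["user"] not in roster:
            findings.append(("unknown account", row))
        elif roster[row["user"]] and row["date"] > roster[row["user"]]:
            findings.append(("access after termination", row))
    return findings


def access_counts(rows):
    """Per-user count of record accesses, for spotting outliers in review."""
    return Counter(row["user"] for row in rows)


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for reason, row in find_suspect_access(rows, ROSTER):
        print(f"{reason}: {row['user']} {row['patient']} on {row['date']}")
    print(access_counts(rows))
```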
What are your action steps? If you’re not sure, or if you want to see if your prevention measures are where they need to be, give us a call at 877-376-1981. We’ll discuss best next steps for your ePHI protection planning.
In the interim, we suggest you download the Common Sense Guide to Mitigating Insider Threats, 4th Edition, from US-CERT (U.S. Computer Emergency Readiness Team).
All indicators are that 2017 will continue to see healthcare data come under attack as its value on the black market holds. That means that healthcare organizations can expect to remain prime targets for malicious cyberattacks.
It doesn’t help that many healthcare organizations struggle with challenges that include outdated information systems and cybersecurity gaps, as well as the fact that medical device manufacturers haven’t traditionally focused on device security. While healthcare organizations are diligently working to close gaps on their side in both cyber and workforce, the OCIA (Office of Cyber and Infrastructure Analysis) has released a product that may help.
Healthcare & Public Health Sector Cyber Dependencies
This fairly extensive product addresses everything from the sector background to cyber incidents affecting medical devices to the path forward. It’s the culmination of a collaborative effort with the Department of Homeland Security (DHS), National Protection & Programs Directorate, National Cybersecurity & Communications Integration Center, DHS Office of Intelligence & Analysis, and the HHS’s Office of the Assistant Secretary for Preparedness & Response.
You can download the 13-page PDF here.
Apgar and Associates helps you with questions and concerns about your privacy and security compliance program, including updates and training, at 877-376-1981.
The Internet of Things (IoT) is leaving gaps that malicious software can exploit, bringing down extensive systems. The increasing frequency and severity of the attacks has healthcare systems and their supporting technology vendors on pins and needles.
Healthcare organizations may lose the ability to access systems that are critical to patient care, in addition to everyday use of patient portals being affected. Because of dubious security in the IoT, everything from EHRs to drug infusion pumps could be taken out.
Organizations should perform scans of their networks for vulnerable IoT devices, continuously scan for compromised devices, apply security patches promptly to address known vulnerabilities and change all default passwords on every IoT device. Default passwords are easily guessed or can be found online. – HIPAA Journal
US-CERT is once again the go-to reference for advice, with tips including*:
- Scan for vulnerable IoT devices and perform risk remediation.
- Increase password strength and check for username vulnerability.
- Update and stay on top of anti-virus and anti-malware software and software patches.
- Get tough on the firewalls and allowed traffic.
- Segment networks for better isolation and access control.
- Monitor port 48101 for suspicious traffic, and TCP ports 2323 and 23 for IoT control attempts.
- Double down on security awareness, with renewed emphasis on data exchanged over WiFi and on remotely operated devices.
- Consider stronger email practices, including how email addresses are distributed.
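As an added example, not from the post or from US-CERT, a small Python pass over constructed flow records that raises an alert for each connection to the ports listed above (23/TCP, 2323/TCP, 48101) and flags sources that touch several hosts on those ports, which is what a telnet-credential sweep against IoT devices looks like in flow data. The CSV layout and the addresses are assumptions.

```python
"""Flag flow records hitting the US-CERT IoT watch ports (constructed data)."""
from collections import defaultdict

# Destination ports called out in the tips above, with the reason to alert on them.
WATCH_PORTS = {
    23: "telnet IoT control attempt",
    2323: "alternate telnet IoT control attempt",
    48101: "suspicious port 48101 traffic",
}

# Constructed sample flows: timestamp,src_ip,dst_ip,dst_port,proto
FLOWS = """\
2017-01-05T02:14:01,10.0.5.23,10.0.9.40,443,tcp
2017-01-05T02:14:03,10.0.5.23,10.0.9.41,23,tcp
2017-01-05T02:14:03,10.0.5.23,10.0.9.42,23,tcp
2017-01-05T02:14:04,10.0.5.23,10.0.9.43,2323,tcp
2017-01-05T02:15:10,10.0.7.8,10.0.9.50,48101,tcp
2017-01-05T02:16:00,10.0.7.9,10.0.9.51,80,tcp
"""


def parse_flows(text):
    """Turn CSV lines into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split(",")
            flows.append((ts, src, dst, int(dport), proto))
    return flows


def flag_flows(flows, watch=WATCH_PORTS):
    """One alert dict per flow whose destination port is on the watch list."""
    return [{"ts": ts, "src": src, "dst": dst, "port": dport, "reason": watch[dport]}
            for ts, src, dst, dport, proto in flows
            if proto == "tcp" and dport in watch]


def sweep_sources(alerts, min_hosts=2):
    """Sources that hit at least min_hosts distinct hosts on watched ports."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    alerts = flag_flows(parse_flows(FLOWS))
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} {a['reason']}")
    print("likely sweep sources:", sweep_sources(alerts))
```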
*We summarized the above US-CERT tips, but you can see the specifics, as well as information about the OCR warning, here in the December 12th HIPAA Journal.
Apgar and Associates helps you on your compliance journey, including conducting a security risk analysis and creating risk mitigation and risk management plans. We’re now scheduling security risk analyses into Q2 2017. Contact us for more information at 877-376-1981.
Every organization that collects and shares consumer (personal) health information needs a HIPAA Authorization to be able to share the information with necessary parties. From spouses to health care providers, the HIPAA Authorization lets consumers control who has access to their PHI.
The FTC Act takes this a step further, or deeper. Your HIPAA-compliant authorization must not in any way inadvertently mislead the consumer as to how the PHI is used.
How to Clean Up Your Authorization Interface
- Be transparent; be clear. If not only the physician, but also a pharma company or other party will see it, say so up front, in big friendly letters.
- Limit scrolling. Your authorization may look completely different on a mobile device. Say exactly how their health information may be used or shared at the beginning, not buried six swipes or a lengthy scroll later.
- Give the whole story without contradictions. Let them know if a post – or message – will be viewed by others.
- Using paper? Keep important disclosures on the front page. A stack of pages with a different statement about health information use on each is confusing – and may be misleading.
- What does your electronic – or paper – authorization say? Is it effective and compliant?
If you’re interested in the details, you can read the FTC compliance tips here.
Apgar and Associates helps you on your compliance journey, including conducting a security risk analysis and creating risk mitigation and risk management plans. Contact us for more information, or with questions and concerns about your program at 877-376-1981. Apgar and Associates is also the home of the compliance consulting subscription program for qualifying organizations.
Source: "Sharing Consumer Health Information? Look to HIPAA and the FTC Act" from FTC.gov.