Chris Apgar, CISSP, CCISO
Audit log monitoring is probably one of the most unsexy, uninteresting activities a healthcare organization or business associate has to do. But neglect it at the risk of your solid bottom line and reputation. Last time we talked about how you can get into legal (and costly) hot water with badly aligned policies and procedures or by having a weak security incident response plan. Audit log monitoring is another hot potato.
Say a patient thinks someone on staff is poking around their medical record, reports it, but you don’t have anything that documents you pre-emptively monitor for nosiness as part of protecting patient privacy. Even worse, say you do have a policy and procedure for audit log monitoring, but again, can’t prove you’re doing it. A prime target for a lawsuit.
I’ve been an expert witness in far too many lawsuits where healthcare organizations or their business associates couldn’t prove they keep watch on audit logs. And while being able to demonstrate monitoring may not prevent the lawsuit from being filed, it can go a long way toward helping you prevail (i.e., not cost you a fortune in money and reputation).
You simply can’t wait until an incident occurs to examine audit logs.
The HIPAA Security Rule requires regular information system activity review (45 CFR 164.308(a)(1)(ii)(D)): if you create audit logs, then you need to look at them. Didn’t do it regularly? Under the penalty tiers the 2013 HIPAA Omnibus Rule put into effect, that looks like willful neglect. What patient’s attorney won’t use that to their advantage?
If it gets to that point, expect them to point to laws that penalize physical or emotional harm to the patient, claim gross negligence, and so forth. They will, and it won’t look good for you. All because of the lack of audit log monitoring.
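As an added example (not part of the original post, and not any EHR vendor’s code or export format), here is the kind of proactive review the paragraphs above are asking for: a few “nosiness” rules run over constructed sample audit log lines, followed by a dated review record that documents the review actually took place. The log columns, the care-team roster, the business-hours window and the volume threshold are all assumptions for illustration; map them to your own EHR’s audit export and scheduling data.

```python
"""Proactive EHR audit-log review: flag record access with no documented care
relationship, possible family/self lookups, after-hours access and unusual
volume, then produce a review record so the review itself is provable.
All data below is constructed for illustration; no real EHR format is assumed."""
import csv
import hashlib
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit log (CSV). Real EHR exports differ; map their columns here.
SAMPLE_LOG = """timestamp,user,user_last,patient_id,patient_last,action
2020-06-01T08:02:11Z,jdoe,Doe,P1001,Smith,VIEW
2020-06-01T08:05:40Z,jdoe,Doe,P1002,Doe,VIEW
2020-06-01T08:10:02Z,mlee,Lee,P1001,Smith,VIEW
2020-06-01T09:15:00Z,mlee,Lee,P1003,Jones,VIEW
2020-06-01T09:16:00Z,kpatel,Patel,P1004,Garcia,VIEW
2020-06-01T22:45:00Z,jdoe,Doe,P1005,Nguyen,VIEW
"""

# Constructed care-team roster: which users have a treatment relationship with each
# patient. Assumption: the EHR or scheduling system can export this; it is the
# baseline against which "no business need to look" is judged.
CARE_TEAM = {
    "P1001": {"jdoe", "mlee"},
    "P1002": {"kpatel"},
    "P1003": {"kpatel"},
    "P1004": {"kpatel"},
    "P1005": {"mlee"},
}

BUSINESS_HOURS = range(6, 20)  # 06:00-19:59; tune per unit (EDs run around the clock)


def parse_log(text):
    """Parse CSV audit lines into dicts, adding a real datetime for the timestamp."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def flag_access(events, care_team, hours=BUSINESS_HOURS, max_patients_per_user=25):
    """Return one finding per event that trips at least one rule, in log order."""
    per_user = defaultdict(set)  # distinct patients touched by each user in this log
    for e in events:
        per_user[e["user"]].add(e["patient_id"])
    findings = []
    for e in events:
        reasons = []
        if e["user"] not in care_team.get(e["patient_id"], set()):
            reasons.append("no documented care relationship")
        if e["user_last"].lower() == e["patient_last"].lower():
            reasons.append("same last name as patient")  # possible family-member lookup
        if e["ts"].hour not in hours:
            reasons.append("after-hours access")
        if len(per_user[e["user"]]) > max_patients_per_user:
            reasons.append("unusual volume: %d distinct patients" % len(per_user[e["user"]]))
        if reasons:
            findings.append({"user": e["user"], "patient_id": e["patient_id"],
                             "timestamp": e["timestamp"], "reasons": reasons})
    return findings


def log_sha256(text):
    """Digest of the exact log text reviewed, so the record ties to that evidence."""
    return hashlib.sha256(text.encode()).hexdigest()


def review_record(log_text, findings, reviewer, reviewed_at):
    """Evidence that the review happened: who, when, which log (by hash), what was found.
    Store it where the reviewer cannot silently edit it (ticketing system, WORM storage)."""
    return {
        "reviewer": reviewer,
        "reviewed_at": reviewed_at,
        "log_sha256": log_sha256(log_text),
        "events_reviewed": len(parse_log(log_text)),
        "finding_count": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    found = flag_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    for f in found:
        print(f["timestamp"], f["user"], f["patient_id"], "; ".join(f["reasons"]))
    rec = review_record(SAMPLE_LOG, found, "privacy.officer", "2020-06-02T09:00:00Z")
    print("review record:", rec["finding_count"], "findings; log", rec["log_sha256"][:12])
```

Each flagged event still needs a human to close it out (a legitimate consult, a break-the-glass event, a misconfigured roster), and the closed review record, not the raw log, is what you hand over when someone asks whether you monitor.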
We recognize that you may think the strictures around data privacy and security in the time of a pandemic are a bit more forgiving. The reality is, you’re still expected to toe the line when it comes to protecting PHI, access control, and monitoring. Yes, there’s more telework. That means being more cautious, not less. More check-ins, not fewer. (Try these tips to address virtual workplace risk.)
Just because COVID-19 makes it harder to hold court in person doesn’t mean that the legal system has taken a vacation in the healthcare data privacy and security arena. And neither can anyone responsible for protecting patient information.
Do you have a process to check that the process(es) are getting done? If not, or if you’d like to review what you have in place, give us a call [503-384-2538].
For healthcare organizations and the businesses that support them, regulation and legislation too often turn into lawsuits and settlements. What’s happening to get you into trouble in the first place? How can you avoid the serious costs they bring – to the bottom line and to reputation? Here’s what Julia and I often see from a “from the trenches” perspective.
Policies & Procedures Misalignment
In other words, either you didn’t do what you said you were going to do, or you have serious gaps in what should be written down and followed. Here’s the thing about policies and procedures: they have to be accurate, yes, but they also should say what you will do, not just what you can do.
Do you say you’re going to test and check your firewall every 30 days? Better have that proof ready to show that you did it. Do you state that your mobile device use includes information security standards for mobile device hardening to protect PHI? Prove the steps you take – encryption, remote wipe capabilities, device tracking, etc.
If healthcare organizations or business associates don’t or can’t produce proof, and there’s a PHI breach, any legal action will include turning over privacy and security policies. You want to be able to do that with confidence.
Here are our Policy and Procedure Quick Tips, in a short video format. Feel free to share.
Breach Incident, No Security Incident Response Plan (IRP)
Naturally, if you do experience a PHI breach or any type of breach incident, you want to be able to take action. The thing that stinks is that even a not-so-bad breach can bring the wolf to the door, lawsuit-wise. At one point, if there was no proof of harm (e.g., identity theft), then there was a chance the courts may show leniency. That happens far less often these days. Especially when you can’t demonstrate that your security Incident Response Plan is reliable (or if you don’t have one in place).
Think about what the courts will want to see – or better yet, what a security risk analysis would reveal about your security IRP. Can you show that everyone knows what they’re doing and how they need to respond to a breach? If you’re not sure, talk to us about your organization’s security Incident Response Plan – we have a short motion graphic on that here.
Obviously, there’s no way to 100% guarantee you’ll never have a breach. What you can guarantee is that you have the right safeguards in place, that there’s a provably in-practice set of policies and procedures, and that when the breach did happen you had a super-viable security IRP to make things right as quickly as possible.
It’s time to circle back to the topic of remote access. Earlier I provided you a checklist to send to your remote working employees to assess workspace and workstation security. With new portable devices and web apps that support working from home, including transmitting large amounts of data with minimum resources, I feel it’s important to share additional information that can help you protect your organization and your data.
Keep in mind, there’s nothing in HIPAA that prohibits remote access.
On the other hand, organizations are still required to implement appropriate safeguards to protect the privacy and security of protected health information (PHI).
In the past, I’d see articles saying that limiting the transport of documentation offsite also limited what could be easily copied. That hasn’t been true for some time. Technology that permits easy transporting or transmitting data offsite didn’t just pop up now, during the COVID era. We have a greater attack surface – more opportunities for misrouted data and breaches. Everyone needs to implement safeguards to protect the healthcare-related data that’s generated.
So, what does HIPAA say?
It really doesn’t matter if the PHI is stored on a workstation, in a cloud app or on portable media. Covered entities and business associates need to make sure they pay attention to the security safeguards implemented to protect PHI wherever it is. This is not just a technology issue. It still goes back to the fact that people are the weakest link when it comes to security. You can have the best technology in the world but if an employee or an organization’s vendor doesn’t adhere to good security hygiene, you end up with breaches and potential network damage. All it takes is one person to click on a malicious link.
Poor security practices at home could lead to inappropriate access by family members and friends, device and portable media theft, etc. No, you can’t eliminate all of the risks, but if employees pay attention and stick to the security controls you’ve developed, the risk is significantly reduced.
Implement as many technical safeguards as you can that don’t rely on people.
Those safeguards include personal firewalls, spam filters, anti-malware, and blocking access to webmail on company-owned devices used remotely.
6 Safeguard Actions to Consider
- Set up a company-controlled virtual private network (VPN) that is the only path into your organization’s network and applications
- Implement two-factor authentication that must be used in conjunction with the employee’s password, such as an authenticator app or hardware token; a code texted to the employee’s phone is the weakest common option (SMS can be intercepted or redirected by SIM swapping) but is still far better than a password alone
- Automate anti-malware updates and scans
- Force full-disk encryption on company devices, and verify it is enabled before a newly connecting device is allowed onto your company network
- Block the use of mass storage devices such as USB drives
- Automate patching on company-owned workstations and force patching through reboots if employees don’t reboot their workstations to apply new patches
Remember the administrative, too!
Implement strong administrative safeguards for remote access, such as policies that employees are required to read, training (especially around phishing), and, if you permit BYOD, a signed mobile device use agreement.
Whether your security access solution is technical, administrative, or physical, make sure you’re auditing. That means monitoring firewalls, using intrusion detection systems, and monitoring access to your EHR and other web-based apps that store PHI.
COVID-19’s effect on remote work expansion has changed everything. It’s critical that healthcare organizations develop safeguards to protect remote access to data, plus the assets, like workstations, that your employees rely on to be able to work remotely. Your attention to what happens outside your organization has become incredibly important.
Chris Apgar, CISSP, CCISO, is CEO and president of Apgar & Associates, LLC. He is a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law, and electronic health information exchange. Contact him at 503-384-2538 for help with your information security program.
Remember that brief moment when we thought the COVID-19 business impact was lifting? It was a nice thought, but we were wrong. We’re firmly in the midst of the pandemic with alleviation an ever-moving target. What does this mean for businesses, especially covered entities (CE) and business associates (BA)? Telework and telehealth present security risks, but also are necessary for continuing business operations. Let’s look at the associated risks and how to manage them.
Because telework and telehealth create their own security environment and therefore their own risks, ensuring that anyone working remotely follows good security hygiene needs to be a high priority.
7 Steps to Address Virtual Workspace Risk
- Ask those working remotely to use a checklist (you can start with the essentials in this one), complete, and return it. Using a simple mechanism like this is also a good way to assess risk, while also educating remote employees about proper remote office security.
- Send out regular security reminders focused on remote work risks, like “beware of phishing.”
- Make sure waiting rooms are enabled for the videoconferencing platform used for meetings and telehealth.
- Check that remote workers are not using their fixed personal meeting ID or PIN when scheduling meetings and telehealth appointments. A secure meeting ID or PIN should be randomly generated for each meeting.
- Ensure that recorded telehealth appointments are stored locally (or on CE and BA servers) and that the recordings are encrypted.
- Include the risks associated with telework and telehealth when conducting your periodic risk analysis.
- Ask your critical vendors what they are doing to secure your data. And it’s not a bad idea to get their assurance in writing.
When it comes to security, you can’t be too careful. Now is a great time to assess organizational security, including the remote locations where your organizational workforce is doing business. Taking the time to implement these fairly simple steps will protect your organization, your employees, and your patients.
Extensive remote working situations are exposing more risks than many companies previously realized. Not the least being how to be sure your policies and procedures cover this situation properly. Whether you’re updating current policies and procedures or need new telework ones, give us a call at 503-384-2538 to get things moving.
As things ease up, and slowly people return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CE) and business associates (BA) went through when everyone who was non-essential was required to go to remote work, but there are some similarities.
Back to HIPAA as Usual
After the national emergency ends, so does OCR’s enforcement discretion.
Reassess telehealth vendors. That means if you made an in-the-moment decision to move forward with a non-HIPAA-compliant video conferencing vendor for telehealth, you need to reassess. Either stop using that platform for telehealth or find a vendor that will sign a business associate agreement (BAA). If you continue to use a non-HIPAA-compliant vendor and there’s a breach, it’s all on you.
Stop sharing (BAs). When enforcement tightens up again, BAs won’t be permitted to disclose PHI to public health and health oversight agencies. Only CEs will be permitted to disclose PHI to these agencies.
Teach employees how to set strong wireless passwords. One of the steps CEs and BAs may not have thought to take when remote work and telehealth suddenly became the norm was to require that employees strengthen their home wireless network passwords. Take that step now if you want to continue with some remote work and telehealth, or if providers conduct telehealth from home.
CEs and BAs may need to provide some training on the how-to of creating a strong wireless password. Note that a home router has two passwords that matter: the Wi-Fi passphrase (WPA2 or WPA3) that devices use to join the network, and the administrator password for the router itself. Both should be changed from the defaults. Not all employees will know how to check either one. Remember, the internet service provider that supplied the router often sets these passwords, and employees don’t reset them when setting up their home router. Default passwords printed on the device or derived from its model are easy to find or crack. If employees know that the provider set their passwords, they can reach out to the provider for instructions on how to change the router’s passwords to meet your strength requirements.
Clean, Patch and Update Remote Work Devices
Check device security settings and hard drives. As employees return from remote work and bring company laptops and tablets back to the office or clinical setting, check these mobile devices to ensure all security settings are where they should be. Also, the lack of timely patches on the devices may leave you open to cybercrime. For example, employees may have turned off device encryption, not updated anti-malware frequently enough or, if employees’ devices are not locked down, there may be non-approved applications installed.
With employees working from home, a number have pulled double duty – work remotely, make sure the children are taken care of, and keep them up on their classwork. That means a good likelihood that company-owned mobile devices were used for something other than work. Again, check hard drives. Children are quick to tap and install; ensure they didn’t install an application not approved for use on the device.
Clear off sensitive personal data. The above are also good reasons to remind remote-work employees to delete any sensitive personal data stored on those devices. Now that mobile devices are returning to use at the office, and in clinical settings, there’s a chance that personal data may be exposed during routine scanning, patching, and repairing the company-owned mobile devices.
Put PHI in Lockdown. Some CEs and BAs locked down company devices used remotely in such a way that the user couldn’t print, make screenshots, or plug in USB drives. A number likely have not. If employees were able to print at home, remind employees not to print PHI there, and if they have, to properly shred the paper. It’s a good time to lock those devices down so you make sure no one can print PHI at home or plug in a personal USB drive that may not be encrypted and may have malware present on the drive.
Hold Remote Work Training – Phishing, Telework
Run a Mock Phishing Exercise. If you haven’t run a mock phishing exercise recently or at all, now is the time. During the COVID-19 outbreak, cybercriminals have been actively spreading malware, setting up phishing campaigns, and so forth. Mock phishing exercises do a couple of things: (1) they educate employees, or at least the ones who clicked a bad link, and (2) they help you assess risk: how many employees clicked on bad links. All it takes is one to jeopardize your organization, your network, and your PHI.
Review and vet your telework policy and telework agreement. Many CEs and BAs scrambled when remote work became the norm. A telework policy may not have even existed, much less an agreement, because no one thought it would be needed. Take some time now to figure out what worked and what didn’t, what’s enforceable, and what’s not. After thinking that through, adopt or update your telework policy and your telework agreement. And after that, be sure to (1) educate your workforce on the updated telework program and (2) make sure you can enforce it.
It Happened Once – It can Happen Again
Review your business continuity plan (BCP). If you didn’t have a solid BCP before the pandemic, you were likely scrambling when all non-essential workers were required to work from home. Now that you’re slowly getting back to normal, dust off that plan. Check if it worked or if you need to make changes because of what went wrong. After any major disaster or disruption, like a pandemic, you need to take a moment to examine your plans and update them to reflect the fact that it may reappear in the future. Start now to put the lessons learned to work and place your organization back on solid ground.
When all is said and done, great job! Everyone did what was necessary to continue the important work of healthcare, plan, or no plan. You know what else it’s a good time to do? Thank all of those who kept the ball rolling, taking care of patients, and supporting patient care. Again, great job!
The healthcare industry is reporting that video hijacking, or teleconference hijacking, is on the rise as telehealth appointments replace typical in-person ones during the COVID-19 crisis. The FBI has received multiple reports of conferences being disrupted by pornographic images, hate images and threatening language. Yet another reason that, even though OCR has indicated it will not enforce prohibitions on the use of non-HIPAA-compliant video conferencing platforms like FaceTime and Skype, covered entities and business associates still need to exercise due diligence to avoid breaches of electronic protected health information (ePHI).
[Read our article on PHI during COVID-19]
Although the press release from the FBI mentions Boston and the New England area, the threat is nationwide. The FBI recommends applying due diligence and caution to cybersecurity efforts. They also provide smart steps that can be taken to mitigate teleconference hijacking threats, per below.
5 Steps to Help Reduce Video Hijacking Risks
- Do not make meetings or telehealth appointments public. If you are using Zoom, there are two options to make a meeting private: require a password or use the waiting room feature and control the admittance of patients or clients.
- Do not share a link to a teleconference or telehealth appointment on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen-sharing options. In Zoom, change screen-sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Look at this situation as an ideal opportunity to educate your workforce – or remind them – about the how-tos of solid privacy and security practices that can protect your organization, patients, or clients. The greatest risk is not associated with the technology. The risk lies with the people. That’s where solid, and ongoing, education comes in.
There’s another thing to look at while you’re distributing security reminders about how to stay cyber safe. Double-check that your telehealth and telework policies are clear, concise, up-to-date and communicated. We’ve run across a few clients who have a telework policy in place but it’s not been clearly communicated to staff. In some cases, the telework policy includes requirements that aren’t being enforced. To avoid this recipe for an ePHI breach disaster, update your telework policy and get it out to your workforce ASAP.
Extensive remote working situations are exposing more risks than many companies previously realized. Not the least being how to be sure your policies and procedures cover this situation properly. Are you not quite sure where to start with updates? We can help. Whether you’re updating current policies and procedures, or you’ve never finished the “work from home” ones. Give us a call at 503-384-2538 to get things moving.
On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that effective immediately, it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. The notification can be found here.
Why is this further “enforcement discretion” a new thing? Because the HIPAA Privacy Rule already permits covered entities to disclose PHI for public health purposes, including as it relates to communicable diseases. It doesn’t permit business associates to do the same on their own initiative unless their business associate agreement specifically authorizes it. During the COVID-19 pandemic, however, BAs may now disclose PHI in good faith to public health officials or health oversight agencies without fear of being penalized, provided the BA informs the covered entity within 10 calendar days of the disclosure.
What types of Business Associates can disclose PHI?
AKA, Does the OCR “enforcement discretion” apply to you?
Business partner Julia Huddleston and I had to think a bit about what types of business associates would be in a position to disclose PHI under this new relaxing of the rules. We identified several who may be able to make these disclosures:
- Telehealth vendors
- Population health vendors
- Group health plan third party administrators (among others)
That said, business associates will still need to pay attention to disclosures! Enforcement relaxation is not intended to give BAs broad permission to disclose PHI. This disclosure is only to be associated with treating those impacted by COVID-19, reporting where cases are appearing and so forth. Even then, if it is possible, the PHI should be de-identified. At the very least such disclosures need to be kept to the minimum necessary.
During the pandemic, covered entities and business associates have more latitude when it comes to the use and disclosure of PHI. Keep in mind that this is a temporary situation. After the national emergency is lifted, enforcement will resume. This means that business associates will no longer have the latitude to disclose PHI to public health officials and health oversight agencies. The current action is similar to the relaxing of enforcement related to the use of platforms like FaceTime for telehealth. For more information about OCR’s COVID-19 resources click here.
Are your policies & procedures up to the risks of a suddenly extended remote workforce? Now is a great time to double-check how relevant yours are for security standards, device use and more. Please call or email if you need help – and stay safe!
Novel Coronavirus, aka COVID-19, is on track to stretch our healthcare system to the breaking point, and our healthcare providers along with it. Effective March 15, 2020, OCR published a Limited Waiver of HIPAA Sanctions and Penalties that, during this National Emergency, could give care providers one less source of anxiety as they work to save lives.
What the Limited Waiver means to hospitals, emergency rooms & you
Although HIPAA remains in force, the very nature of responding to care demands places a huge strain on healthcare providers. Extraordinary circumstances call for extraordinary measures.
To help reduce the concern of potential financial penalties, the HHS Secretary has (as per the issued publication) “exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule”:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
- the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
- the requirement to distribute a notice of privacy practices (45 CFR 164.520)
- the patient’s right to request privacy restrictions (45 CFR 164.522(a))
- the patient’s right to request confidential communications (45 CFR 164.522(b))
Don’t forget the defining word is “limited.” The waiver applies only in the emergency area and period identified in the public health emergency declaration, only to hospitals that have instituted their disaster protocol, and only for up to 72 hours from the time the hospital implements that protocol. It also lasts only until the President of the United States or the HHS Secretary terminates the national emergency status; from that point on, the HIPAA Privacy Rule and associated potential penalties are reinstated for every patient still in the hospital’s care, even if the 72 hours have not elapsed. Also remember that, national emergency or no, disclosures of personal information are allowed to disaster relief organizations, like the American Red Cross, so they can notify loved ones of a patient’s location. And keep in mind that the waiver applies only to hospitals, including their emergency rooms. Other covered entities, like doctors and health plans, still must comply with all Privacy Rule requirements.
- On COVID-19, please visit: https://www.coronavirus.gov or https://www.cdc.gov/coronavirus/2019-ncov/index.html
- Regarding HIPAA and COVID-19, view the HHS Office for Civil Rights’ (OCR) March 16, 2020, Bulletin on the HIPAA Waiver here: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
- View the Waiver or Modification of Requirements under Section 1135 of the Social Security Act as the result of the consequences of the 2019 Novel Coronavirus at: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx
- For how the HIPAA Privacy Rule applies in an emergency, visit the OCR’s HIPAA Emergency Preparedness, Planning, and Response page, or use the HIPAA Disclosures for Emergency Preparedness Decision Tool.
Contact Apgar & Associates for consulting expertise in privacy, information security, HIPAA, HITECH and regulatory compliance. We also guide you through the what and the how of preparation for HITRUST, SOC2 and ISO certifications.
As we cope with the COVID-19 pandemic, it’s important to take a few extra measures to protect your organization, your patients and clients, and your data. Teleworking, where more and more individuals are working remotely, is widely accepted to prevent further spread of the virus. Now is a good time to address the risks that come with working remotely, especially if workstations are not owned by your organization.
Minimum Employee Needs for Secure Remote Work
As you prepare yourself and your teams for expanded teleworking here’s a checklist of what you need to do to reduce the risks associated with mobile device use that may be outside of what you would normally permit. If employees will be using their own devices and working remotely, at a minimum they need the following:
- A home router that is either cabled to the work device or, for Wi-Fi, secured with WPA2 (or WPA3)
- A strong home router password
- A strong device password
- Up to date antimalware and firewall
- Up to date patching on the device used
- If connecting to your network, a secure connection to the network (e.g., VPN, TLS, HTTPS)
If employees are using a company laptop, you need to require the use of a secure connection with a strong password. It would also be a good idea to make sure if company workstations will be used that all of the above are addressed. Patching is important to prevent vulnerabilities from being exploited by cybercriminals.
One last caution: Phishing. Now more than ever employees need to be reminded to beware of phishing activity. There are a number of known phishing attacks associated with COVID-19. Social engineering can result in a breach, ransomware attacks and other damage to your infrastructure and data. It’s a good idea to point employees to the CDC and other reputable sources so they know what sites are safe to visit. That way they can remain up to speed on what’s happening with the pandemic, with less risk.
As Sgt. Esterhaus said in every episode of Hill Street Blues, “Let’s be careful out there!”
When you’re making on-the-fly revisions and updates to your policies and procedures during this critical time, you want to help them stick. A tip: make sure they state what you will do, not just what you can do. “If you say it, do it. If you do it, write it down.” Call on Apgar & Associates at 503-384-2538 for help with privacy and information security fundamentals as well as strategic planning.
It’s one of those questions that never goes away. The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after ransomware attacks, the encryption safe harbor still applies when it comes to breaches. If your PHI was already encrypted (per HHS guidance) before the ransomware attack encrypted it again (aka “held for ransom”), you may very well not have suffered a breach. Which means that there may be no need to conduct a four-factor risk assessment.
If only it could be so simple. However, per OCR’s weigh-in, you do need to ascertain that the data attacked was encrypted at the time. If it was encrypted, it’s a security incident, but not a data breach. I’ll dig into that shortly. Far too often I see posts and blogs that adamantly declare, “If a ransomware attack occurs, it must be a breach.” Not so fast. It’s not so black and white.
OCR has stated that it’s a fact-based determination as to whether or not a breach occurred. If a breach, then you do need to notify OCR, individuals and potentially, the media. If you run into a consultant (and sometimes counsel) who states that all ransomware attacks absolutely equal a breach, get a second opinion.
Data Encryption & the Burden of Proof
Here’s the flip side – when encrypted PHI may become unsecure, representing a breach due to a ransomware attack. Keep in mind that when you’ve powered up and logged in to your laptop or other mobile device, data may be unencrypted at the time because you’re accessing the data. When ransomware hits and those files are unencrypted at the time of the attack, you may have a breach of unsecured PHI on your hands.
But if you do use full-disk encryption and your laptop was powered off (so the disk was still encrypted at rest), or if no files were decrypted for use at the time of the attack, the PHI was not compromised. No breach occurred.
Also, if the ransomware attack hits your backup media, encrypted at the time of the attack, there is a high likelihood that no PHI breach occurred. Triple-check to be sure and be able to prove it if OCR comes to call. The burden of proof lies with you.
The burden of proof is greater under other circumstances, such as when a ransomware attack occurs and the PHI was not encrypted. At that point, you absolutely need to conduct a four-factor risk assessment. It bears mentioning, though, that if you have top-talent forensic analysts who can demonstrate a low probability that the PHI was compromised (for example, that nothing was exfiltrated), you still may not be required to notify OCR or individuals.
Clearly, it’s not a simple black and white, yes or no answer to the breach question. Be careful. Preserve all evidence. Look closely at the circumstances to make sure no breach occurred that requires notification. But if a consultant or counsel, going on the basis of a blog post, says that you absolutely must notify because ransomware attacks always equal a breach, don’t take my word for it. Just ask OCR.
Compliance Planning includes the “what to do” in the case of a security incident and data breach. Chris Apgar, CISSP and Julia Huddleston, CIPP, CIPM, work with clients nationwide on HIPAA privacy and security compliance, and address the need for assistance with expanded use of electronic health information exchange. They also prep clients for the rigorous process of HITRUST, SOC2 and ISO certifications.