https://apgarandassoc.com
Privacy, information security, HIPAA, HITECH and regulatory compliance
Feed last updated: Wed, 14 Nov 2018 22:04:30 +0000

Policy Controls: Why The Whole World Wants You to Write Policies
https://apgarandassoc.com/policy-controls-why-the-whole-world-wants-you-to-write-policies/
Tue, 13 Nov 2018 20:37:13 +0000

As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial and rigorous, and there wasn’t an infomercial to be found!

Policy controls and their importance are the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the foundation on which anyone assessing the company’s system builds. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they mean privacy policies (i.e., controls), and those very likely pertain to both privacy and security.

Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.

Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.

One of the speakers at a session I attended focused on policy writing, European style and United States style. The German IT attorney who spoke about European-style policy writing made the following statements (and yes, I’m paraphrasing):

  • Data Protection Authorities (DPAs) are likely to read policies
  • DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.

From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.

The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are reasonable for:

  • the organization’s size,
  • the complexity of what it does, and
  • the sensitivity of the information with which it deals.

ISO 27001 is not prescriptive. ISO says that you build an Information Security Management System (ISMS) to ensure information privacy. Organizations develop their ISMS based on:

  • risk assessment,
  • risk treatment plans, and
  • the Statement of Applicability.

SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.

Privacy & Policy Controls Success Tip: Walk the Talk

With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.

You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review. They may also call for an organizational chart showing that the people doing the reviewing really are management.

You get to design and implement the policy controls that your organization will follow.  Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!

For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.  

*More information about the 2018 Privacy & Security Forum can be found here

Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule
https://apgarandassoc.com/privacy-security-forum-update-ocr-activity-audit-protocols-ransomware-the-hipaa-security-rule/
Mon, 29 Oct 2018 17:57:04 +0000

Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago. One of the sessions I attended was focused on what’s happening at OCR these days. The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP. I heard about new OCR activity, got an answer to my question about the future use of the OCR audit protocols, and picked up some key OCR takeaways. I have the pleasure of passing the Forum’s highlights on to you.

Use of the OCR audit protocols.

The big news to me was the answer to one of my questions about the OCR audit protocols. For over a year, we’ve been saying that OCR is likely to use the audit protocols updated for the phase 2 audits in its investigations and enforcement activity. I took the opportunity to ask the top authority at OCR about future use of the protocols. Mr. Severino confirmed it: that’s just what OCR intends to do, and it may already be doing so.

Other OCR activity includes:

  • Updating HIPAA/FERPA guidance (jointly with the US Department of Education)
  • Issuing a notice of proposed rulemaking (NPRM) / request for information (RFI) on the HITECH Act accounting of disclosures language (the last NPRM was not well received by the industry or privacy advocates)
  • Evaluating ways OCR can distribute funds received as part of enforcement related civil monetary penalties and settlement agreements to victims of breaches of their PHI

That’s a fair amount of activity.  The only caveat is we don’t know how soon “soon” is.

FBI and FTC weigh in on ransomware attacks.

I also attended a session that featured speakers from the FBI and the FTC. Like Mr. Severino, the FBI speaker said the first step covered entities and business associates should take if they’re attacked by ransomware is to contact the FBI. The FBI has agents in place to investigate ransomware and help covered entities and business associates get their data back without paying a ransom. This is something to keep in mind when you’re updating your security incident response plans, especially given that local law enforcement may not have the resources to assist with an investigation.

Is the HIPAA Security Rule being updated?

There has been much talk over the past few years about the need to update the HIPAA Security Rule. The Director indicated that he thinks there is nothing fundamentally broken with the Security Rule, so it’s unlikely the rule will be amended any time soon. The Security Rule is technology neutral and flexible. It hasn’t become obsolete due to changes in technology, and there has been a lot of change since the rule was published in 2005.

OCR phase 2 audit results and plans for enforcement.

Mr. Severino shared that OCR was finalizing the phase 2 audits and that results will be published soon. As far as the audit program goes, he indicated that there would likely be no more formal audits. Instead, the audits would become part of OCR’s enforcement activity. He believes this promotes an enforcement mindset with a higher level of rigor, similar to enforcement activity conducted by the US Department of Justice.

An audience member asked if enforcement would continue unabated or would be curtailed under this administration.  The answer: OCR is still on track with enforcement.  Mr. Severino would like to see enforcement go down as a reflection of the expansion of a culture of compliance, which OCR has been pushing since 2011.  He did add that the industry was far from there today.

Adam Greene asked Mr. Severino to provide three takeaways for the audience.  The Director said:

  1. You need to treat PHI as if it was a bar of gold. That includes conducting periodic risk analyses, encrypting PHI and securing mobile devices.
  2. “We’re from the government and we’re here to help” – tap into OCR resources through its website, the most popular website for the US Department of Health & Human Services.
  3. “Help us help you” – review NPRMs, RFIs and other items on which OCR would like industry input, and provide feedback. Periodically check regulations.gov for opportunities to give OCR feedback.

All in all it was a great conference and good to get information from the proverbial horse’s mouth.  Julia will be sharing information about some of the sessions she attended.  Look for more in the weeks to come!

Communication Disconnect: Sales Promises & the Information Security Audit
https://apgarandassoc.com/communication-disconnect-sales-promises-information-security-audit/
Fri, 12 Oct 2018 22:06:35 +0000

Has this happened to your company? The sales team has a hot prospect who wants them to conduct an information security audit. Sales promises that not only can that happen, but also that it will happen by a specific deadline. The problem? No one checked with the C-suite or operations management before committing.

This communication – and timing – disconnect between sales and operations can cost companies both prospects and current customers. Information security is traditionally implemented and maintained behind the scenes. In today’s market, particularly for healthcare vendors, good market positioning means that information security has to be front and center.

As an example, the demand for a SOC 2 audit report is on the rise. Healthcare vendors and other service organizations are being asked for it as proof of a sound information security program. We work with clients as they prepare for and proceed through SSAE 16 SOC 2 audits. In cases where vendors engage a CPA firm to conduct a SOC 2 audit, we find that the decision to go through an information security audit comes from two places: the C-suite and sales. The C-suite sees the audit as a way to retain current customers and to maintain marketability. The sales team looks at it as another strong sales point.

What happens when the sales team over-promises?

If the sales team sells a product or service on the assumption that an information security audit can be done, without checking in with the IS department, they may find themselves in a huge bind. It’s even more problematic if the company executed a customer contract that includes the promise to conduct a SOC 2 audit. Imagine how that will come back to bite the company when the customer demands a copy of the nonexistent report!

In one instance, a company we’ve worked with in the past lost out on a multi-million dollar deal based on an over-promise. Sales promised a SOC 2 audit that the company then delayed for a couple of years. The prospective client walked away from the table. Remember, the proverbial grapevine works well, in the healthcare industry or otherwise. If you’re doing a great job, people will hear about it. If you fall on your face, they’ll hear about it faster.

Sales teams like to run full steam ahead, promising results, valuable products and enhanced service.  That’s a good thing. That’s how companies stay in business and continue to grow.  Often, though, IT / IS is left trying to figure out how to keep the promises made.

Vendors for healthcare and other service organizations are under mounting pressure to prove customer data is safe and secure. Information security is a market driver. If sales and the information security team aren’t on the same page, the outcomes could be disastrous for the business. So communicate amongst yourselves: sales, IT and the information security team. Actively involve the C-suite. Then you can be assured the company is steered in the right direction, with the right resources. When promises measure up to delivery, everyone is happy.

You’re a US company & subject to the GDPR. Now what?
https://apgarandassoc.com/youre-a-us-company-subject-to-the-gdpr-now-what/
Thu, 27 Sep 2018 21:40:47 +0000

What happens now that US organizations that thought they were off the GDPR hook find they are very much on it?

The onset of the GDPR, at first glance, seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? All good on personal data privacy. Except that your one-time, at-a-glance, high-level assessment won’t hold up. Blame the GDPR’s broad definition of personal data. And realize that Europeans are far more guarded about their personal data privacy than Americans, at a very granular level. Beyond health or financial information, or minors’ personal information, the GDPR goes far deeper.

Examples of GDPR-defined personal data

  • Work email address
  • Political party
  • Religious beliefs
  • Racial or ethnic information

GDPR defines “personal data” as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. A data processor is defined as someone who processes data on behalf of the data controller. That may be a company providing third-party software or a platform that stores data. The data controller is the entity that collects the data, such as a health plan collecting member data or a bank collecting customer data.

So how does a US organization, particularly one that already adheres to strict compliance standards, deal with the GDPR? A company that has attained certification through HITRUST or SOC 2 likely feels fairly confident of being able to meet the GDPR’s requirements. Unfortunately, one does not equal the other.

6 Actions You Can Take to Support GDPR Compliance

  1. Be sure that your Security Risk Analysis encompasses all “personal data” as defined under the GDPR, not just PHI and PII. Remember, location data counts too! If you’re a data controller, you’ll also need to look at impact assessments that relate to GDPR-defined personal data.
  2. Check that your third-party data processor is approved by the data controller. PHI that falls into the GDPR personal data category can only be used and disclosed on instruction from the data controller. That means that what typically would be OK use by a Business Associate under HIPAA isn’t if the data is defined as “personal data” under GDPR.
  3. Appoint your EU-based representative and designate a Data Protection Officer. This is a major point of compliance with the GDPR. The DPO’s contact info must be publicly published as well as formally shared with the EU’s Privacy Commissioners.
  4. Be sure you’re authorized to engage in data flow transfers that relate to the individuals, or “natural persons,” under the GDPR regs. Validate under your operations management contract that the data transfer is necessary and authorized.
  5. Modify your security incident response plan to include the GDPR breach notification guidelines. Under the GDPR, data controllers only have 72 hours from breach discovery to notify the EU Data Protection Authorities. Be sure to test your ability to comply with the requirement.
  6. Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual privacy rights include access to the data collected, the ability to correct that data, how they can restrict the processing of the data, and even the right to require that you erase the personal data.

Under the GDPR, US companies that discover from their data analysis that they deal with personal data of any kind from people who live in the EU (even non-EU citizens) must comply with its requirements. The cost of non-compliance is huge – up to 20,000,000 EUR. For US healthcare organizations that still struggle to meet HIPAA requirements over two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.

Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.

Privacy and Security Training: Less hype, less myth, more HIPAA realities.
https://apgarandassoc.com/privacy-and-security-training-less-hype-less-myth-more-hipaa-realities/
Fri, 24 Aug 2018 20:51:01 +0000

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors. This is clearly a “buyer beware” moment. Reviewing a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable about the material that needs to be covered in any privacy and security training session you’re looking to enroll in. The training risk comes when someone doesn’t have a good grasp of the material, because they may well be fed outdated information or, worse, partial truths about HIPAA.

I may be a little sensitive because of the type of privacy and security training that we and some of our partners provide. Timely, current event-relevant, regulation-sensitive training. But in this instance, we received a vendor mailing focused on email integration and texting in the healthcare communications environment. Sounds entirely reasonable, right? Unfortunately, the marketing copy reflected outdated or even misleading information.

Marketing hype or regulatory reality?

The vendor’s privacy and security training marketing materials included these topics and observations, presented as facts:

  • Email and texting are in the early adoption stages in healthcare settings. Texting is becoming the preferred engagement, overtaking paging.
  • Mobile phone use for texts or calls relating to payment, to provide critical healthcare information or other official purposes is a no-no for providers and violates HIPAA.
  • Risk evaluation and management related to business communication that may or may not contain PHI is under scrutiny. Improper exposure may be considered an official breach.
  • Violation enforcement can include fines up to $50,000 per day and more.
  • Impacts of the Telephone Consumer Protection Act (TCPA) limit the use of cell phones for payment and healthcare purposes unless consent is obtained.

Let’s take it from the top. First of all, texts and emails are common in today’s healthcare environment. While the topic is worth addressing as part of ongoing training (and hopefully touches on serious email threats like phishing), it’s not a new issue.

[Read Phishing: Help Good Employees Avoid the Hook of a Cybersecurity Nightmare]

Secondly, clarification is in order when it comes to texts. HIPAA doesn’t require covered entities to obtain consent before, say, sending an appointment reminder via text message. I do, however, think it’s a courtesy that should be extended because not everyone is comfortable with anything to do with their health being texted to them.

Now to take it a step further, if the email or the text message is encrypted, there are really no HIPAA consent requirements. If the individual requests texts and emails be sent unencrypted, covered entities do need to document that the individual making the request has been informed of the dangers associated with unencrypted transmission of PHI.  That’s not the same as obtaining consent.

When it comes to risk evaluation and risk management, yes those are hot items. And while I do wonder what an “unofficial” breach is, I agree the improper exposure of PHI may result in a reportable breach.  Please keep in mind that if the exposure is unintentional, like a misdirected email, it may or may not be a reportable breach. That’s where the HIPAA Breach Notification Rule’s four factor risk assessment comes into play.

Here’s where I seriously part ways with the material: the violation enforcement information and the penalties.

If you’re doing the right thing, discover a breach, follow the required investigation and notification process and you timely report the breach to OCR, you likely won’t be fined by OCR.  Now, if there is a breach and OCR finds you haven’t conducted a risk analysis, haven’t adopted current and enforceable policies, haven’t trained your staff and so on, then yes, chances are higher that you’ll be paying in the form of a penalty or monetary settlement.

As far as the $50,000 per day goes, OCR can levy penalties up to $50,000 for a single violation, up to a maximum of $1.5 million per calendar year. There’s no reference in any OCR guidance to violations being counted in days. They could in fact be counted as the number of records breached. If, as an example, 1,000 patients’ PHI was breached, OCR could count that as $50,000 × 1,000 (if you’re found guilty of willful neglect). Because the penalty amount calculated this way would exceed $1.5 million, the maximum penalty amount would be levied unless a lower amount was negotiated between OCR and the breaching entity.

Finally, the TCPA. I need to point out that the TCPA was enacted in 1991 – pre-HIPAA – and addressed robocalls. It had nothing specifically to do with text messages and healthcare.

The bottom line on healthcare privacy and security training.

Using email and text messages to communicate healthcare information has been going on for years. Keep in mind that, yes, OCR guidance (“Right to Access”) emphasizes the need for covered entities to communicate effectively with patients, but there is no reference to text messaging or emailing other than to state that patients can request communications be made using unencrypted email as long as the risks associated with it are clearly communicated. There is zero reference to text messaging in the guidance or in HIPAA itself.

I wholeheartedly agree that you need to regularly conduct privacy and information security training with your workforce. I also agree that you need up-to-date privacy and security training documentation.

I’m concerned that there are entities not up on the risks and how those risks are associated with patient communication. The first HHS edicts that apply to the use of email to communicate with patients date back to January 2013 (the Omnibus Rule) and February 2014 (the HIPAA CLIA Rule).

Training vendors need to be vetted. If you or your staff are going to take your valuable time to attend any vendor-offered training, you need to know that it has more real-world application to privacy and security risks, engages employees on how they can protect ePHI, and accurately reflects regulatory requirements. More HIPAA realities, less marketing myth.

What the Russian Indictment teaches us about cybersecurity.
https://apgarandassoc.com/what-the-russian-indictment-teaches-us-about-cybersecurity/
Mon, 06 Aug 2018 15:52:57 +0000

Aside from the sensationalism of alleged espionage by a foreign power, the cybercrime accusations listed in the Mueller investigation’s indictment document should be a warning to businesses everywhere. It’s an object lesson in “this could happen to you” cybersecurity. Russian cyberwarfare notwithstanding, nation state attacks on US entities are common. The US CERT site has a running list of North Korean “malicious cyber activity” to prove it.

It’s rare that the general public gets to see the “how” of a cybersecurity breach. Organizations typically stick to generalities when they own up to data breaches. Notice that the cyber-attackers used every tool at their disposal to locate and exploit vulnerabilities at the Democratic National Committee and Clinton campaign: spear phishing to steal passwords and gain network access, spoofed security notifications and email accounts, hacking tools and malware. This single-minded cyber-attack is a prime example of how things really play out when hackers want to get in your back door.

Every organization needs to take the cautionary message to heart. Because to mitigate the risk of a data breach recurrence, you not only need to know what happened, but also how and why it did. Think about it. What if you’re a healthcare provider? People’s lives are at stake.

3 Fundamental Tips for Risk Mitigation

  1. Implement perimeter controls to detect breaches and other cyberattacks such as ransomware. How else will you know a phishing attack has occurred? When the system takeover happens? Use appropriate technical perimeter controls to detect an attack early on so you can take immediate action.
  2. Launch system redundancy while you resolve the breach or security incident. You need to take the system down to root out every instance of malware, which means business continuity measures come into play. If you can launch your backup, business operations can continue with only a small blip.
  3. Engage computer forensic experts to get an image of the drives. Sure, maybe you can wipe drives as part of eliminating ransomware. Now what? You have no way to find out how it happened or why.

The above tips make the assumption that you have the basics in place, like security incident response and business continuity plans (which go hand-in-hand, by the way). If you don’t have functioning fundamentals, the ensuing scramble after a data breach or cybersecurity incident starts to look like that classic vaudeville sketch “Who’s on first?”

Chris Apgar, CISSP, is a nationally recognized expert and educational instructor on information security and privacy, as well as a frequent instructor, panelist and panel facilitator for leading national industry groups in healthcare, compliance and security.

How to lose data & money: The cost of unmitigated risk
https://apgarandassoc.com/how-lose-data-money-cost-of-unmitigated-risk/
Thu, 28 Jun 2018 22:11:19 +0000

The OCR announcement of a $4.3 million price tag on MD Anderson Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a PHI security threat prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation uncovered that the policy wasn’t actually enacted for years. Not smart.

Loss of USB devices and a stolen laptop exposed the disconnect between the stated policy and actual application of the policy. What could they have done differently? Followed through on their stated policies. Would a demonstrable attempt at PHI protection by alternate means, although encryption wasn’t implemented, have helped? Perhaps. It’s hard to know.

What likely didn’t help the Center was its 2011 internal Information Security Program report stating that the risk to ePHI on mobile devices and other portable storage devices was not yet mitigated – a written acknowledgement of failure to enforce its own policies. The USB device loss and the laptop theft happened in 2012 and 2013. In light of that fact, it’s fortunate that OCR asked for penalties under Tier 2’s Reasonable Cause rather than Tier 3’s Willful Neglect, if only from the point of view of preserving (somewhat) MD Anderson Cancer Center’s reputation.

In light of the cost of “over-promising and under-delivering,” now is the ideal time to get a compliance assessment of your policies and procedures on the schedule. Are you in danger of an unmitigated risk? Are your policies realistic? Are they being practiced? Can you prove it?

4 Tips for Policy Follow-Through

  1. Tie your policies and procedures back to your actual business operation workflow and processes. Implementing an enforcement mechanism such as encryption gives policies “teeth.”
  2. Make sure you’re following the rules. Policies and practices need to align with the regulations you’re required to follow.
  3. Be realistic when drafting policies and procedures. “Audits will occur at weekly intervals” may not be a realistic policy to accomplish if you’re already overstretched. (See #1)
  4. Maintain proof of policy enactment. Document and be able to demonstrate you take action on all of your policies. For example: That information could include the date a policy was enacted, any time there was an internal citation for correction, and documentation of how it was corrected.

Your policies and procedures are essentially marching orders for your staff. Be sure those policies are clear and accurate so you can not only enforce them, but also document that you’ve done so. Then when a breach happens and OCR comes in, you’re better positioned.

Apgar & Associates helps you discover privacy and security vulnerabilities so you can manage risks before a breach occurs. Contact us to schedule your assessment today: 503-384-2583.

How You can Meet Compliance Challenges – and Investor Demands https://apgarandassoc.com/how-you-can-meet-compliance-challenges-investor-demands/ Tue, 12 Jun 2018 23:16:12 +0000 http://apgarandassoc.com/?p=2001
From digital startups to financial firms, the demand to demonstrate information security, not only from investors but also from board members and potential business partners, is widespread. As privacy and security consultants who also prep companies for certification, we’re seeing how the need for privacy and security compliance, long a demand in healthcare, now stretches across industries.

Take this example. An online company selling a product that’s gained rapid popularity attracts the attention of a multi-national interest. It’s a dream scenario for a start-up. A great concept, proven, that garners the best possible outcome: a well-heeled investor. Then a painful reality sets in during due diligence.

The straightforward request of “Let’s start with a review of your policies and procedures” has everyone scrambling. Why? Because they don’t exist – at least not in the format and detail that a true commitment to privacy and information security calls for.

A high-dollar investment from an established global entity is going to have requirements attached to it that a digital startup likely didn’t include in its gotta-get-launched-yesterday operational plan, especially when the investor demand reflects an expected alignment with the standard to which the investor’s own organization adheres: ISO 27001.

Digital startups are one thing, but what about established businesses? Maybe there are industry-related policies and procedures in place but the type of business never called for compliance with a particular set of security standards. Now there’s an opportunity to expand into government work. To play in the big sandbox, there’s a need not only to implement an information security program, but one that adheres to the NIST cybersecurity framework that was updated in April 2018. That’s a big leap.

There are common denominators for most certifications and regulatory needs. You may be asked to achieve ISO 27001 certification or HITRUST. Or you may need to choose the best assessor for your SOC certification process. Almost certainly, no matter your business, you’ll need a security risk analysis.

Start with the fundamentals. In nearly every state there are breach notification laws that require you to have an information security program in place. If not a specific program, then at minimum you need to be able to demonstrate administrative, technical and physical safeguards of sensitive data – whether that’s PHI or client financial information. Once you take care of the basics, your business will be ready for the next great opportunity, and able to meet investor demands.

Work with a team that knows how to map your path to certifications and regulatory standards regardless of industry. Apgar & Associates’ certification readiness preps you for HITRUST, ISO and more. Call us today to get started: 503-384-2538.

Minor Privacy Rights: Where Feds & State Diverge https://apgarandassoc.com/minor-privacy-rights-where-feds-state-diverge/ Tue, 05 Jun 2018 14:16:59 +0000 http://apgarandassoc.com/?p=1993
In most instances, HIPAA rules apply for adults and minors. That’s to say, the federal regulation sets the bar. HIPAA treats minors as adults when it comes to privacy rights if they’ve reached the age of informed consent except when state laws say otherwise. Some state laws permit or require disclosure to parents or guardians regardless.

For example, in Oregon, minors reach the age of informed consent at age 15, with exceptions: parents or guardians can receive information on the minor up to age 18, unless the minor gets married or has been emancipated. Oregon law trumps HIPAA in those cases.

To understand some of the broader implications, it helps to know that covered entities determine what makes up an individual medical record (aka designated record set, or DRS). So when a parent or guardian wants access to a minor’s record, they have it (unless state law trumps it). Oh, and divorce doesn’t change that ability to get a copy of a minor’s medical record.

Minor privacy rights can vary according to the medical issue, as well. For instance, privacy rights related to alcohol and chemical dependency diagnosis and treatment fall under the most stringent federal privacy laws. In these cases, the strictest law prevails when it comes to privacy or access to PHI, and that applies to minors if they’ve reached the age of informed consent.

In some states, like Oregon, there are exceptions. For example, although the Oregon age of informed consent is 15, when it comes to:

  • outpatient mental health, alcohol and chemical dependency treatment, the age of informed consent is 14
  • HIV/AIDS information and STDs, the age of informed consent is from birth
  • birth control, the age of informed consent is from birth

So when logic doesn’t apply, but the law does, what do you do? Be sure that you understand all of the ramifications of a minor’s privacy rights under both HIPAA and your state laws. That means not only must you train and re-train staff in that understanding, but you also need to pay close attention to your legislature’s activities. Document disclosures and authorizations and know what your liability is related to either.

Chris Apgar, CISSP delivers training webinars on regulations and best practices related to HIPAA, HITECH and cybersecurity issues. To learn how Apgar & Associates privacy and security expertise can help your organization, give us a call at 503.384.2538.

How can you avoid the costly price tag of unauthorized ePHI access? https://apgarandassoc.com/how-can-you-avoid-costly-price-tag-unauthorized-ephi-access/ Thu, 24 May 2018 17:51:09 +0000 http://apgarandassoc.com/?p=1982
We’re talking millions. Take a look at the largest HIPAA violation-related fines of 2017. Companies like dialysis giant Fresenius, Memorial Healthcare Systems, and 21st Century Oncology (21CO), which operates 143 centers nationwide, have been fined millions thanks to unauthorized access (21CO has filed for Chapter 11 bankruptcy). In 21CO’s case, the access was through a vulnerable back door to their IT systems, but for Fresenius and Memorial Healthcare Systems, unauthorized ePHI access was employee-related.

When you look at the heart-stopping price tag of non-compliance, the question becomes: Could the unauthorized access have been avoided? Most would argue – and I’d agree – that no system or organization is 100% secure. However, there are ways to mitigate risk, both human and technological. Let’s start with the human factor: your employees. Here are a few tips to pass along:

5 Ways Employees can Protect ePHI

  1. Be sure no one can see your screen. Whether at your desk or using a mobile device, if you’re accessing PHI, protect it from view. Angle your desk – or your body – so that no one can inadvertently see the sensitive data.
  2. Keep quiet about patient records. Just because a recent emergency visit was the stuff of urban legend doesn’t give you the right to share it.
  3. Protect your password and make it strong. A phrase that combines letters, numbers and special characters is a commonly used best practice.
  4. Stay off public wifi when accessing ePHI. It’s tempting to catch up on work at the local coffee shop or the airport, but public wifi is a notorious favorite of hackers.
  5. Immediately report any suspicious activity to your IT department. Strange email? Don’t click the link or open the attachment – call IT.

Things get a little more straightforward when you step into the technology side. That’s not to say it’s easier. But common security controls are just that, common. Encryption of data at rest and in transit, keeping up with software security patching, frequent system backups, a secure messaging platform and access control audits – all place significant barriers in front of sensitive healthcare data.

Where does responsibility for healthcare data breaches lie? Workforce, cybercriminals, technology vulnerabilities, lack of training – any and all can place ePHI at risk. While there is no magic pill to secure healthcare information, there are many ways to manage the risk. To learn how Apgar and Associates can help you manage risk and ramp up privacy and security measures, contact us today.
