The federal government is upping the ante on healthcare providers to strengthen their policies and procedures for protecting electronic health information. On March 26, the final Health Insurance Portability and Accountability Act omnibus rule went into effect, which strengthens the security and privacy rules and also extends direct liability for HIPAA security violations to Business Associates of HIPAA Covered Entities.
This new rule is only the latest development in a far-reaching effort over the past three years by the federal government (Office of Civil Rights of the Department of Health and Human Services and the Department of Justice) to greatly strengthen HIPAA enforcement and protection of confidential health information. This campaign has resulted in the imposition of much higher fines and even criminal prosecution of individuals working for hospitals, physician groups and other HIPAA Covered Entities for privacy and security violations.
The stick of enforcement is now being backed up by the carrot of incentive payments tied to the adoption and utilization of electronic medical records by healthcare providers. The meaningful use core measures require hospitals and other healthcare providers to "protect health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities."
CMS has interpreted this requirement as mandating that providers "conduct or review a security risk analysis" in accordance with the HIPAA requirements [under CFR 164.318(a)(1)] and "implementing security updates as necessary" and correcting "identified deficiencies as part of [its] risk management processes."
Recently, the OCR proactively undertook an audit of 20 healthcare providers to assess compliance with HIPAA rules on privacy and security. That audit found several deficiencies, 65 percent of which were related to security (versus 26 percent for privacy), including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans. According to Leon Rodriguez, director of the OCR, "what we're learning from the audits…is there's plenty of noncompliance out there and plenty of room for improvement." Hospitals and other healthcare providers need to do a better job of inventorying their data, assessing security risks on a continuous basis and tightening controls.
Organizations looking to step up their security compliance efforts should begin with a comprehensive security risk assessment, as mandated by HIPAA and meaningful use rules. The first step in evaluating vulnerabilities and controls is understanding what you have to protect: what patient data does the institution possess, where is it stored and how is it transmitted. In our experience, many hospitals and healthcare organizations do not have a firm grasp on this most basic requirement.
The power of a risk assessment is not in checking a few boxes on a checklist but in really undertaking a thorough analysis of potential vulnerabilities and whether the controls you have in place are adequate to protect against potential threats. The assessment should guide your organization in prioritizing security risks, reallocating resources, and developing work plans to mitigate the most important threats. Finally, a risk assessment should not be a one-off exercise; in the digital landscape, new threats are always emerging.
3 major threats to data security
From our vantage point of conducting healthcare IT risk assessments, there are three insights we would emphasize:
1. Vendors are a major risk to ensuring the security of patient health information. The case of South Shore Hospital in Massachusetts, where their data destruction vendor lost backup computer tapes containing patient information, should be a lesson to healthcare organizations that outsource functions involving PHI. The new HIPAA rule extending liability to Business Associates should go a long way in promoting greater security. But this rule does not absolve healthcare organizations of responsibility and liability for protecting their own patient data. Organizations should require that their vendors provide a SOC 2 or SOC 3 report or, at a minimum, require that they attest to compliance with the healthcare organization's own security standards by completing a questionnaire.
2. Human vulnerability is another risk. As OCR Director Rodriguez has remarked, "A lot of these cases [of data breaches] turn on some kind of human frailty." Hackers know this and are increasingly turning to social engineering techniques, which exploit people's behavior, including their trustfulness, curiosity or even greed, to steal confidential information.
This condition highlights the critical importance of training. A good information security program is only as good as the people who follow it. Inform and train your employees on proper information security procedures. Your employees should be instructed never to follow a link embedded in an email message and never to use USB drives, CDs or DVDs not provided by the organization. Your IT department should send out regular notices about how to avoid dangerous schemes, or information about IT best practices, which will help keep security top of mind.
3. Mobile devices also create security challenges, as do broader trends in healthcare delivery and organization. The growing use of mobile devices for delivering patient care and transmitting patient health information promises to improve quality of care, but it also creates entirely new vulnerabilities, as there are now many more points for accessing information. The shift to accountable care organizations, which is premised on making patient health care information available across multiple providers, means that the security of patient information rides on the weakest link in the ACO chain.
Healthcare organizations need to devote at least as much attention and resources to new security demands as they did in complying with HIPAA's privacy rules.
There is no single technological solution, but there is a menu of steps from which organizations can choose, from strengthening administrative procedures to encrypting all patient information, which can go a long way in guarding against the loss or theft of information. Finally, there also need to be clear lines of authority and accountability for ensuring the security of patient health information. Sharing information is the underpinning of creating a more patient-centered, coordinated care system. Without robust information security, we will fall short of the promise of the power of knowledge for advancing high quality, efficient healthcare.
Michael E. Kanarellis is senior IT assurance manager, and Ryan Rodrigue, CISA, CISSP, is manager, IT Assurance Services, at Wolf & Co. Together, they lead the healthcare IT practice at Wolf & Co., a Boston-based accounting, tax, auditing and risk-assessment firm.