No passing the buck: OCR audits have healthcare executives on the hook

In 2015, one in three Americans was affected by a healthcare data breach. In the wake of these massive data leaks and thefts, individuals lose control over their most sensitive information: names and addresses, government and insurance ID numbers, bank accounts, and medical records.

Cyber criminals find these healthcare records extremely lucrative: a complete set can sell for up to a thousand dollars on the black market, where a stolen credit card number now fetches only a dollar or so. As the cybercrime stakes rise, executives in the healthcare industry need stronger defenses to protect themselves, their companies, and their customers.

Given that large-scale hacks were responsible for 98 percent of healthcare data breaches in 2015 (in 2014, the majority were caused by lost or stolen devices), it's not surprising that government oversight has intensified. The HHS Office for Civil Rights (OCR) is rolling out Phase 2 of the HIPAA Audit Program. The OCR announced in March 2016 that data gathering exercises and desk audits had begun that year and would be followed by comprehensive on-site audits in 2017. The desk audits cover entities that fall under HIPAA as well as their business associates; each review focuses on the privacy, security, or breach notification rules.

The OCR's recent multi-million dollar settlements with several healthcare companies over HIPAA violations also point to an increase in enforcement efforts. Executives know that appearing on the HHS "Wall of Shame" is no way to build trust with partners and customers. It quickly gets personal when breach headlines prompt questions like "Who let that happen?" and "Who's in charge over there?" The responsibility for avoiding the significant fines and reputational damage resulting from breaches can't be passed on or glossed over—it lands squarely on the desks of C-level executives and board members. The focus on third party business associates will surely intensify, widening the scope and complexity of risk factors executives are required to oversee. Many of the recent breaches originated with third parties; a PwC survey of healthcare providers found that incidents attributed to partners jumped 56 percent last year.

The National Law Review points out that recent shifts in breach activity and OCR oversight "serve as a reminder of the importance of maintaining a culture of compliance and having the architecture in place to efficiently respond to more proactive and searching enforcement activity." The OCR requires evidence of practices that constitute a "permanent and robust program": policies, procedures, training, and review processes in place and functioning as intended for security, privacy, operational risk management, and information governance. Documentation of all related activities is required to prove that policies and procedures have been communicated to the relevant employees and third parties.

How do resource-strapped healthcare companies do this quickly, and what does it mean to have the "architecture in place" to respond efficiently? We are well past the point where spreadsheets and emails are sufficient tools for coordinating an organization-wide compliance program.

First of all, audit responses have to be compiled quickly. For OCR's desk audits, auditees will only have 10 business days to submit the information requested. Upon receiving draft findings from the OCR after a desk or on-site audit, auditees will have 10 business days to respond. This leaves very little time for reactive scrambling or manual data gathering. Due to the complexity and scope of compliance requirements (HIPAA and beyond), healthcare organizations need better tools: centralized data repositories, information security integrations, remediation workflows, advanced data analyses and visual reporting.

The scenarios raised by criminal exploitation of healthcare systems are alarming. Healthcare systems and devices are increasingly hyper-connected: drug infusion pumps, defibrillators, hospital refrigerators and even pacemakers can be attacked remotely. Alongside these headline dangers sit threats that are realized far more often: ransomware, mass identity theft, insurance fraud, and prescription drug fraud. None of this is hypothetical. According to IBM's 2016 Cyber Security Intelligence Index, the healthcare industry is the most frequently targeted, surpassing financial services, government, and manufacturing.

Clearly, modern medicine requires modern risk and compliance management solutions that more effectively protect sensitive data, provide timely and less costly responses to OCR audits, and help organizations minimize the impact of incidents. Comprehensive governance, risk management, and compliance (GRC) platforms provide automated solutions to replace inefficient manual processes while reinforcing cyber security, vendor risk assessments, operational efficiency, business continuity planning, and compliance programs.

In today's digital business environments, preparing a healthcare organization for an audit with outdated manual processes is not a recipe for success. Time-consuming audit management that relies on spreadsheets, email collaboration, and multiple assessment tools produces data stuck in organizational silos, duplicated effort, tedious case-by-case problem-solving, undetected gaps in coverage, disorganized documentation, and stressed-out staff. These poor outcomes apply not only to audits but also to other disruptive events like cyber attacks, natural disasters, mergers, lawsuits, and legislative and regulatory changes.

Instead, an organization's investment in GRC compliance solutions can, with the right toolset and program, help develop a standardized approach to compliance, risk and audit management, and build up operational efficiency, fundamental security, and organizational resilience. GRC solutions can get your company ready for audits, and more, by automating, integrating, and documenting all the activities that make up functioning and compliant privacy and security programs.

Managing the policy lifecycle
Comprehensive GRC platforms centralize document management, including revision workflow and review. By integrating a library of rules and regulations, you can map external requirements to internal activities. This enables analyses of the gaps between your practices and the standards, highlighting risks and vulnerabilities in addition to potential areas of non-compliance. You can also document company-wide communications pertinent to compliance and capture end-user acceptance and sign-off that policies and training were received and understood.

Documenting and mitigating risks
A GRC solution can be used to identify, categorize, correlate and assess risks—from those originating in relationships with business associates to incidents like patient falls. Workflows are automated, moving from risk identification to analysis to remediation, with visibility throughout the process, and documentation of all related activities. A full-featured GRC platform should be readily integrated with IT solutions, such as vulnerability, web application, device, and configuration scanners. Once all assets and data stores have been inventoried, they can be ranked in order of value and mapped to known issues and alerts to create a prioritized list of remediation tasks. Dashboards and visual data analyses of these findings increase executive oversight and participation in risk management.
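The inventory-then-rank step described above is easy to get wrong when scanner severity is used on its own: a critical finding on a lobby kiosk is not the same risk as a moderate finding on the EHR database. The following Python sketch, added here as an illustration and not LockPath's or the article's own code, joins a constructed asset inventory (owner, PHI handling, business value) to constructed scanner findings and produces a prioritized remediation list. The scoring weights (PHI doubles the score, a public exploit adds 50 percent) are assumptions for the example, not a standard; a real platform would apply its own risk model and pull findings from the scanners it integrates with.

```python
"""Prioritized remediation list: asset inventory joined to scanner findings.

Added example, not code from the article or from any GRC product. Every asset,
finding, and weight below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    name: str
    owner: str             # accountable owner; remediation tasks are assigned here
    holds_phi: bool        # stores or processes protected health information
    business_value: int    # 1 (low) .. 5 (critical), set by the asset owner


@dataclass
class Finding:
    asset_id: str
    source: str            # which integrated scanner reported it
    title: str
    cvss: float            # 0.0 .. 10.0 severity as reported by the scanner
    exploit_available: bool = False


# Constructed inventory (hypothetical hostnames and owners).
ASSETS = [
    Asset("srv-ehr-01", "EHR database server", "Clinical Systems", True, 5),
    Asset("ws-billing-12", "Billing workstation", "Revenue Cycle", True, 3),
    Asset("srv-kiosk-01", "Lobby wayfinding kiosk", "Facilities", False, 1),
    Asset("pump-gw-02", "Infusion pump gateway", "Biomedical Eng.", False, 4),
]

# Constructed scanner output. The last finding refers to a host that is
# missing from the inventory, which is itself a gap worth recording.
FINDINGS = [
    Finding("srv-ehr-01", "vuln-scanner", "Outdated TLS on database listener", 7.4),
    Finding("ws-billing-12", "config-scanner", "Local admin password reused", 8.8, True),
    Finding("srv-kiosk-01", "vuln-scanner", "RCE in kiosk browser", 9.8, True),
    Finding("pump-gw-02", "config-scanner", "Telnet management enabled", 6.5),
    Finding("srv-unknown-77", "webapp-scanner", "SQL injection in patient portal", 9.1, True),
]


def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity scaled to 0..1, weighted by asset value, PHI exposure and
    exploitability. Weights are assumptions for this example."""
    score = (finding.cvss / 10.0) * asset.business_value
    if asset.holds_phi:
        score *= 2.0
    if finding.exploit_available:
        score *= 1.5
    return round(score, 2)


def prioritize(assets, findings):
    """Return (tasks sorted by descending risk, findings with no inventoried asset)."""
    by_id = {a.asset_id: a for a in assets}
    tasks, unmatched = [], []
    for f in findings:
        asset = by_id.get(f.asset_id)
        if asset is None:
            unmatched.append(f)  # un-inventoried asset: document, do not silently drop
            continue
        tasks.append({
            "asset_id": asset.asset_id,
            "asset": asset.name,
            "owner": asset.owner,
            "finding": f.title,
            "source": f.source,
            "cvss": f.cvss,
            "score": risk_score(asset, f),
        })
    tasks.sort(key=lambda t: t["score"], reverse=True)
    return tasks, unmatched


def format_report(tasks, unmatched):
    """Plain-text view suitable for a remediation queue or an audit appendix."""
    lines = [f"{t['score']:>5}  cvss {t['cvss']:<4} {t['asset']} ({t['owner']}): {t['finding']}"
             for t in tasks]
    lines += [f"UNINVENTORIED  {f.asset_id}: {f.title} [{f.source}]" for f in unmatched]
    return lines


if __name__ == "__main__":
    ranked, missing = prioritize(ASSETS, FINDINGS)
    print("\n".join(format_report(ranked, missing)))
```

Note where the highest-CVSS item lands: the 9.8 kiosk finding ranks last because the asset holds no PHI and carries little business value, while an 8.8 on a PHI-bearing billing workstation with a public exploit goes to the top. The unmatched finding is returned separately rather than dropped, so the inventory gap can be documented along with the remediation tasks.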

Breach prevention and remediation efforts
Your organization can do everything right but still end up in hot water with the OCR, business associates and patients if you can't "show your work." GRC platforms track and manage prevention and remediation activities, documenting each step in the workflow. Incident reporting (HR, infosec, client, vendor, anonymous) follows defined processes to keep information gathering consistent and complete so nothing falls through the cracks. Incidents can then be linked to related risks, continuity plans, and compliance requirements, which helps determine when notification is necessary.

Reporting on all compliance efforts
Assembling the required reports can be one of the most time-consuming compliance tasks. You will need to produce different reports for audit responses, third-party assessments, and various internal stakeholders. On a GRC platform, centralized document and data repositories make it easier to create customized reports and dashboards. GRC tools contextualize risk and compliance data, empowering executives to see the big picture and make intelligent decisions about future steps and resource investment.

By integrating people, processes, and content on a comprehensive technology platform, healthcare executives can weave a tighter web, ensuring that important incidents or requirements don't fall through undetected holes in security and privacy programs. Standardizing and automating workflows and behind-the-scenes activity helps to effectively communicate the depth of your organization's security and information governance programs. The ability to pull up reports and visualize information in a manner that relates to the user's role in an organization means that progress and priorities can be shared more readily across the organization, fostering a culture of accountability. Knowing that the reports are developed from verified, common data builds trust and eases decision-making processes. Those tasked with GRC activities, such as managing OCR-related processes, compliance and technology security, can get more done, take on more responsibility, and be more proactive in shaping the business—with the same amount of staff.

Compliance is much more than busywork, and shouldn't be relegated to silos of specialists. Proper information governance and security measures are integral to mitigating risks to your company, your employees, and those you ultimately serve—patients and their families. Done right, GRC helps leaders build strong, resilient healthcare organizations. Securely delivering the services and products that keep our communities safe and healthy is of the utmost importance. Once you have compliance and risk management under control, you can start making headlines for all the right reasons—excelling in a competitive marketplace with innovative products and services.

Sam Abadir is the Director of Product Management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions. He has over twenty years of experience helping companies realize value through improving processes, identifying performance metrics, and understanding risk. Early in Sam's career he worked directly with financial institutions and manufacturing companies, helping them understand how risk management could be a competitive advantage. As a Sr. Manager at Deloitte he broadened his experience focusing on Global 2000 companies. In the past five years, Sam has worked with software companies like LockPath to build the tools that help companies harness the value of understanding and assessing risk.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2020.