According to HITRUSTAlliance.net’s report on U.S. healthcare data breaches affecting 500 or more individuals, A Look Back: U.S. Healthcare Data Breach Trends, the leading cause of breaches involved theft (54 percent) and the leading sources of breached PHI (protected health information) were laptops (25 percent) and paper records (24 percent).
The most frequently stolen items included laptops, desktops and mobile media (USB drives, CDs/DVDs, backup tapes). When it came to business associates, they accounted for 58 percent of the records breaches, and were implicated in 21 percent of the breach cases.
Business Associate Breaches; Source: HITRUSTAlliance.net
With numbers like these, physician practices and health system CIOs should be aware of the possible areas of IT risk in order to secure PHI (according to HITRUST) – for each of the following areas, I’ve provided resource links and tips:
Information Security Policies and Procedures
Establishing a set of standards that are custom to your organization can help guide user behavior toward more secure practices. Policies are necessary to abide by the HIPAA Security Rule’s Organizational, Policies and Procedures and Documentation Requirements standard 164.316(a) for covered entities:
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].
Security policies should address password management, PHI storage/use, encryption, PHI exchange procedures, privacy filters, etc. For a list of example HIPAA resources, including policies, procedures and training materials from a variety of established medical centers and university health systems, visit HIPAA Resources: Policies, Procedures and Training Materials.
This involves protecting networks when connecting remotely via any number of devices, including laptops, desktops, servers, phones and tablets. Connecting remotely via a VPN (Virtual Private Network) that requires two-factor authentication (username/password, and a secondary form of authentication, typically via a cell phone call or text) may provide more assurance against the risk of unauthorized access to sensitive healthcare data. Other security services like firewalls, antivirus and patch management may also help secure endpoints.
Learn more about two-factor in our upcoming webinar, The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication, June 4 @2PM ET, or check back after for a recording of the presentation.
The BYOD (Bring Your Own Device) movement in the healthcare industry calls for a mobile security policy. Read our Mobile Security white paper on how to keep devices and mobile apps secure, as well as a BYOD case study of a mobile security architecture designed and implemented successfully within a hospital environment.
Encrypting devices, email and other healthcare data is another industry best practice and addressable standard of HIPAA technical safeguards that require access control:
A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))
Join our upcoming webinar Encryption – Perspective on Privacy, Security & Compliance to learn more, or read about Encrypting Data to Meet HIPAA Compliance.
Sensitive IT infrastructure including managed servers, cloud, power and networks should be protected by restricted access, and routers, switches and devices should meet HIPAA compliant requirements to protect ePHI (electronic protected health information) found on networks. Firewalls and Intrusion Detection Services can work to identify security breaches and notify you or your hosting provider to take action.
Staff Training and Security Awareness
HIPAA security awareness and training is another administrative safeguard required by the HIPAA Security Rule – not only is a staff training program required, but periodic retraining is necessary whenever new policies or procedures, significant software or hardware upgrades, new security technology, etc. are implemented within an organization.
Business associate training is also important, as they were implicated in 21 percent of HIPAA breach cases, as mentioned earlier. Check that your vendors have a delegated security and risk officer, and that training is updated/established for new employees.
The HIPAA breach notification rule dictates that covered entities must notify affected individuals/the media/the HHS (if affecting more than 500 state residents) of a data breach no later than 60 days after discovery. Business associates are also required to notify covered entities no later than 60 days.
As a healthcare CIO, check your vendor contracts, or business associate agreement (BAA) for terms on their roles and responsibilities when it comes to breach notification policy to ensure you’re on the same page, and you can gather the documents and information you need to accurately report to the OCR. To find out what the recent HIPAA omnibus rule dictates for BAAs, read Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance.
For a list of information that the OCR requests shortly after a self-reported HIPAA breach, including documentation, risk assessments, policies and procedures and more, read OCR Audit Requirements Following a Self-Reported HIPAA Breach.
Your third-parties may be your business associates now that the final omnibus rule has widened the scope of who may be audited and fined for not meeting HIPAA compliance. Think it’s not your problem? Think again – the new rule document states that the “proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance 61 with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”
As I initially wrote about in How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers, cloud service providers and HIPAA hosting providers now fall under the definition of a business associate. Covered entities can ensure their third-parties can meet HIPAA by reviewing their independent audit reports measuring their security standards and practices against the OCR HIPAA Audit Protocol. Anything less than fully compliant is a risk your organization can’t afford to take.
A HIPAA standard that helps meet technical safeguards, access control refers to restricting PHI system access to only authorized persons or software. The specifications include:
- Unique User ID – Just as it sounds, assign a unique username or code to track users.
- Emergency Access Procedure – This should be in the established policies and procedures that allows access to ePHI as needed in an emergency.
- Automatic Logoff – Establish a way to terminate electronic sessions after a predetermined time of inactivity.
- Encryption/Decryption – See Endpoint/Mobile Security.
HIPAA Security Standards for physical safeguards, specifically facility access controls, requires the implementation of:
…policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Restricting physical access to servers should be on your list of IT security – only authorized personnel should have building access to where your data is stored or processed, and dual factor authentication with the use of badges and biometrics (fingerprint recognition) can assist in tighter access control. Environmental controls can also be managed with surveillance, monitoring and alarm systems, as well as policies for visitors.
For more on using the cloud and secure hosting for HIPAA compliant solutions, read our HIPAA Compliant Hosting white paper. Questions to ask your HIPAA hosting provider, data center standards cheat sheet and a diagram of the technical, physical and administrative security components of a HIPAA hosting solution (including HIPAA compliant clouds) are included.
Or read our Mobile Security white paper for how to secure electronic protected health information (ePHI) while using mobile devices in the workplace, ideal for any healthcare organization interested in implementing a secure BYOD (Bring Your Own Device) environment.
Still have questions? Contact us or chat now.
A Look Back: U.S. Healthcare Data Breach Trends (PDF)
HIPAA Security Standards: Physical Safeguards (PDF)
Breach Notification Rule