It’s no secret that the Department of Health and Human Services, through its Office for Civil Rights (OCR), is heavily enforcing HIPAA and entering into settlement agreements with those who egregiously violate it. According to the Ponemon Institute, the 2017 average cost of a data breach in the US has risen to a record $7.35 million. The OCR’s goal is not to cause organizational turmoil, but rather to lead organizations to take security and privacy seriously in an industry where the stakes have hit an all-time high.
Below are steps an organization can take to protect and secure its ePHI and reduce its exposure to OCR settlements.
Run Risk Analysis of all systems holding ePHI
Position your organization for a strong security and compliance posture by conducting a risk analysis of all systems holding ePHI. A risk analysis identifies where your ePHI is stored and prioritizes the systems that hold it. With the large number of mergers and acquisitions in the health care industry, coupled with the growing number of cloud applications touching an EMR application, ePHI is difficult to track in today’s digital age. Under the HIPAA Security Rule, every application containing PHI is subject to HIPAA requirements. Conducting a risk analysis to identify all systems and applications that contain ePHI will allow you to better monitor patient information.
Strengthen identity and monitor
To predict and prevent breaches, health care organizations can use behavioral analytics and auditing to ensure the safety of mission-critical applications and systems. A recent Verizon study cites that 63% of breaches involve compromised user credentials. Insider threats continue to grow, and those threats now include outside adversaries who have compromised legitimate users to gain access to PHI through mission-critical applications and systems. To determine what users have access to, perform access rights review and management, including a user inventory of employees, affiliates and vendors. Careless users need to be identified so you can determine who needs training and who needs sanctioning.
Conduct risk assessments
Under HIPAA regulations, the risk assessment appears in the Breach Notification Rule and is what an entity must conduct to determine the probability that health information has been compromised. Its main goal is to determine whether a breach of ePHI must be lawfully reported. The ONC and OCR recently updated their Security Risk Assessment Tool to help guide organizations through the process.
Sign business associate agreements with vendors
It is imperative that every organization and vendor sign a BAA when handling PHI. This ensures that both parties are accountable for creating, receiving or transmitting PHI in a secure and intended manner. If either party violates the BAA, each may face penalties from the U.S. Department of Health and Human Services. Most importantly, find a vendor who takes the BAA very seriously: any organization can sign one, but do they have the proper protocols in place to responsibly handle ePHI? Ask questions and investigate to assess how secure their processes really are.
Maintain perimeter security and firewalls/patches
As we have witnessed in the global ransomware attacks of 2017, maintaining proper perimeter security, including firewalls and patches, is essential to securing your network. The first of these attacks to appear in 2017, WannaCry, hit more than 150 countries and 200,000 computers. The attack preyed on systems that had not applied the Microsoft Windows patch for the vulnerability exploited by EternalBlue. The Petya ransomware outbreak appeared just months later, yet again exploiting systems that had not applied an available patch.
Preventing ransomware attacks requires a multi-layer approach. Not only should your security team keep patches current and track vulnerabilities in your network, but they should also implement the latest perimeter security and firewall technologies to thwart increasingly sophisticated cyber-attacks. Maintaining proactive security means that systems are constantly evaluated and updated to ensure the security of your network.
Encrypt portable devices
While mobile devices have enabled meaningful collaboration and interoperability of health information, they can pose a serious threat to the security of a health care organization. With 96% of physicians using smart phones as their primary device for clinical communications, proper security protocols must be enacted to ensure compliance and security. Consolidating data onto a secure cloud or data center, behind a firewall, will ensure that you have oversight of patient data.
Prepare incident response plan
You should always be ready for the worst-case scenario. Crafting a quality incident response plan (IRP) will help contain security incidents that would otherwise become full-blown breaches involving regulatory authorities. Under the HIPAA Security Rule, IRPs are required for covered entities. The Department of Health and Human Services provides a free Incident Response Plan template to help organizations craft an agile plan for handling incidents. Once created, an IRP requires frequent evaluation and changes to the plan as the organization naturally changes and evolves.
Train employees and maintain acceptable use policies
Organizations can implement a myriad of technologies and procedures to secure ePHI and avoid OCR sanctions, but without proper training and acceptable use policies for employees, those controls can easily be undermined. A clearly defined culture of privacy and security should be driven through any organization handling PHI. Training users on acceptable use policies and procedures through a learning management system (LMS) will contribute to compliance.
Securing patient data and reducing OCR settlements takes a multi-faceted approach in both the short and long run. Organizations need to take immediate action to strengthen their security and privacy programs to ensure patient protection and mitigate the risk of OCR settlements.
About the author: Kurt Long is the Founder and CEO of FairWarning, whose Patient Privacy Intelligence customers represent over 8,000 health care facilities globally, and which protects financial services customers managing over $500 billion in assets. Prior to FairWarning®, Long founded and served as CEO of OpenNetwork Technologies, a leader in web single sign-on and identity management software solutions. As CEO, Long led OpenNetwork to over 2,000 percent growth with customers across the United States, United Kingdom, Europe and Australia. OpenNetwork was acquired by BMC Software of Houston.