OCR Kicks Off Phase II of HIPAA Privacy, Security and Breach Notification Audit Program
As the spate of healthcare data breaches continues, the federal government is stepping up its efforts to ensure the industry takes appropriate measures to protect electronic protected health information, on both the small and the large scale.
On Aug. 18, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced ramped-up efforts to investigate breaches involving fewer than 500 individuals. OCR said it would take on more of these smaller investigations, prioritizing them based on factors including the size of the breach; whether it involves the theft or improper disposal of unencrypted protected health information (PHI); and the amount and sensitivity of the PHI involved.
The news follows OCR's record $5.55 million settlement with Advocate Health Care Network for Health Insurance Portability and Accountability Act (HIPAA) violations tied to a 2013 breach involving stolen computers. OCR has also initiated a new round of HIPAA audits.
Over the summer, the OCR notified 167 covered entities that they were selected for the second phase of its auditing efforts around HIPAA.
The first round of audits, conducted in 2012, was designed to test the pilot audit program's effectiveness and offered organizations recommendations to address common compliance challenges and conduct their own self-audits. This time around, audits will involve both covered entities and business associates, examining vulnerabilities that are not currently surfaced through enforcement actions. Desk audits are already underway for covered entities and will start in the fall for business associates; more comprehensive onsite audits will begin in early 2017.
The expanded focus on business associates is well-timed, given another data breach making headlines recently in which attackers gained access to patient information via a health system's food and beverage vendors. A cyberattack that started on the credit card payment systems used for food and beverage purchases quickly moved on to patient information, putting more than 3.5 million of Banner Health's patient records at risk. A Verizon study found that point-of-sale systems are the most frequently compromised asset in healthcare data breaches, ahead of desktop workstations.
Ultimately, the OCR hopes to help the industry improve cybersecurity strategies by identifying best practices to mitigate breaches, and offering further guidance for improving compliance self-evaluations.
Few industries other than healthcare store and combine mass quantities of PHI, Personally Identifiable Information (PII) and Personal Payment Information (PPI). Each type of data is highly sought after by cyber criminals and easily monetized on the dark web. In combination, the criminal value of these data sets skyrockets, because together they enable multiple high-profit crimes such as identity theft, financial fraud and healthcare fraud.
PHI alone can be worth 10 to 50 times as much as a stolen credit card number on the dark web. One reason? A stolen credit card has a shelf life: fraudulent use is easily detected by financial institutions and customers, and the card loses its value when cancelled. Health records, unlike a credit card or even a Social Security number, cannot be canceled and re-issued; an x-ray or a diagnosis is permanent, so the record has enduring value to the criminal. Often, the owners of the medical records never realize their information has been stolen. Nor do the healthcare industry and insurers possess a central database that catalogs stolen healthcare records, one that could alert an insurer that, for instance, billing for patient X using healthcare record Y issued on a certain date is indicative of fraud.
Criminals can use PHI to submit false billing for treatments, equipment or prescription drugs that may be resold for a profit. Criminals can also take on someone's identity to obtain medical treatment without cost. Loss of PHI, then, can set off waves of fraudulent bills and a cycle of audits and fines for the provider, to say nothing of the loss of patient and consumer trust and the financial cost of addressing the breach itself. Recent breaches are good reminders of the importance of cybersecurity steps outside of network security. Time after time, breaches are the result of human failures, negligence, noncompliant workarounds or naivety about suspicious links.
Many providers don’t realize, until they’re investigated by a regulator, that investigators will probe not only a flagged incident, like loss of a phone, but they’ll also open the hood on the entire car to take a look at the cybersecurity policies and protocols across the organization. A well-rounded and documented cybersecurity plan is crucial and should address the following:
Regular risk assessments:
Entities should perform regular risk assessments through which they identify and classify their assets, risks, threats and vulnerabilities. Based on the results of the assessment, they can develop policies and procedures that address the entity's specific risks and vulnerabilities. Risk assessments are broad in nature, sweeping across infrastructure, privacy and cybersecurity.
Data/network mapping and access control/management:
Entities need to know where all HIPAA information is stored, how it traverses the network and the security around that data–who has access, who has control, who has what privileges? Is it encrypted at rest and in transit? Data mapping is a massive undertaking, often underestimated, but providers must know where data is to protect it appropriately. Collaterally, organizations must map their network, understanding the location and functionality of all computers, servers, routers, related hardware and end points. Are all the devices identified, properly patched and adequately protected? Are they all behind the firewall?
Several recent breaches were due to stolen hardware. Mobile device management, or MDM, can reduce some of these human-error risks. Do you know about every mobile device in your organization that contains PHI? Can you wipe them remotely? Are they encrypted, so that the data cannot be read without the device passcode? Is two-factor or multi-factor authentication required to access the most sensitive devices, data and email systems? Is audit logging active on the devices, and is it reviewed on a regular basis?
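The questions above only help once they are asked of every device in the inventory, not just the one that went missing. The script below is an added example, not code from the original article or from BDO: it runs that checklist over a constructed device inventory and ranks the gaps, weighting unencrypted PHI on a portable device highest because that is the stolen-laptop scenario behind so many reported breaches. The record layout, the 30-day patch SLA, the weights and the sample devices are all assumptions for illustration.

```python
"""Rank PHI-bearing devices by the control gaps in the checklist above.

Added example, not from the original article. Field names, thresholds,
weights and the sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 30                           # assumed policy threshold
MOBILE_KINDS = {"laptop", "phone", "tablet"}  # devices that walk out the door


@dataclass(frozen=True)
class Device:
    name: str
    kind: str               # laptop, phone, tablet, workstation, server, pos
    holds_phi: bool         # does PHI live on this device?
    encrypted_at_rest: bool
    mdm_enrolled: bool      # enrolled in MDM, so it can be wiped remotely
    mfa_required: bool      # MFA needed to reach its data or mail
    audit_logging: bool     # device-level audit logging switched on
    last_patched: date
    behind_firewall: bool


def findings_for(dev: Device, today: date) -> list[tuple[int, str]]:
    """Return (weight, description) pairs, one per control gap on a device."""
    gaps = []
    if dev.holds_phi and not dev.encrypted_at_rest:
        # Unencrypted PHI on a portable device is the classic stolen-laptop
        # breach, so it carries the heaviest weight.
        weight = 8 if dev.kind in MOBILE_KINDS else 5
        gaps.append((weight, "PHI stored without encryption at rest"))
    if dev.kind in MOBILE_KINDS and not dev.mdm_enrolled:
        gaps.append((3, "mobile device not enrolled in MDM (no remote wipe)"))
    if dev.holds_phi and not dev.mfa_required:
        gaps.append((2, "PHI reachable without multi-factor authentication"))
    if not dev.audit_logging:
        gaps.append((2, "audit logging disabled"))
    overdue = (today - dev.last_patched).days - PATCH_SLA_DAYS
    if overdue > 0:
        gaps.append((2, f"patching {overdue} days past the {PATCH_SLA_DAYS}-day SLA"))
    if not dev.behind_firewall:
        gaps.append((3, "not behind the firewall / unsegmented"))
    return gaps


def risk_score(gaps: list[tuple[int, str]]) -> int:
    return sum(weight for weight, _ in gaps)


def gap_report(inventory: list[Device], today: date) -> list[tuple[str, int, list[str]]]:
    """(name, score, descriptions) for every device with at least one gap, worst first."""
    rows = []
    for dev in inventory:
        gaps = findings_for(dev, today)
        if gaps:
            rows.append((dev.name, risk_score(gaps), [text for _, text in gaps]))
    rows.sort(key=lambda row: row[1], reverse=True)  # stable sort: ties keep inventory order
    return rows


# Constructed sample inventory (hypothetical hosts, not real data).
AS_OF = date(2016, 9, 1)
SAMPLE_INVENTORY = [
    Device("rad-laptop-07", "laptop", True, False, False, False, True, date(2016, 5, 1), True),
    Device("ehr-db-01", "server", True, True, False, True, True, date(2016, 8, 25), True),
    Device("cafe-pos-03", "pos", False, False, False, False, False, date(2016, 2, 10), False),
    Device("nurse-phone-12", "phone", True, True, True, True, False, date(2016, 8, 20), True),
    Device("billing-wks-04", "workstation", True, True, False, False, True, date(2016, 8, 30), True),
]

if __name__ == "__main__":
    for name, score, texts in gap_report(SAMPLE_INVENTORY, AS_OF):
        print(f"{name:16} score={score:2}  " + "; ".join(texts))
```

The output puts the unencrypted radiology laptop at the top and the unsegmented cafeteria point-of-sale terminal second, even though the terminal holds no PHI, which is the Banner Health lesson: a vendor device on the flat network is an entry point. The encrypted, MDM-enrolled, MFA-protected database server produces no finding at all.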
Third-party due diligence:
The OCR is starting business associate auditing this fall. Vendor systems can be an access point or weak link in your protection, and as electronic health records are shared more commonly among providers, security will only be as strong as the weakest link. Third-party risk due diligence must be done throughout the prospect, initiation and ongoing relationship stages to isolate changes in risk and vulnerability postures.
Top-down security mindset that supports staffing and training:
The board may not be building firewalls, but members must be informed and proactive in taking ownership over cybersecurity. Does the organization have a dedicated information security function? How is that person or team empowered by leadership and functionally aligned within the organization? Is the staff training not just provided, but reinforced through such means as “spear phishing” tests to objectively measure the effectiveness?
Well-documented policies, standards and procedures:
Providers should document their cybersecurity mindset and be able to produce specific guidance, like their cyber incident response plan, the types and frequency of network security tests performed, and training protocols.
How do I get more information?
For more information about how providers and healthcare organizations can improve their cybersecurity preparedness, please contact:
Managing Director, BDO Consulting Technology Advisory Services and Head of BDO’s Cybersecurity and Financial Crimes Unit
Chief Transformation Officer and Managing Director, BDO Healthcare Advisory
Practice Leader, BDO Healthcare Advisory