Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate systems are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and must evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • Mentoring. This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and is agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore it is hard to assess its effectiveness.

Training tips

Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known and understood, that they are effective, that compliance is guaranteed, and that gaps in policies and procedures are identified.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

New law stops potential criminalization of EMS ‘standing orders’ for timely controlled-substance use

A new bipartisan law, the Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, signed by President Trump on November 17, 2017, amends the Controlled Substances Act (CSA) (P.L. 91-513) to clarify that emergency medical services (EMS) professionals (including nurses, paramedics, and emergency medical technicians) may continue administering controlled substances (contained in schedules II, III, IV, or V), such as pain narcotics and anti-seizure medications, to critical patients pursuant to standing orders (written medical protocols) or verbal orders (oral directives) when authorized by state law (Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, enacted November 17, 2017).

It has been a long-standing practice for medical directors of EMS agencies to write standing orders for the administration of controlled substances by EMS professionals. As reported by Emergency Physicians Monthly, in a January 2015 meeting with the National Association of EMS Physicians (NAEMSP) Executive Committee to discuss possible EMS regulations, the Drug Enforcement Administration (DEA) stated its position that the CSA only allows for patient-specific orders for controlled substances and that it is illegal for EMS agencies to deliver any controlled substances under written medical protocols or standing orders. Therefore, absent this new legislation, it was the position of the DEA that any regulations concerning EMS agencies would be required to prohibit the continued use of standing orders for EMS professionals.

The law also allows EMS agencies the option of having a single DEA registration in each state where the EMS agency administers controlled substances, in lieu of requiring a separate registration for each location of the EMS agency within the state, as long as certain transportation, storage, re-stocking, and recordkeeping rules for controlled substances are followed by the EMS agency. The act further provides that a hospital-based EMS agency may use the DEA registration of the hospital to administer controlled substances without an additional registration of its EMS agency.

The law was introduced as H.R. 304 in the House of Representatives by Reps. Richard Hudson (R-NC) and G.K. Butterfield (D-NC). The Senate version, S. 916, was introduced by Sens. Bill Cassidy (R-La) and Michael Bennet (D-Colo). H.R. 304 initially passed the House by a vote of 404-0 on January 9, 2017. It passed the Senate, as amended, by unanimous consent, on October 24, 2017.

New York dietary supplement maker accused of failing to comply with cGMP regulations

At the request of the FDA, the U.S. Department of Justice filed a civil complaint against Riddhi USA Inc. of Ronkonkoma, New York, and its owner and President Mohd M. Alam, to enjoin the distribution of adulterated and misbranded dietary supplements. The complaint alleges that Riddhi and Alam prepared, packed, and held dietary supplements under conditions that failed to comply with the FDA’s current good manufacturing practice (cGMP) regulations for these products.

According to the complaint, the FDA inspected the Riddhi facility in January 2017 and found numerous significant deviations from cGMP regulations, including a failure to: (1) establish product specifications for identity, purity, strength, and composition of their finished dietary supplements; (2) conduct at least one appropriate test to verify the identity of a dietary ingredient; and (3) establish and follow written procedures for quality control operations.

The complaint further alleges that many of the cGMP deviations were the same as those observed by the FDA during a previous inspection that occurred in January 2016. The complaint notes that on April 27, 2016, the FDA issued a warning letter detailing violations of cGMP regulations observed during the 2016 inspection and that these violations are the same as those observed during the FDA’s subsequent 2017 inspection.

The complaint also alleges that the dietary supplements were misbranded under the labeling provisions of the federal Food, Drug & Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.) because the products are fabricated from two or more ingredients but fail to declare any ingredients on their product labels or labeling. Specifically, the complaint alleges that the dietary supplement Neuroxygen is misbranded because it is manufactured using soy lecithin, which contains “soy,” but soy is not listed on the product label. The complaint also alleges that the products Prenatal Formula, Osteo Gest, Neuroxygen, Inflam-Ease, and All-Ease, are misbranded because their label or labeling fails to declare the place of business of the manufacturer, packer, or distributor.

Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and required written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office for Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.