Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report that focuses on software bugs and the patches designed to reduce the vulnerability of computer systems that put electronic protected health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow malware to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed the problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance; without patches, vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI, and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Conducting compliance risk assessments

The issue of conducting compliance risk assessments continues to be a challenge for Compliance Officers. In SAI Global’s ninth annual Compliance Benchmark Survey, conducted with Strategic Management Services, nearly four out of ten responding organizations reported that the Compliance Office had responsibility for all risk management, not just for the compliance program. As with all program managers, Compliance Officers have responsibility for risk management in their areas of responsibility. This includes conducting risk assessments as part of ongoing monitoring. However, there remains a lot of confusion among compliance officers and organizations regarding the whole subject. Regardless of who assumes responsibility for assessing risk areas, the subject should begin with how regulatory bodies define risk assessment.

Defining risk assessment

Federal Regulations. (e) Annual review. The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care (see 42 C.F.R. 483.85).

US Sentencing Commission Guidelines Manual. 2(a)(5) The organization shall take reasonable steps—(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program (§8B2.1 Nov. 2016).

OIG Compliance Guidance Documents. The OIG has, in a variety of compliance guidance documents, called for compliance risk assessments. For example, in its Compliance Guidance for Nursing Facilities it “recommend[s] that all nursing facilities evaluate their current compliance policies and procedures by conducting a baseline assessment of risk areas, as well as subsequent reevaluations. . .” How a nursing facility assesses its compliance program performance is therefore integral to its success. The attributes of each individual element of a compliance program must be evaluated in order to assess the program’s “effectiveness” as a whole. Examining the comprehensiveness of the policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how the compliance program performs during the provider’s day-to-day operations is the critical indicator.

When conducting a risk assessment, it is necessary first to determine its objectives. The following offers ideas and tips concerning compliance program risk assessment.

Compliance program risk assessment objectives

  • Verify all the elements of the compliance program have been implemented
  • Determine whether all the elements are functioning as planned
  • Evaluate the documentation evidencing effectiveness of the program
  • Identify compliance program strengths, as well as areas warranting improvement
  • Develop a work plan to measure program improvements and address any weaknesses

Questions to ask about compliance risk areas

  • Were levels of risk and vulnerabilities assigned?
  • Is there an annual work plan to address identified high-risk areas?
  • Are there internal controls and policies addressing high-risk areas?
  • Are policies periodically reviewed and updated?
  • Do policies address applicable regulations, recent OIG Work Plans, etc.?
  • Were compliance-related policies distributed to all covered persons?
  • Is there a Code of Conduct that provides compliance guidelines for employees?
  • Did employees sign a receipt evidencing receipt of the Code of Conduct?
  • What evidence is there that employees were trained on the Code and policies?
  • What evidence exists that employees understood and remembered the lessons?


Kusserow on Compliance: Tips on developing and revising the ‘Code of Conduct’

All compliance guidance, from the U.S. Sentencing Commission to the HHS Office of Inspector General (OIG) and DOJ, has called for a Code of Conduct as a foundation document for any effective compliance program. However, many such codes are far out of date and fail to provide the guidance employees need on their compliance obligations. The OIG’s compliance program guidance was a major stimulus for adopting Codes of Conduct. In the early days of responding to that guidance, many organizations quickly developed a “Compliance Plan” that included all seven elements of the program, including a Code. Unfortunately, plans are statements of intent, not an operating program, and converting them into fully functioning and effective programs has taken years. That work has included reviewing, revising, and updating the Code of Conduct and compliance-related policies.

Daniel Peake of the Compliance Resource Center (CRC) (dpeake@compliancereource.com, (703) 236-9854) works with compliance officers to provide a variety of compliance-related services, including the Policy Resource Center (PRC), which provides templates for compliance-related documents such as Codes, charters, policies, and audit guides. He notes that although the PRC offers Code templates, it is important that the Code reflect the organization’s spirit, tone, and culture. If it does not ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult. The Code should be tailored to be an extension of the organization’s mission and vision. It needs to be part of an ongoing monitoring effort, subject to periodic reviews, to ensure it remains up to date with the ever-changing regulatory environment. He offered the following tips:

11 tips for developing or revising the Code of Conduct

  1. Determine whether it is time to review and possibly update the Code. Answering the following will help in making that determination: (a) When was the Code last reviewed/revised? (b) Have there been any significant changes in law, regulation, or guidance since the last revision? (c) Have there been any changes/updates to compliance policies since the last revision?
  2. Review Code templates and examples from other similar organizations. It is useful to review the codes of other organizations to help focus on what is needed, and this can save a lot of time and effort. However, copying a Code from another source may prove problematic if it runs counter to the culture of the organization.
  3. Gain buy-in from executive leadership. This is critical and needs to include the personal involvement of the Compliance Officer, as well as HRM and Legal Counsel.
  4. Introductory letter from the CEO. It is a best practice to have the CEO introduce and endorse the Code, stating that (a) everyone is equally obligated to adhere to it, (b) everyone has a duty to report potential violations without fear of retaliation, (c) a confidential hotline is available to report confidentially or anonymously, etc.
  5. Reference the Code against compliance-related policies. The Code must not conflict with policies and procedures, as that would risk potential liabilities.
  6. Consider using experts to facilitate the process. There is no need to “reinvent the wheel.” Code development/revision can be simplified, facilitated, and guided by compliance experts in this field, who can ensure inclusion of key concepts, including those called for by the HHS OIG.
  7. Determine core Code content. Key to developing a successful Code is ensuring that it addresses the needs of all stakeholders (i.e., management, employees, Board, regulatory agencies, etc.).
  8. The Code must detail procedures for addressing compliance issues. Employees should feel comfortable approaching their supervisor, other members of management, HR, or the Compliance Office. In addition, there must be an option to report to a confidential hotline.
  9. Dissemination of the Code. The Code must be made available to all covered persons through an intranet, in hard copy with signed receipt, through compliance training, or a combination of these. If the Code is not new but has been revised, then steps need to be taken to stop dissemination of the old version.
  10. Translating the Code into other languages. A decision is needed as to whether the Code will be provided only in English or also in other languages. If it will be disseminated in multiple languages, the challenge will be to ensure the Code is written in simple terms, avoiding slang or jargon that will create problems in producing translations equivalent in meaning.
  11. Ensure all out-of-date Codes are removed from the website and hard copies are collected. Having more than one version of the Code in circulation at the same time is a formula for creating problems.


Kusserow on Compliance: The challenge of protecting PHI

Securing sensitive information that is stored electronically has become extremely difficult, even in the face of legal requirements to do so, and every day there are new reports of data breaches in the health care sector. Few would argue against the likelihood that this kind of threat will continue to grow. There is some positive news on this front. According to Risk Based Security’s recent first quarter 2018 data breach report, the number of data breaches in the first quarter of 2018 marked a four-year low with a total of 685 breaches. This number is down from 1,444 breaches in the first quarter of 2017 and 1,153 in the first quarter of 2016. Overall, businesses saw the most reported breaches at 50.4 percent during the first quarter, while medical breaches came in at 10.2 percent, according to the report. Within the health care sector, practitioners’ offices saw 43.4 percent of the data breaches, while hospitals saw 30.2 percent and medical facilities were at 17.1 percent. However, health care providers, managed care organizations, and others having access to patient data remain extremely vulnerable to cyber and ransom attacks, because information is critical to operations and the need to share data among multiple parties creates opportunities for attack. Many organizations rely upon outdated software and lack controls over those with access to their systems. Not being able to access patient data can shut an organization down. Those seeking data for criminal use can find the needed identifiable data in patient records, which include name, date of birth, Social Security Number, family information, and often credit information.

Dr. Cornelia Dorfschmid, PhD, is an expert in this area and noted that there are many different preventive measures available to protect PHI, beginning with encryption, which is the most basic method used. She offered a number of steps and tips that health care organizations can take to mitigate their exposure and risk of hacking:

  1. Ensure patient data is stored in an encrypted database
  2. Maintain close control and encryption over any removable media
  3. Have multiple levels of passwords to access any database storing PHI and change passwords frequently
  4. Periodically run background checks and sanction-screening on those handling PHI
  5. Make sure malware detection software is running on servers and workstations
  6. Ensure that your firewalls are up and secure
  7. Review and implement standard network security controls
  8. Protect PHI and other sensitive information wherever it is stored, sent, or used
  9. Control against shifting data from one device to another external device
  10. Restrict the downloading of data
  11. Shred all the files and folders before disposing of any storage equipment
  12. Ban unencrypted devices, including laptops and other portable devices
  13. Use solid passwords for any access and change them from time to time
  14. Limit access to those who are working on the company’s sensitive data
  15. Provide privacy and security training to all employees and others with access to data
  16. Establish a breach response plan to trigger a quick response to data breaches to limit harm
  17. Develop and maintain a disaster recovery plan should a breach occur
  18. Be on the lookout for any suspicious network activity
  19. Track movement of data within the network
  20. Use automated systems to regularly check password settings, server and firewall controls
  21. As part of ongoing monitoring, periodically check security controls
