Kusserow on Compliance: The challenge of protecting PHI

The challenges of securing sensitive information which is stored electronically, has become extremely difficult in the face of legal requirements to do so, and every day there are new reports of data breaches in the health care sector. Few would argue that it is likely that this kind of threat will continue to grow. There are some positive news on this front. According to Risk Based Security’s recent first quarter 2018 data breach report, the number of data breaches in the first quarter of 2018 marked a four-year low with a total of 685 breaches. This number is down from 1,444 breaches in the first quarter of 2017 and 1,153 in the first quarter of 2016. Overall, businesses saw the most reported breaches at 50.4 percent during the first quarter while medical breaches came in at 10.2 percent, according to the report. Within the health care sector, practitioners’ offices saw 43.4 percent of the data breaches while hospitals saw 30.2 percent and medical facilities were at 17.1 percent.  However, health care providers, managed care organizations, and others having access to patient data remain extremely vulnerable to cyber and ransom attacks because information is critical to operations and the need to share data among multiple parties creates opportunities for attack. Many organizations rely upon outdated software and lack controls over those with access to the systems. Not being able to access patient data can shut an organization down. Those desiring data for criminal use can find the needed identifiable data in patient records that include name, date of birth, Social Security Number, family information, and often credit information.

Dr. Cornelia Dorfschmid, PhD is an expert in this area and noted that there are many different measures available to take preventative measures to protect PHI, beginning with encryption that is the most basic method used. She offered a number of steps and tips that health care organizations can take to mitigate their exposure and risks to hacking:

  1. Ensure patient data is stored in an encrypted database
  2. Maintain close control and encryption over any removable media
  3. Have multi-levels of passwords to access any database storing PHI and change passwords frequently
  4. Periodically run background checks and sanction-screening on those handling PHI
  5. Make sure malware detection software is running on servers and workstations
  6. Ensure that your firewalls are up and secure
  7. Review and implement standard network security controls
  8. Protect PHI and other sensitive information wherever it is stored sent or used
  9. Control against shifting data from one device to another external device
  10. Restrict the downloading of data
  11. Shred all the files and folders before disposing of any storage equipment
  12. Ban unencrypted devices, including laptops and other portable devices
  13. Use solid passwords for any access and change them from time to time
  14. Limit accessibility to those who are working on company’s sensitive data
  15. Provide privacy and security training to all employees and others with access to data
  16. Establish a breach response plan to trigger a quick response to data breaches to limit harm
  17. Develop and maintain a disaster recovery plan should a breach occur
  18. Be on the lookout for any suspicious network activity
  19. Track movement of data within the network
  20. Use automated systems to regularly check password settings, server and firewall controls
  21. As part of ongoing monitoring, periodically check security controls

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: HIPAA enforcement update

At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that since September 2009 through the end of 2017 there were 2178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. Individuals affected by the large breaches were about 177 million. So far, OCR’s website has posted 38 breaches as of April 2018. In all, nearly one million patients may have had their PHI put at risk by these incidents with the number continuing to grow. The breakdown of type of large breaches includes:

  • Loss/Theft continues as the most often reported problem; nearly half of the cases.
  • Laptops and other portable storage devices represented one fourth of large breaches.
  • Hacking/IT Incidents account for about one in five reported incidents.
  • Paper records accounted for another fifth of the large breaches

10 largest 2018 incidents to date by number of patient records affected

  1. 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
  2. 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc. reported on 2/16/2018 an Unauthorized Access/Disclosure Incident
  5. 63,551 – Middletown Medical P.C.,  3/29/201 an Unauthorized Access/Disclosure
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
  7. 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
  8. 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
  9. 34,637 – City of Houston Medical Plan reported on 3/22/2018 a Theft of Laptop Incident
  10. 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure

Top 10 Recurring Compliance Issues

  1. Pattern of disclosure with sensitive paper PHI
  2. Business Associate Agreements
  3. Risk analysis issues
  4. Failure to manage identified risk, e.g. Encryption of data
  5. Lack of transmission security
  6. Lack of appropriate auditing
  7. No patching of software
  8. Insider threats from employees and contactors
  9. Improper disposal of data
  10. Insufficient data backup and contingency planning

HHS OCR calls for health care organizations to establish contingency plans to keep patient data secure and mandate that covered entities and business associates have such plans. In their March newsletter, OCR officials urged health care organizations to figure out which IT systems are critical, to understand how to function in a disaster, and to back up PHI so it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be routinely tested to identify gaps and ensure updates for plan effectiveness and increase organizational awareness. The plan should be reviewed and updated on a regular basis when there are changes: technical, operational, or in personnel.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

The HHS Office for Civil Rights (OCR) HIPAA Privacy Rule enforcement has been steadily increasing since it began the effort in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR has been enforcing the HIPAA Rules where an investigation indicates noncompliance by the covered entity or their business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases resulting in a total dollar amount of about $75,000,000. The average of enforcement penalties has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement, because of lack of jurisdiction; complaints were untimely or withdrawn by the filer; or the activity described didn’t violate HIPAA;

 

Cases that OCR closes fall into five categories:

 

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

 

  1. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.

 

  1. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA rules.

 

  1. Investigation results corrective action obtained. OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.

 

  1. Other. OCR may investigate a case if (1) DOJ is investigating the matter; (b) it was as result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting deploying additional resources.

 

Order of frequency of issues investigated

 

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

 

Most common types of entities resulting in corrective actions

 

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: The OIG on Health IT security

Many are not aware of the fact that the HHS OIG boasts having an A-class team that focuses on IT controls and engages in what they refer to as penetration testing or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards may have a shelf life, if they’re compromised, of just a day or two. This makes them very valuable for criminals that can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing, as a means to help strengthen IT vulnerabilities. By engaging in penetration testing or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common testing of IT systems is determining whether passwords are being changed periodically.  The OIG stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management attention to addressing them and raising their awareness to cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimate for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity.  The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.