Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report focuses on software bugs and patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance and without them vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: The challenge of protecting PHI

The challenges of securing sensitive information which is stored electronically, has become extremely difficult in the face of legal requirements to do so, and every day there are new reports of data breaches in the health care sector. Few would argue that it is likely that this kind of threat will continue to grow. There are some positive news on this front. According to Risk Based Security’s recent first quarter 2018 data breach report, the number of data breaches in the first quarter of 2018 marked a four-year low with a total of 685 breaches. This number is down from 1,444 breaches in the first quarter of 2017 and 1,153 in the first quarter of 2016. Overall, businesses saw the most reported breaches at 50.4 percent during the first quarter while medical breaches came in at 10.2 percent, according to the report. Within the health care sector, practitioners’ offices saw 43.4 percent of the data breaches while hospitals saw 30.2 percent and medical facilities were at 17.1 percent.  However, health care providers, managed care organizations, and others having access to patient data remain extremely vulnerable to cyber and ransom attacks because information is critical to operations and the need to share data among multiple parties creates opportunities for attack. Many organizations rely upon outdated software and lack controls over those with access to the systems. Not being able to access patient data can shut an organization down. Those desiring data for criminal use can find the needed identifiable data in patient records that include name, date of birth, Social Security Number, family information, and often credit information.

Dr. Cornelia Dorfschmid, PhD is an expert in this area and noted that there are many different measures available to take preventative measures to protect PHI, beginning with encryption that is the most basic method used. She offered a number of steps and tips that health care organizations can take to mitigate their exposure and risks to hacking:

  1. Ensure patient data is stored in an encrypted database
  2. Maintain close control and encryption over any removable media
  3. Have multi-levels of passwords to access any database storing PHI and change passwords frequently
  4. Periodically run background checks and sanction-screening on those handling PHI
  5. Make sure malware detection software is running on servers and workstations
  6. Ensure that your firewalls are up and secure
  7. Review and implement standard network security controls
  8. Protect PHI and other sensitive information wherever it is stored sent or used
  9. Control against shifting data from one device to another external device
  10. Restrict the downloading of data
  11. Shred all the files and folders before disposing of any storage equipment
  12. Ban unencrypted devices, including laptops and other portable devices
  13. Use solid passwords for any access and change them from time to time
  14. Limit accessibility to those who are working on company’s sensitive data
  15. Provide privacy and security training to all employees and others with access to data
  16. Establish a breach response plan to trigger a quick response to data breaches to limit harm
  17. Develop and maintain a disaster recovery plan should a breach occur
  18. Be on the lookout for any suspicious network activity
  19. Track movement of data within the network
  20. Use automated systems to regularly check password settings, server and firewall controls
  21. As part of ongoing monitoring, periodically check security controls

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: HIPAA enforcement update

At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that since September 2009 through the end of 2017 there were 2178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. Individuals affected by the large breaches were about 177 million. So far, OCR’s website has posted 38 breaches as of April 2018. In all, nearly one million patients may have had their PHI put at risk by these incidents with the number continuing to grow. The breakdown of type of large breaches includes:

  • Loss/Theft continues as the most often reported problem; nearly half of the cases.
  • Laptops and other portable storage devices represented one fourth of large breaches.
  • Hacking/IT Incidents account for about one in five reported incidents.
  • Paper records accounted for another fifth of the large breaches

10 largest 2018 incidents to date by number of patient records affected

  1. 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
  2. 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
  3. 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
  4. 70,320 – Tufts Associated Health Maintenance Organization, Inc. reported on 2/16/2018 an Unauthorized Access/Disclosure Incident
  5. 63,551 – Middletown Medical P.C.,  3/29/201 an Unauthorized Access/Disclosure
  6. 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
  7. 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
  8. 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
  9. 34,637 – City of Houston Medical Plan reported on 3/22/2018 a Theft of Laptop Incident
  10. 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure

Top 10 Recurring Compliance Issues

  1. Pattern of disclosure with sensitive paper PHI
  2. Business Associate Agreements
  3. Risk analysis issues
  4. Failure to manage identified risk, e.g. Encryption of data
  5. Lack of transmission security
  6. Lack of appropriate auditing
  7. No patching of software
  8. Insider threats from employees and contactors
  9. Improper disposal of data
  10. Insufficient data backup and contingency planning

HHS OCR calls for health care organizations to establish contingency plans to keep patient data secure and mandate that covered entities and business associates have such plans. In their March newsletter, OCR officials urged health care organizations to figure out which IT systems are critical, to understand how to function in a disaster, and to back up PHI so it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be routinely tested to identify gaps and ensure updates for plan effectiveness and increase organizational awareness. The plan should be reviewed and updated on a regular basis when there are changes: technical, operational, or in personnel.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Physicians must comply with sharing patient information

Under the electronic health records (EHR) metric, The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) requires attestations from doctors that they are not knowingly and willfully limiting or restricting their EHR’s ability to share information with providers that may have different record systems.  CMS has issued new guidance reminding providers of their responsibilities to promptly share medical information with patients and other clinicians, or else face financial penalties. The targets are providers participating in the Merit-based Incentive Payment System (MIPS) to comply with MACRA. The notice stated physicians will need to attest that they are not engaged in information blocking and that they give patients their data in a timely fashion. Many physicians and medical practices use vendors for their information management systems. They will now have to ensure their vendors enable them to comply with the information sharing mandates.

Under MIPS, providers become eligible for either bonus payments or penalties based on their performance, including evidence of quality improvement, cost reduction or maintaining current levels of spending; efficient use of EHRs; and clinical improvement activities such as later office hours and greater use of care coordination. The Prevention of Information Blocking Attestation has three related statements for MIPS eligible clinicians:

  1. They did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of Certified EHR Technology (CEHRT).
  2. They implemented technologies, standards, policies, practices, and agreements reasonably calculated to ensure the CEHRT was connected and compliance with applicable law and standards for timely access by patients to their data and other health care providers.
  3. They responded in good faith and in a timely manner to request to retrieve or exchange EHR from patients and other health care providers.

CMS also stated that physicians would not be held accountable for things outside of their control, but must get adequate assurances from their vendors that they are able to comply with the information sharing requirements. On the other hand, physicians must take care that they don’t violate the HIPAA Privacy law for patient Protected Health Information (PHI).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.