IT experts say foreign actors, human error biggest threats to health record security

Foreign hackers and human error are two of the most significant threats to protected health information (PHI) and other health records that providers and health care entities must prepare for, according to four information technology experts speaking at a conference sponsored by Becker’s Hospital Review. They all agreed that breaches and cyberattacks will continue, so health care institutions must be diligent about security systems, audits, training, insurance, and adequately responding to breaches to mitigate punishment and quickly recovery from an attack..

Weakest link 

Aaron Miri, chief information officer for Imprivita, and Michael Leonard, director at Commvault, both noted that regardless of the tools and systems put in place to ward off breaches, malware, ransomware, and other cybersecurity threats, people will always be the weakest link. Leonard noted that when it comes to an institution’s cybersecurity program, “people training has to be continuous and repetitive.”

Katherine Downing, senior director at the American Health Information Management Association (AHIMA), highlighted one type of “insider threat”—physicians who do work arounds that bypass the security features of electronic health record (EHR) systems (like texting PHI about patients to each other). Although David Miller, CEO of HCCIO Consulting, LLC, was blunter when asked what the biggest threat was to PHI and other health records—”Russia and China.”

Jurisdictions

Miri noted that providers must deal with a “wide disparity of laws” regarding the security and privacy of health information, not just federal and state laws, but, starting in May 2018, the General Data Protection Regulation (GDPR) issued by the European Union. The GDPR replaces a framework of different information security measures that mainly affected just European companies with a national network and information security strategy that will impact American life sciences and healthcare entities that collect and/or use any data concerning health, genetic data, or other types of protected health information (PHI).

Audits

Miller expressed amazement at how many health care institutions have not had a HIPAA audit in the previous two years. The HHS Office for Civil Rights (OCR) reviews organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules and looks for documentary proof that entities have conducted risk assessments and created and implemented policies and procedures governing areas including the shielding of PHI. Miller noted that providers must continually educate and re-educate staff on policies related to HIPAA. But he added that providers can also “take advantage of a breach situation to talk to senior management to increase security measures.”

Record retention

In addition to protecting PHI, health care entities have to make decisions about destroying records after record retention periods have ended. Katherine Downing, senior director at the American Health Information Management Association (AHIMA), noted that entities “can’t keep everything forever.” Downing noted that health care entities already have the expense of saving, backing up, and securing required health records; doing the same for older records that no longer have to be retained is just an added expense.

In the end, Miri noted that these are the questions that health care entities have to ask: What are they willing to spend to avoid a breach? What are they willing to risk regarding their reputations?

Kusserow on Compliance: Defending against ransomware threat

Cyber attacks have risen to dramatic levels over the last two year and are likely averaging one attack a day, with the most disturbing trend involving ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their client and the threat will continue to increase over the coming years. Data breaches include actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. Ransomware typically involve a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data.  The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The healthcare industry, particularly hospitals, have proven to be a soft target, as they need to have immediate access to their patient information and many have paid the ransom to regain control over it. The healthcare sector is considered a “soft target” for Ransomware attacks, particularly hospitals that are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. As such, compliance officers need to consider this a compliance high-risk area where ongoing monitoring and auditing applies.  Simply assuming that someone in IT is addressing this problem area can be a big mistake. At the same time, the compliance office is not responsible for the program, but is responsible to ensure that those that have that responsibility are doing their job, including IT and human resource management (HRM).

According to new studies reported, healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare (a) over half of emails contained spam; (b) one in 4,375 emails being a phishing attempt; and (c) email-borne ransom-ware spiked 266% over the previous year.  The Ponemon Institute further found breaches could be costing the healthcare industry $6.2 billion annually. All these studies indicate that the biggest vulnerability to cyber attacks is employees that let-down their guard when opening or responding to emails from unknown sources. Often “scammers” create the appearance of legitimate sites, including using similar names, emblems of companies and even government agencies, etc. (including the OIG and IRS). Once someone opens the door, all kinds of bad things can happen.

Practical Tips

  1. Implement policies and procedures on taking precautions against malware and train all covered persons on them.
  2. Ensure ongoing (repeated) training of employees to keep them aware and being on guard against allowing software breaches by clicking on an email link or attachment, or responding to “pfishing” inquiries.
  3. Don’t entirely rely upon employees to always do the right thing and provide assistance by configuring email servers to block zip or other files that are likely to be malicious.
  4. Restrict permissions to areas of the network by limiting the number of people accessing files on a single server, so that if a server gets infected, it won’t spread to everyone.
  5. Limit employee access to systems on a need to know standard.
  6. Security efforts should focus on those files that are most critical, patient records.
  7. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
  8. Maintain disaster recovery, emergency operations, and frequent data backups to permit restoring of lost data in case of an attack.
  9. Move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network; disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

 

Kusserow on Compliance: CMS to issue new Medicare card to 60 million beneficiaries

New cards will no longer contain Social Security number

Over 2.5 million beneficiaries are victims of identity theft incidents

CMS is readying a fraud prevention initiative that removes Social Security numbers from Medicare cards to help combat identity theft, and safeguard taxpayer dollars.  This is being done to meet the congressional deadline for replacing all Medicare cards by April 2019 that followed the passage of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). CMS will assign all Medicare beneficiaries a new, unique a Medicare Beneficiary Identifier (MBI) number which will contain a combination of numbers and uppercase letters. Beneficiaries will be instructed to safely and securely destroy their current Medicare cards and keep the new MBI confidential. Issuance of the new MBI will not change the benefits a Medicare beneficiary receives and will be designed to help protect against personal identity theft affects a large and growing number of seniors.  According to the DOJ, people age 65 or older are increasingly the victims of this type of crime that now are estimated to affect 2.6 million seniors a year. Two-thirds of all identity theft victims reported a direct financial loss with also the problems associated with disrupting lives, damage credit ratings, and result in inaccuracies in medical records and costly false claims.

New card will be mailed beginning in April 2018 and will use the unique, randomly-assigned MIB number to replace the Social Security-based Health Insurance Claim Number (HICN) currently used on the Medicare card.  Providers and beneficiaries will both be able to use secure look up tools that will support quick access to MBIs when they need them. There will also be a 21-month transition period where providers will be able to use either the MBI or the HICN further easing the transition.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled, HIPAA: Marketing and Contracting Solutions for Health IT Vendors. William J. Roberts, partner at Shipman & Goodman LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

Pitches

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including its establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or more than one for different types of customers. Roberts advised knowing what a vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, barebones breach notice within five days or a more thorough notice at 15 days.

If customers are or might someday be substance abuse treatment providers, the vendor should consider this same approach for qualified service organization agreements. The vendor should review its customers and potential targets for the application of the “Part 2” confidentiality rules and include a provision in the agreement requiring the customer to notify the vendor of the customer’s status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.