Gatekeeping vital to a best practice organization

Gatekeeping should be viewed as a first line of defense, protecting not only a healthcare organization but its patients as well. In a Health Care Compliance Association (HCCA) webinar titled “Gatekeeping & Monitoring – Developing Sound Processes for Screening, Removal & Reinstatement,” Amy Andersen, Director of Operations at Verisys Corp., noted that every organization can be placed on a risk-aversion spectrum. At one end, the most risk-averse organizations use best practice compliance to achieve stellar outcomes. At the other end, non-compliant organizations risk fines and loss of reputation. The greatest monetary cost of establishing gatekeeping measures is change management and system implementation. Regardless, best practice organizations need to be proactive about gatekeeping and monitoring rather than addressing problems after the fact.

Gatekeepers

The best way to protect an organization is to implement a gatekeeping strategy. Gatekeeping means ensuring that information is properly disseminated within an organization and among its associates. Thus, the first consideration for an organization is which parties are being let into the organization. Organizations should focus not only on the healthcare professionals within their organizations, but also on the vendors and contractors employed by the organization. Andersen noted that the vendor space is one of the most overlooked areas in protecting an organization.

Second, once an organization permits vendors or individuals into the organization, it must readily identify any gaps. In essence, Andersen said, the organization should understand what it knows and does not know about the admitted vendor or individual.

Finally, the organization should establish criteria for admittance of these vendors or individuals. Thus, an organization’s gatekeeping strategy should include three parts: (1) identification, (2) communication, and (3) remediation.

Identification, communication, and remediation

At the most basic level, identification starts with screening and monitoring. Some barriers to gatekeeping include data “hoarders,” entities that do not share what they know or that require you to pass through a gate of their own. These entities can be threats to the organization.

Andersen advised that organizations should examine and avoid unconsidered risks, which are created when an organization silos information within itself. In terms of credentialing, Andersen stressed “verify, verify, verify.” She cautioned against siloing, noting that organizations should conduct holistic reviews to determine whether the departments within the organization are communicating risks to one another effectively.

Access to information is vital. Once identification generates data for the organization, the relevant information must be made visible. After the applicable policies and procedures have been consulted, the organization must take action in a consistent manner. This includes removing individuals from the organization or vendors from a business relationship; expectations should be laid out clearly. Any auditing that is done should be unbiased and adhere to industry standards.

Covered entities should report cybersecurity threats, but no PHI disclosures

Cyber threats are becoming more and more common, both in general and specifically in the health sphere. The Department of Homeland Security operates the National Cybersecurity and Communications Integration Center (NCCIC), with four branches dedicated to protecting the right to privacy in the government, private sector, and international defense network communities. The US Computer Emergency Readiness Team (US-CERT) develops information on immediate threats and analyzes data gleaned from cybersecurity incidents.

As part of these efforts, health entities can report any suspicious activity or cybersecurity incidents to US-CERT. Disclosing cyber threat indicators, which include information such as malicious reconnaissance, security vulnerabilities, and methods of defeating controls or exploiting vulnerabilities, is intended to alert other entities to possible issues. This type of information sharing allows the federal government to better protect information systems and to maintain current alerts and reports on vulnerabilities on the US-CERT site.

HIPAA concerns

HHS recently clarified that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may not disclose protected health information (PHI) for the purpose of sharing cyber threat indicators. This also applies to business associates. PHI may only be released under these circumstances if the disclosure is permitted under the Privacy Rule.

HHS noted that PHI is generally not included in cyber threat indicators, so prohibiting PHI disclosure in cyber threat reporting will typically not be an issue. Under the Privacy Rule, an entity could disclose PHI to law enforcement without the individual’s written authorization in order to comply with a court order or to alert and inform law enforcement as necessary regarding criminal activity. In some instances, an entity may report limited PHI. Entities may disclose to federal officials authorized to conduct national security activities or to protect the President. In all other circumstances that are not expressly included and permitted in the Privacy Rule, the entities must obtain authorization from the individual whose PHI is to be disclosed.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions, including insurers, take effect March 1, 2017 in New York state. Noting that “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, require compliance by third party vendors, and include more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be: protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and driver’s license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse, an information system or the information stored in the system. Written incident response plans for cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under the HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days after discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred. The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or another self-regulatory agency or supervisory body, or who believe that a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.
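The two reporting clocks compared above are easy to get wrong in an incident response playbook, because the HIPAA deadline depends on the number of individuals affected and, for small breaches, on the calendar year rather than the discovery date. The following added example (not from the article or from either regulator) models the deadlines exactly as the article summarises them; the function names, the constructed dates and the `notice_required_elsewhere` / `material_harm_likely` flags are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta
from typing import Optional

# Thresholds as stated in the article's summary of the two rules.
HIPAA_LARGE_BREACH_THRESHOLD = 500   # "500 or more individuals" starts the 60-day clock
HIPAA_NOTICE_DAYS = 60
NY_DFS_NOTICE_HOURS = 72


def hipaa_hhs_deadline(occurred: date, discovered: date, affected: int) -> date:
    """Latest date to notify the HHS Secretary under the Breach Notification Rule.

    500 or more individuals: no more than 60 days after discovery.
    Fewer than 500: within 60 days of the end of the calendar year in which
    the breach occurred (so a January breach may not be due until March of
    the following year).
    """
    if affected >= HIPAA_LARGE_BREACH_THRESHOLD:
        return discovered + timedelta(days=HIPAA_NOTICE_DAYS)
    year_end = date(occurred.year, 12, 31)
    return year_end + timedelta(days=HIPAA_NOTICE_DAYS)


def ny_dfs_deadline(determined: datetime,
                    notice_required_elsewhere: bool,
                    material_harm_likely: bool) -> Optional[datetime]:
    """Latest time to notify the NY DFS Superintendent, or None if the event
    does not meet either trigger the article describes."""
    if not (notice_required_elsewhere or material_harm_likely):
        return None
    return determined + timedelta(hours=NY_DFS_NOTICE_HOURS)


def notified_late(deadline: date, notified: date) -> bool:
    """True when the notification went out after the deadline."""
    return notified > deadline


if __name__ == "__main__":
    # Constructed dates, chosen to show how far apart the clocks can be.
    occurred, discovered = date(2017, 1, 2), date(2017, 1, 10)
    print("836 affected, HHS due:", hipaa_hhs_deadline(occurred, discovered, 836))
    print("300 affected, HHS due:", hipaa_hhs_deadline(occurred, discovered, 300))
    dfs = ny_dfs_deadline(datetime(2017, 3, 1, 9, 0), True, False)
    print("NY DFS due:", dfs)
```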


OCR shows no signs of slowing HIPAA enforcement

The HHS Office for Civil Rights (OCR) is on pace to have another record-breaking year for enforcement actions against covered entities (CEs) and business associates (BAs) accused of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. As of February 13, 2017, it had already entered into two resolution agreements with CEs and imposed civil monetary penalties (CMPs) on another, for only the third time in its history. Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in a single year. As of December 2016, the OCR had entered into twice that number. As of February 13, 2016, the OCR had just imposed its second CMP, but had not yet entered into any resolution agreements.

The agency kicked off the year by entering into a $475,000 resolution agreement with Presence Health. Unlike past agreements that settled potential violations of the HIPAA Privacy and Security Rules, the Presence Health resolution represented the OCR’s first agreement to resolve potential violations of the HIPAA Breach Notification Rule. Presence failed to notify the OCR, affected individuals, and the media that paper-based operating schedules containing the protected health information (PHI) of 836 individuals had gone missing within the statutorily required 60-day timeline for breaches affecting more than 500 individuals; instead, it waited more than 100 days.

Eight days later, the OCR announced a $2.2 million resolution agreement with MAPFRE Life Insurance Company of Puerto Rico for Security Rule violations affecting the data of 2,209 individuals. The OCR determined that MAPFRE’s failure to perform a risk analysis, implement risk management plans, and encrypt data stored on removable storage media led to a breach caused when a thief stole a USB data storage device containing electronic PHI (ePHI).

In early February, the OCR announced that it had issued a final determination and imposed a $3.2 million CMP on Children’s Medical Center of Dallas due to a pattern of noncompliance with the Security Rule. Children’s suffered a breach in 2010 due to the loss of an unencrypted, non-password-protected BlackBerry device containing the ePHI of 3,800 individuals. It suffered a second breach in 2013; despite the first breach, Children’s had failed to encrypt a laptop containing the ePHI of 2,462 individuals that was later stolen. The agency determined that the CMP was merited based on Children’s failure to implement risk management plans, in contravention of prior recommendations to do so, and its failure to encrypt mobile devices, storage media, and workstations. The OCR also imposed CMPs against Lincare, Inc., a home health company, in 2016 and against Cignet Health in Prince George’s County, Maryland, in 2011.

The agency stepped up enforcement efforts in 2016, in part due to negative reports regarding its performance from the HHS OIG and the Government Accountability Office (GAO). It began the Phase 2 audit process, targeting both CEs and BAs, and announced its intention to allocate resources for the first time to investigate complaints of breaches affecting 500 individuals or fewer. It appears geared to continue, if not ramp up, its enforcement efforts, but the impact of newly appointed HHS Secretary Thomas E. Price, M.D., who will appoint a new OCR director, remains to be seen. Price, a physician and former Congressional representative, has historically opposed government regulation of physicians. However, Adam H. Greene, Partner at Davis Wright Tremaine, suggests that, although Price the physician may dislike HIPAA, “his personal views will [not] necessarily lead to a significant change in enforcement.”