Kusserow on Compliance: Guarding against mobile device breaches: Tips from an expert

Camella Boateng, an expert on HIPAA, makes the point that “Most HIPAA breaches involve mobile devices. Such breaches dominate the under-500-patient breaches, which has masked the true number of such breaches. The publicity of these types of breaches is likely to change as OCR begins implementing its new policy to investigate breaches under 500. Of particular note, the OCR has announced that in selecting organizations for audit, one factor will be whether or not they report minor breaches. From experience, they expect that almost any organization will have a HIPAA breach of some sort or another over time; and therefore those that report no breaches can be considered suspect.” She offered the following checklist of tips on mobile device security and precautions.

  1. Provide management, accountability, and oversight structures for covered entities.
  2. Establish policies, protocols, processes, and procedures for mobile device use.
  3. Provide training on the bring your own device (BYOD) policy.
  4. Keep an inventory of personal mobile devices authorized to access and transmit electronic protected health information (ePHI).
  5. Use a device key, password, or other user authentication to verify user identity.
  6. Install and/or enable encryption that protects protected health information (PHI) stored on and sent by mobile devices.
  7. Install or enable firewalls and regularly update security software (such as anti-malware software).
  8. Install or activate remote wiping and/or disabling.
  9. Constantly reinforce that devices must be kept under personal control or under lock and key.
  10. Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices.
  11. Establish remote shutdown tools that can remotely lock lost mobile devices.
  12. Disable or do not install file-sharing applications on devices used for ePHI transmission.
  13. Establish electronic processes to ensure unauthorized parties do not destroy or alter ePHI.
  14. Conduct training on procedures for using mobile devices to access ePHI.
  15. Educate clinicians on the risks of data breaches, HIPAA violations, and fines.
  16. Delete all stored PHI before reusing or discarding a device.

After following all of the above steps, perform an outside independent security risk assessment to determine (a) if personal mobile devices are being used to exchange ePHI; (b) which devices are used on internal networks; (c) what information is accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Tips for protecting data against attacks and breaches

The media is filled with stories of data breaches in all business sectors. Larger organizations are not immune. In fact, the larger the organization, the better the target appears for attackers. The largest breaches have been with the Federal Government. In the health care sector, data breaches involving Protected Health Information (PHI) have been rising rapidly. Patient records are very valuable and are sold on a per-record basis. Providers are also considered “soft targets”, especially by those engaged in “ransomware” extortions; and many pay the demands to regain access to their patient records.

No one seems immune to these types of attacks. One can hardly forget that one of the biggest successful penetration attacks on data was against the U.S. Office of Personnel Management, where sensitive information, including Social Security Numbers, of 21.5 million individuals was compromised: 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Even law firms that provide advice on data security to their clients have been victimized and are among those with the weakest controls to protect their data. Survey reporting by Marsh found four out of five of the largest 100 law firms had been hacked. As is common in any business arena, they noted that many don’t know they have been hacked. The following are best practice tips to assist in preventing and/or mitigating attacks and breaches.

  1. Have a dedicated information security officer who has the responsibility as well as the authority to adopt, implement, and enforce adequate security protocols, including ensuring that (a) the IT infrastructure and data creation, transmission, and storage protect data from unauthorized disclosure; (b) the legitimacy of data received, both source and content, is verified; and (c) data is accessible for auditing and monitoring.
  2. Develop and implement data security policies for:
  • all external drives and mobile devices (including personally owned)
  • location and remote-erase options in case of loss or theft
  • data backup
  • installation of firewalls
  • data encryption
  • password protection
  • how to respond to any data breach
  • disaster recovery
  • records retention
  • business continuity in case of loss of data
  • uses of social media
  • vendor relationship requirements
  • use of free public wi-fi
  3. Institute safeguards and device management to protect information, such as encryption and passwords for all devices (USB drives, cell phones, tablets).
  4. Engage in ongoing monitoring to ensure that policies and procedures are being properly followed, and conduct periodic outside auditing of the systems.
  5. Train all covered persons on existing policies and procedures relating to data protection, and to report any suspected unusual emails. This is important because most successful attacks are the result of email users opening attachments that give entry to a wrongdoer. Users are often the ones who detect early irregularities occurring as a result of an attack, and the quicker they report it, the easier it is to contain the attack.
