Kusserow on Compliance: Defending against ransomware threat

Cyber attacks have risen to dramatic levels over the last two year and are likely averaging one attack a day, with the most disturbing trend involving ransomware. A survey by the American Health Lawyers Association indicated that virtually all healthcare lawyers believe they will be involved with cyber security matters with their client and the threat will continue to increase over the coming years. Data breaches include actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. Ransomware typically involve a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data.  The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. The healthcare industry, particularly hospitals, have proven to be a soft target, as they need to have immediate access to their patient information and many have paid the ransom to regain control over it. The healthcare sector is considered a “soft target” for Ransomware attacks, particularly hospitals that are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. As such, compliance officers need to consider this a compliance high-risk area where ongoing monitoring and auditing applies.  Simply assuming that someone in IT is addressing this problem area can be a big mistake. At the same time, the compliance office is not responsible for the program, but is responsible to ensure that those that have that responsibility are doing their job, including IT and human resource management (HRM).

According to new studies reported, healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare (a) over half of emails contained spam; (b) one in 4,375 emails being a phishing attempt; and (c) email-borne ransom-ware spiked 266% over the previous year.  The Ponemon Institute further found breaches could be costing the healthcare industry $6.2 billion annually. All these studies indicate that the biggest vulnerability to cyber attacks is employees that let-down their guard when opening or responding to emails from unknown sources. Often “scammers” create the appearance of legitimate sites, including using similar names, emblems of companies and even government agencies, etc. (including the OIG and IRS). Once someone opens the door, all kinds of bad things can happen.

Practical Tips

  1. Implement policies and procedures on taking precautions against malware and train all covered persons on them.
  2. Ensure ongoing (repeated) training of employees to keep them aware and being on guard against allowing software breaches by clicking on an email link or attachment, or responding to “pfishing” inquiries.
  3. Don’t entirely rely upon employees to always do the right thing and provide assistance by configuring email servers to block zip or other files that are likely to be malicious.
  4. Restrict permissions to areas of the network by limiting the number of people accessing files on a single server, so that if a server gets infected, it won’t spread to everyone.
  5. Limit employee access to systems on a need to know standard.
  6. Security efforts should focus on those files that are most critical, patient records.
  7. Conduct a risk analysis to identify ePHI vulnerabilities and ways to mitigate or remediate these identified risks.
  8. Maintain disaster recovery, emergency operations, and frequent data backups to permit restoring of lost data in case of an attack.
  9. Move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network; disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

 

Kusserow on Compliance: New analysis of OCR reports found 1800 large breaches over 7 years

In presentation at the Health Care Compliance Association (HCCA) entitled “OCR Enforcement Update,” HHS Office for Civil Rights (OCR) Senior Adviser Iliana Peters reported that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (P.L. 104-191) (HIPAA) violations of an increasing number. To date, the OCR has received 150,507 complaints, with 24,879 being resolved with corrective action measures or technical assistance.  She estimated that the OCR will receive about 17,000 complaints in 2017.

A new study published in JAMA Internal Medicine found since 2009 that 1,798 “large data breaches” involving patient information since 2009 had been reported by health care providers to the OCR.  Out of that number, 216 hospitals reported 257 data breaches, while 33 hospitals were found to have experienced multiple data breaches.  Of 141 acute care hospitals reporting breaches, 52 were major academic medical centers.  These numbers are misleading in that they represent only a small fraction of the total number of breaches, as indicated by Peters.  The reason is that smaller breaches are not required to be reported, and many breaches may not have been voluntarily reported.  The need for increased vigilance and internal controls are needed.

Latest OCR resolution

The OCR announced a resolution agreement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. MCPN filed a breach report with the OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. As with many of the reported large breaches, the OCR found that prior to the breach incident, there was no risk analysis to assess the risks and vulnerabilities in its ePHI environment and a corresponding failure to implement any associated risk management plans to address the risks and vulnerabilities identified in a risk analysis.

Reminder tips on HIPAA compliance

As a reminder, entities should perform the following recommended steps in order to comply with HIPAA.

  1. Perform a complete a security risk analysis that addresses ePHI vulnerabilities.
  2. Engage an outside expert to independently verify that Privacy/Security Officers are meeting obligations.
  3. Properly address identified risks with corrective action measures.
  4. Follow the basics in reviewing compliance for information security risks and PHI breaches.
  5. Verify that the Code of Conduct covers reporting HIPAA violations.
  6. Ensure that policies and procedures govern receipt and removal of laptops containing ePHI.
  7. Train the workforce on HIPAA policies and procedures, including reporting violations
  8. Ensure that all business associates (BAs) have signed BA agreements (BAAs), with contact information on file.
  9. Verify that controls cover gaining access to ePHI by workforce members and users.
  10. Encrypt and password protect all laptops and mobile devices.
  11. Implement safeguards to restrict access to unauthorized users.
  12. Validate effectiveness of internal controls, policies, and procedures
  13. Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  14. Ensure that a hotline is set up to receive HIPAA-related calls.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics.  Peters stated that the OCR continues to receive and resolve complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191)  violations of an increasing number.  She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance.  At the rate of reports being received, the OCR is estimating receiving 17,000 complaints in 2017.  She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on this, ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules that include mobile device compliance.  They address privacy, security, and breach notification audits. It is expected that among the results of this effort will be increases in  monetary penalties this year.  Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptops computers, that failed to be properly protected with encryption and password.

OCR advice

 Peters provided in her slide presentation considerable advice as what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and through assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices or clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and software, and anti-virus and malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI.  She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated.  Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered additional tips and suggestions to those offered in the OCR presentation, particularly as it relates to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures  govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

OCR shows no signs of slowing HIPAA enforcement

The HHS Office for Civil Rights (OCR) is on pace to have another record-breaking year for enforcement actions against covered entities (CEs) and business associates (BAs) accused of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. As of February 13, 2017, it had already entered into two resolution agreements with CEs and imposed civil monetary penalties (CMPs) on another for only the third time in its history. Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in single year. As of December 2016, the OCR had entered into twice that number. As of February 13, 2016, the OCR had just imposed its second CMP, but had not yet entered into any resolution agreements.

The agency kicked off the year by entering into a $475,000 resolution agreement with Presence Health. Unlike past agreements that settled potential violations of the HIPAA Privacy and Security Rules, the Present Health resolution represented the OCR’s first agreement to resolve potential violations of the HIPAA Breach Notification Rule. Presence failed to notify the OCR, affected individuals, and the media that paper-based operating schedules containing the protected health information (PHI) of 836 individuals had gone missing in the statutorily-required 60-day timeline for breaches affecting more than 500 individuals; instead, it waited more than 100 days.

Eight days later, the OCR announced a $2.2 million resolution agreement with MAPFRE Life Insurance Company of Puerto Rico for Security Rule violations affecting the data of 2,209 individuals. The OCR determined that MAPFRE failed to perform a risk analysis, implement risk management plans, and encrypt data stored in removable storage media led to a breach caused when a thief stole a USB data storage device containing electronic PHI (ePHI).

In early February, the OCR announced that it had issued a final determination and imposed a $3.2 million CMP on Children’s Medical Center of Dallas due to a pattern of noncompliance with the Security rule. Children’s suffered a breach in 2010 due to the loss of an unencrypted, non-password-protected BlackBerry device containing the ePHI of 3,800 individuals.  It suffered a second breach in 2013; despite the first breach, Children’s had failed to encrypt a laptop containing the ePHI of 2,462 individuals that was later stolen. The agency determined that the CMP was merited based on Children’s failure to implement risk management plans, in contravention of prior recommendations to do so, and its failure to encrypt mobile devices, storage media, and workstations. The OCR also imposed CMPs against Lincare, Inc., a home health company, in 2016 and against Cignet Health in Prince George’s County, Maryland, in 2011.

The agency stepped up enforcement efforts in 2016, in part due to negative reports regarding its performance from the HHS OIG and the Government Accountability Office (GAO). It began the Phase 2 audit process, targeting both CEs and BAs, and announced its intention to allocate resources for the first time to investigate complaints of breaches affecting 500 individuals or fewer. It appears geared to continue, if not ramp up, its enforcement efforts, but the impact of newly appointed HHS Secretary Thomas E. Price, M.D.–who will appoint a new OCR director–remains to be seen. Price, a physician and former Congressional representative has historically opposed government regulatory activity of physicians. However, Adam H. Greene, Partner at Davis Wright Tremaine, suggests that, although Price the physician may dislike HIPAA, “his personal views will [not] necessarily lead to a significant change in enforcement.”