As October 2017 and National Cybersecurity Awareness Month (NCSAM) continue, we are still focused on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Last week we looked at some basic tips about patch management and at how a major organization failed to patch a vulnerability, leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of requiring two or more independent credentials before someone is allowed access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond type character enters a password followed by a thumbprint or an eye scan to access a classified area. This is not just movie stuff anymore. It is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three types of credentials (factors) in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a physical hardware token, such as a key fob or smart card, paired with a unique Personal Identification Number (PIN) assigned only to you. When you use the token, the information system recognizes the token, and you complete the authentication by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits, so no one else can use them to authenticate as you.
The advantage of using a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumbprint. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination: smart card and password, password and thumbprint, smart card and iris scan, and so on. The key to multi-factor authentication is a layered approach to allowing access to your information systems, thereby securing your e-PHI.
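To make the "layered" idea concrete, here is an added example (not code from the original post or from HIPAAtrek) of a login check that combines a knowledge factor (a password stored as a salted PBKDF2 hash) with a possession factor (a time-based one-time code from a hardware or phone token, computed per RFC 4226/6238). The user record, the sample password and the timestamp are constructed for the example; the point it demonstrates is that knowing the password alone, or holding the token alone, still yields "denied".

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30            # seconds per one-time-code window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift (constant-time compare)."""
    counter = at_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_user(password: str, totp_seed: bytes) -> dict:
    """Constructed user record: password hash plus the token seed (store the seed encrypted in practice)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_seed": totp_seed}


def authenticate(user: dict, password: str, code: Optional[str], at_time: int) -> str:
    """Return 'granted' only when BOTH factors verify; every other outcome is a uniform 'denied'."""
    knowledge_ok = verify_password(password, user["salt"], user["digest"])
    # Evaluate the second factor even when the first failed, so the caller
    # cannot tell from timing or the message which factor was wrong.
    possession_ok = code is not None and verify_totp(user["totp_seed"], code, at_time)
    return "granted" if knowledge_ok and possession_ok else "denied"


if __name__ == "__main__":
    seed = secrets.token_bytes(20)                     # constructed token seed
    user = make_user("correct horse battery staple", seed)
    now = 1_700_000_000                                # constructed timestamp
    print(authenticate(user, "correct horse battery staple", None, now))            # password only
    print(authenticate(user, "wrong password", totp(seed, now), now))               # token only
    print(authenticate(user, "correct horse battery staple", totp(seed, now), now)) # both factors
```

The one-time code functions reproduce the published RFC 4226/6238 test vectors, so the possession-factor logic can be checked independently of the constructed user record. The drift window of one step is a common operational choice; widening it trades clock tolerance for a larger set of codes accepted at any moment.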
Multi-factor authentication is a basic security principle that should be considered wherever possible, as it provides a more secure method of granting access only to those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM, along with other topics as you see fit. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
Health and Human Services (HHS) Office for Civil Rights has made October 2017 National Cybersecurity Awareness Month (NCSAM). As such, they are asking organizations to go back to the basics in applying HIPAA privacy and security principles. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Last week we looked at some basic tips for applying password management strategies. In this week’s second installment of a four-part series on cybersecurity tips by HIPAAtrek, we will examine the importance of updating and patching your information systems and applications.
Patch Management: Patch management is the process of acquiring, testing, and installing patches (code changes that fix defects or vulnerabilities) on the applications and software in your information systems. This is a process accomplished by your system administrator or HIPAA security officer. You may have been notified that a specific application will be down for a few hours or overnight. This is most likely scheduled maintenance in which the system is tested for vulnerabilities and patches are then applied to “plug up” the vulnerabilities that were found. Patch management is a basic concept of HIPAA security and must be accomplished on a periodic basis to keep your e-PHI secured. Oftentimes, software patches are provided by the major vendors, such as Microsoft, to update their software. In addition, a system administrator can purchase patch management software that schedules testing and patching periodically.
To bring this basic concept of patching closer to home, let’s examine the recent privacy breach at the Equifax credit monitoring company, where financial information of 145.5 million individuals was exposed. In testimony before a Congressional panel, CEO Richard Smith explained how the breach occurred. In March 2017, the Department of Homeland Security notified Equifax of the requirement to patch a vulnerability in their Apache Struts software. Apache Struts is the web application framework Equifax used for its online portal, where customers dispute errors on their credit reports. According to Mr. Smith, the Equifax security team was to notify the technical team responsible for finding the vulnerability and applying the patch. The human error here is that the patch was never applied. In addition, subsequent technical scans failed to detect the vulnerability DHS had warned about. As a result, the hackers accessed the data on May 13, 2017. The public was not notified until Sept 7, 2017. Needless to say, this nightmare scenario should not occur at your organization. Take a moment to discuss patch management with your HIPAA security officer.
Patch management is a basic security principle that can be managed by scheduling periodic scanning of your information systems and by checking for updates with the vendors of the applications you use to manage your e-PHI, which could include your EMR/EHR. In addition to patch management, HHS has provided a short list of tips to discuss with your staff during NCSAM, along with other topics as you see fit. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov at email@example.com who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking!
Health and Human Services (HHS) Office for Civil Rights has made the month of October 2017 National Cybersecurity Awareness Month (NCSAM). As such, they are asking organizations subject to the HIPAA privacy and security rules to go back to the basics. The basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information (e-PHI), and the training you provide your workforce. Today, the security of electronic health information is more critical than ever, and it’s everyone’s obligation to protect e-PHI from unauthorized access. In this first installment of a four-part series on cybersecurity tips by HIPAAtrek, we will examine some tips for implementing a good password management program.
Password Management: Passwords can be viewed as the keys to the kingdom. Every user’s access point into your information systems that hold or lead to e-PHI begins with a unique user log-in and password. With properly managed passwords, access is reserved to only those who are authorized to enter the system or application. Therefore, it is imperative that you implement appropriate password rules and consider some of these tips:
Password makeup: Consider making passwords at least 10 characters long and consisting of an uppercase letter, a lowercase letter, a number, and a special character such as $%&. Use passphrases such as “I love to golf on Saturdays and Sundays”, which equates to an alphanumeric password of Iltg0sas.
Password history: Specify the number of times a different password must be selected before a user can reuse a previous password.
Password expiration: Set a date or time period after which the user must establish a new password. No user should have the same password to access e-PHI for an unlimited period. Consider forcing a password change every 180 days or once a year.
Password defaults: Default passwords, whether issued to a user when initial access is provided or shipped with an application or software that is brought online, must be changed by the user.
Password protection: Passwords should be protected from viewing by others. They should not be written down on sticky notes or on paper left under the keyboard. Commit the password to memory or use a password vault or manager program.
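The five tips above translate directly into checks a system can enforce at password-change time. The following is an added example (not code from the original post or from HIPAAtrek) that implements the makeup, history, expiration, and default-password rules with the values stated in the tips; the special-character set, the history depth of five, and the list of known default passwords are constructed for the example. Note one caveat the tips do not spell out: the page’s own sample output Iltg0sas is 8 characters long and has no special character, so it fails the makeup rule from the same tip, and the checker below reports exactly that.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import List, Tuple

# Values from the tips above; SPECIAL_CHARS, HISTORY_DEPTH and KNOWN_DEFAULTS are constructed.
MIN_LENGTH = 10
SPECIAL_CHARS = set("$%&!@#^*()-_=+[]{};:,.?/")
HISTORY_DEPTH = 5                      # distinct passwords required before reuse
MAX_AGE_DAYS = 180                     # force a change every 180 days
KNOWN_DEFAULTS = {"password", "changeme", "admin", "welcome1"}
HISTORY_ROUNDS = 100_000               # PBKDF2 work factor for stored history digests


def complexity_failures(password: str) -> List[str]:
    """Return every makeup rule the candidate breaks; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    return failures


def history_entry(password: str) -> Tuple[bytes, bytes]:
    """History is kept as salted digests so old passwords are never stored in the clear."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HISTORY_ROUNDS)


def reused_from_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored digests."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HISTORY_ROUNDS), digest
        )
        for salt, digest in history[-HISTORY_DEPTH:]
    )


def is_expired(last_changed: date, today: date) -> bool:
    """Expiration rule: the user must pick a new password after MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def is_default(password: str) -> bool:
    """Default-password rule: vendor or provisioning defaults may never be kept."""
    return password.lower() in KNOWN_DEFAULTS


def evaluate_change(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """All reasons a password-change request should be rejected; empty means accept."""
    reasons = complexity_failures(candidate)
    if is_default(candidate):
        reasons.append("matches a known default password")
    if reused_from_history(candidate, history):
        reasons.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return reasons


if __name__ == "__main__":
    # Constructed walk-through: the page's sample, then a lengthened variant with a special character.
    print(complexity_failures("Iltg0sas"))
    stored = [history_entry("Iltg0sas&Su")]
    print(evaluate_change("Iltg0sas&Su", stored))       # rejected: reuse
    print(evaluate_change("Z9%newpass!x", stored))      # accepted: empty list
    print(is_expired(date(2017, 1, 1), date(2017, 10, 1)))
```

Keeping each rule in its own small function lets the log-in path call `is_expired` on every sign-in while the change path calls `evaluate_change`, and the history digests are salted per entry so that two users who happened to choose the same old password do not produce matching records.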
HHS has provided a short list of tips to discuss with your staff during NCSAM, and there are many more topics you can include at your organization as you see fit. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend you contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
In a recent court case in the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman (Ky. Ct. App. July 21, 2017), a nurse sued her employer after being fired for a HIPAA violation. A patient had filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and using only the minimum necessary information to accomplish a job.
In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves because the patient had Hepatitis C. A patient filed a complaint because they felt she was too loud and other patients could hear her. This is considered a privacy violation. However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.
To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard. If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation. In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.
In contrast, if reasonable safeguards or the minimum necessary standard is not used, a violation of the privacy rule will occur. The courts ruled that the nurse did not take reasonable safeguards of speaking quietly to warn her colleagues to wear the gloves. Additionally, the courts found she did not use the minimum amount of protected health information to accomplish the necessary purpose. In other words, she could have simply reminded the colleagues to wear gloves without using the term Hepatitis C.
The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to maneuver through different situations including what this nurse encountered without compromising a patient’s privacy. Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is important also. We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov at email@example.com and let her know you want to see our training platform. Until then, happy HIPAA trekking.
In our last blog, we wrote about the policies and procedures you needed to develop for your Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC). The policies and procedures are developed after you have conducted your all-hazards risk assessment. CMS wants you to have at minimum, policies for:
- Safe Evacuation
- Shelter in Place
- Preservation of Medical Documentation
- Using Volunteers
Your next step is to develop your communications plan. This is critical as “communication” is often severely hampered during an emergency. This can be a personnel problem caused by lack of training and preparation, or it can be a structural problem where communication systems are degraded or destroyed by the emergency or disaster. Preparing a plan and ensuring all understand it will lead to success should you have to implement it for an emergency.
In developing your communications plan, CMS wants you to have the names and contact information for:
- Individuals providing services under arrangement
- Patients’ physicians
- Other RHCs or hospitals
- State or local emergency agencies
You must also develop a system to correctly provide the general condition and location of patients under your care while still meeting the HIPAA privacy rules. Your plan should include the ability to notify the Incident Command Center about your needs and status during the emergency. You should have a recall roster so you can notify off duty personnel to report to duty as needed or to stay away. Your plan should also include a listing of communication avenues that have been tested and are compatible with other agencies you may need to contact. Remember, during an emergency, regular land lines or cell phones may not be operational, so you must plan ahead and consider other communication options such as HAM radios, Walkie-Talkies, or Radio Amateur Civil Emergency Services (RACES) to name a few.
CMS understands how critical it is for an RHC/FQHC to have a well thought out communications plan where staff have been trained and the plan has been tested. Don’t wait until the emergency is upon you. Develop your plan now and test it so you will be ready when a disaster strikes. Oh yes, don’t forget, someone must be in charge of activating your emergency communications plan. This is usually the clinic administrator or someone else you have designated in writing.
Remember to review your current HIPAA policies for areas of commonality, or where you have already addressed some of the requirements of the Emergency Preparedness Communications Plan. We at HIPAAtrek are developing an RHC/FQHC Emergency Preparedness Plan Package that includes a HIPAA/Emergency Preparedness Crosswalk, Emergency Plan Checklist, Risk Assessment Form, Policies and much more, so stay tuned to HIPAAtrek for future updates. In the meantime, start working on that Communications Plan!