The HIPAA Security Rule contains many requirements to help you protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). One of those standards addresses how you manage the workstation, which is important because the workstation is the most direct route to your PHI. With that in mind, let’s review some steps you should take today regarding your workstations and protecting your ePHI.
- Ensure that each workstation has the necessary access controls to restrict unauthorized users and programs from accessing ePHI
- Ensure that software on each workstation and on the network is compatible and will not lead to the degradation of the system.
- Ensure workstations are turned away from public view
- Provide physical access controls to the workstations and laptops
- Workstations should be secured at their stations
- Laptops can be tethered to their desks when necessary
- Ensure workstations have virus protection that cannot be disabled by users
- Ensure operating systems receive critical updates and patches
- Remove network access promptly after an individual’s employment is terminated
While these are actions that can be performed by your IT department or security officer, end users also need to be educated about their responsibilities when working at the workstation.
- Do not leave passwords on sticky notes on the computer
- Do not share passwords with fellow employees
- Engage the screensaver when leaving the workstation unattended
- Lock the screen with Ctrl+Alt+Delete, or by holding the Windows key and pressing L
- Do not remove the plastic privacy screen from the monitor
Workstation use is a standard in the Security Rule because the workstation is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI. For more on how HIPAAtrek can help you with your HIPAA program, contact our CEO, Sarah Badahman, at email@example.com. Happy HIPAAtrekking!
As a Covered Entity (CE) or a Business Associate, you will likely have ePHI located on mobile devices and media. ePHI is no longer confined to your desktop computer; it lives on many portable devices throughout your organization. Examples include laptops, external hard drives, thumb drives, tablets, smartphones, backup disks or tapes, and digital memory cards. What they all have in common is that they are mobile and may leave your organization by design or by accident. Managing your mobile media is paramount to maintaining the confidentiality, integrity, and availability of your ePHI as required by the HIPAA Security Rule. To do so, you need policies and procedures to account for your mobile media, as well as procedures for reuse and disposal.
Accountability: The Security Rule requires you to account for all mobile devices and media that store ePHI. This includes controlling where your media moves within your organization as well as outside of it. Imagine a scenario in which mobile media cannot be found or accounted for in your large facility. Does that mean it is still in your facility, or has an employee taken it home? Is it lost? Worse yet, imagine a mobile device leaving your organization without your knowledge, placing your organization at risk of a privacy breach. To establish an accountability program, you must first have a full and correct inventory of all your mobile assets (laptops, tablets, smartphones, etc.). The next step is to establish a check-out/check-in log for the mobile media. Anyone who wants to remove mobile media from the organization must check it out first and sign it back in upon return. There must be a business justification to remove the device or media. Those few individuals who have been approved to use mobile media outside the facility on a routine basis should also sign the media out initially as a long-term checkout, so a record of its whereabouts is documented. Staff should be trained on this policy, and it should be followed every time. Periodic review of the sign-out log will help prevent further concerns about missing mobile devices and media.
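The accountability steps above (inventory, check-out/check-in log with a business justification, long-term checkouts, periodic review) can be turned into a small reconciliation routine. The following is an added example, not HIPAAtrek’s code; every asset, person, date, and the 14-day loan limit are constructed for illustration. It replays the log against the inventory and a physical audit so the review answers the questions the post raises: what is out and with whom, what is overdue, and what is neither checked out nor located in the facility.

```python
"""Mobile-media accountability ledger: reconcile the asset inventory against
the check-out/check-in log and a physical audit. Added example, not
HIPAAtrek's code; every asset, person, and date below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_LOAN_DAYS = 14  # hypothetical policy limit for a normal (non long-term) check-out


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    contains_ephi: bool


@dataclass(frozen=True)
class LogEntry:
    asset_id: str
    person: str
    action: str              # "out" or "in"
    when: date
    justification: str = ""  # business reason, required on every check-out
    long_term: bool = False  # approved routine off-site use, logged once as a long-term check-out


def reconcile(inventory, log, today, sighted=frozenset()):
    """Replay the log in date order and report: what is out and with whom,
    which loans are overdue, which assets are neither checked out nor seen
    in the physical audit (`sighted`), and any log entries that break policy."""
    known = {a.asset_id: a for a in inventory}
    open_loan = {}   # asset_id -> LogEntry of the current check-out
    findings = []
    for e in sorted(log, key=lambda x: x.when):
        if e.asset_id not in known:
            findings.append(f"log entry for asset not in inventory: {e.asset_id}")
            continue
        if e.action == "out":
            if e.asset_id in open_loan:
                findings.append(f"{e.asset_id} checked out twice without a check-in")
            if not e.justification:
                findings.append(f"{e.asset_id} checked out by {e.person} without a business justification")
            open_loan[e.asset_id] = e
        elif e.action == "in":
            if e.asset_id not in open_loan:
                findings.append(f"{e.asset_id} checked in without a matching check-out")
            open_loan.pop(e.asset_id, None)
        else:
            findings.append(f"unknown action {e.action!r} for {e.asset_id}")
    checked_out = {aid: e.person for aid, e in open_loan.items()}
    overdue = sorted(aid for aid, e in open_loan.items()
                     if not e.long_term and (today - e.when).days > MAX_LOAN_DAYS)
    # Not checked out and not seen in the facility: the "is it lost?" case.
    missing = sorted(aid for aid in known if aid not in open_loan and aid not in sighted)
    return {"checked_out": checked_out, "overdue": overdue,
            "missing": missing, "findings": findings}


# Constructed sample data.
TODAY = date(2017, 10, 20)
INVENTORY = [
    Asset("LT-001", "laptop", True),
    Asset("USB-002", "thumb drive", True),
    Asset("TAB-003", "tablet", True),
    Asset("HD-004", "external hard drive", True),
]
LOG = [
    LogEntry("LT-001", "alice", "out", TODAY - timedelta(days=20), "home health visits"),
    LogEntry("USB-002", "bob", "out", TODAY - timedelta(days=90), "field audits", long_term=True),
    LogEntry("TAB-003", "carol", "out", TODAY - timedelta(days=5), "clinic rounds"),
    LogEntry("TAB-003", "carol", "in", TODAY - timedelta(days=4)),
    LogEntry("USB-999", "dave", "out", TODAY - timedelta(days=1), "unknown stick"),
]
SIGHTED = frozenset({"TAB-003"})   # assets physically located during the periodic audit


def demo():
    return reconcile(INVENTORY, LOG, TODAY, SIGHTED)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed data, the laptop is overdue, the long-term thumb drive is out but not flagged, the external drive is missing because nobody checked it out and the audit did not find it, and the unknown “USB-999” shows up as a finding because a device that is not in the inventory cannot be accounted for at all.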
Reuse: Mobile devices and media are sometimes reused within an organization. Additionally, many organizations provide their used or outdated hardware/software to local charities, such as churches or elementary schools. Whether the media stays in house or is donated, you need to ensure the media is sanitized of all ePHI.
There are several different software cleaning solutions on the market. This software overwrites the storage drive to eliminate all the data, and it is sometimes called “disk wipe” software. Look closely at the software instructions, which will direct you to run the overwrite three or up to seven times; each run is commonly known as a “pass”. The Department of Defense (DoD) 5220.22-M data sanitization method overwrites the existing information on the storage device. The wipe sequence writes zeros on the first pass, writes ones on the second pass, and writes random characters over the data on the third pass, making any previous information unrecognizable and unretrievable. When cleaning smartphones, review the manufacturer’s instructions for wiping the memory or restoring the smartphone to factory settings. The objective is to clean your mobile media so that it is free of all ePHI and the mobile device can be reused internally or externally. Finally, document and tag the item as sanitized and record whom it is signed out to.
Disposal: Not all mobile devices and media are reused. More often a device is slated for disposal at the end of its life cycle. Disposal requires you to permanently remove all ePHI and permanently destroy the device so that it cannot be used again. A common method of destroying the memory of a hard drive is to use a degausser (this does not work on flash-memory-based devices). This method removes all ePHI and makes the memory unusable. If you don’t have a degausser, you can wipe the media clean (see the reuse method above) and then physically destroy the hard drive platter with a hammer. You can also use the options for mobile media listed in NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization: shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. Afterwards, document the destruction in your inventory so that it includes:
- Name of media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying media
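The three-pass overwrite described under Reuse, together with the documentation step that closes both the reuse and disposal procedures, can be demonstrated end to end. The following is an added example, not HIPAAtrek’s code; it runs the zeros/ones/random sequence against a throwaway file that stands in for a drive, reads each pass back to verify it, checks that none of the constructed sample ePHI strings remain, and then produces the record with the four fields listed above. The media name, person, and date in the record are placeholders. One caveat a practitioner should keep in mind: overwriting a file only reaches the blocks the file system hands back, so real sanitization targets the whole device, and for flash-memory media (which the post notes cannot be degaussed) NIST SP 800-88 Rev. 1 directs you to the device’s own sanitize or secure-erase capability rather than relying on multi-pass overwriting.

```python
"""DoD 5220.22-M style three-pass overwrite on a file-backed image, plus the
sanitization/destruction record. Added example, not HIPAAtrek's code. The file
stands in for a drive to show the mechanics; real sanitization runs against
the whole device, and flash media should use its built-in secure erase."""
import os
import tempfile
from datetime import date

CHUNK = 1 << 16   # write in 64 KiB chunks so a large image is never loaded into memory

PASSES = (
    ("zeros", lambda n: b"\x00" * n),   # pass 1: all zeros
    ("ones", lambda n: b"\xff" * n),    # pass 2: all ones
    ("random", os.urandom),             # pass 3: random bytes
)


def _overwrite(fh, size, pattern):
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())   # push the write through the OS cache before verifying


def _read_back(fh, size):
    fh.seek(0)
    return fh.read(size)


def three_pass_wipe(path):
    """Overwrite every byte of the image three times, verifying each pass by
    reading it back. Returns a list of (pass_name, verified) tuples."""
    size = os.path.getsize(path)
    results = []
    with open(path, "r+b") as fh:
        for name, pattern in PASSES:
            _overwrite(fh, size, pattern)
            data = _read_back(fh, size)
            if name == "zeros":
                ok = data == b"\x00" * size
            elif name == "ones":
                ok = data == b"\xff" * size
            else:   # random: same length and not one of the fixed patterns
                ok = len(data) == size and data not in (b"\x00" * size, b"\xff" * size)
            results.append((name, ok))
    return results


def no_trace_remains(path, markers):
    """Final check: none of the known plaintext markers survive on the image."""
    with open(path, "rb") as fh:
        data = fh.read()
    return all(m not in data for m in markers)


def sanitization_record(media_name, method, who, when, outcome):
    """The four fields the post asks for (media, method, date, person) plus the outcome."""
    return {"media": media_name, "method": method, "date": when.isoformat(),
            "by": who, "outcome": outcome}


def demo():
    # Constructed sample "ePHI" written to a throwaway file that stands in for a drive.
    markers = [b"PATIENT: Jane Doe", b"MRN 0001234", b"DX: example"]
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\n".join(markers) * 50)
    size_before = os.path.getsize(path)
    passes = three_pass_wipe(path)
    clean = no_trace_remains(path, markers)
    verified = clean and all(ok for _, ok in passes)
    record = sanitization_record(
        "USB-002 (placeholder asset id)",
        "3-pass overwrite (0x00, 0xFF, random)",
        "security officer (placeholder)",
        date(2017, 10, 20),
        "sanitized for reuse" if verified else "FAILED - do not release",
    )
    size_after = os.path.getsize(path)
    os.remove(path)
    return {"passes": passes, "no_trace": clean,
            "size_unchanged": size_before == size_after, "record": record}


if __name__ == "__main__":
    print(demo())
```

The record is only written as “sanitized for reuse” when every pass verified and the marker search came back clean; anything else is recorded as a failure so the item is not tagged and released by mistake. For a destroyed device the same record function is used with the destruction method (shred, degauss, incinerate) and the outcome set accordingly.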
As a Covered Entity (CE) or a Business Associate, you will undoubtedly have mobile devices and media to manage. Today, mobile media seems to be ubiquitous. To protect ePHI from unauthorized access and prevent a data breach, implement device and mobile media accountability, reuse, and disposal procedures. Staff should understand that they must report to you (the security officer/office) with questions and concerns about mobile media, including use of their own mobile media if your policy allows it. The HIPAA Security Rule addresses the requirements for device and media control at 45 CFR §164.310(d)(1), Physical Safeguards; Device and media controls. For further questions on this topic or assistance with your HIPAA compliance program, please contact our Chief Executive Officer, Sarah Badahman, at firstname.lastname@example.org. Until then, happy HIPAA trekking!
As a Covered Entity (CE), you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO). These TPO disclosures do not require you to obtain an authorization from the patient. An example of a treatment disclosure is drawing a patient’s blood at your clinic or practice but sending the specimen to a reference lab to obtain the results. Similarly, when you see a patient who needs to see a specialist and refer the patient to another provider, that is also viewed as a treatment disclosure. Payment disclosures occur when you bill an insurance provider for care rendered. This includes obtaining payment for care by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider. Healthcare operations disclosures are those management actions you take to administer your overall healthcare program. Examples include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, and customer support, to name a few. Bottom line: you are permitted to use and disclose PHI for TPO without the patient’s authorization.
You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the person you notify is reasonably able to prevent or lessen the threat. The following two examples demonstrate how this provision of the rule can be used.
A clinic learns that a child has tested positive for tuberculosis. Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child separated from the other children and isolated until the child can be picked up by his parents. The threat to the health of the other children is the contagious disease the child has, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children. In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns. After the mother ends the phone call, the clerk contacts the neonatal ward where the newborns are located, notifies them of the mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist her through her temporary crisis. The threat to the safety of the newborns is the mother’s ideation about harming them, and the PHI is the mother’s post-partum depressed condition.
In both examples above, the threat to the children and newborns is imminent, and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not merely a probability or an “it could happen” situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat. It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists. As explained in the preamble to the HIPAA rule, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and was subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose; rather, it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.
As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation. The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512(j)(i), “Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety.” This type of disclosure is also accountable and should be added to your accounting of disclosures list. For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive, Theresa Zemcuznikov, at email@example.com.
As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of using two or more independent credentials to allow someone access to your information systems and e-PHI. You may have first seen this on the big screen, where a James Bond type character enters a password followed by a thumbprint or eye scan to access a classified area. This is not just movie stuff anymore. This is an example of multi-factor authentication, and it provides the most secure method of ensuring that the individual attempting to access the system is the person they claim to be. Here are the three kinds of credentials (factors) in multi-factor authentication you need to understand:
- Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
- Something you have (Possession Factor). This is a special hardware token, which could be a key or a smart card, with a unique Personal Identification Number (PIN) assigned only to you. When you use the token, the information system recognizes your entry through the token, and you confirm it by entering the PIN.
- Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include fingerprints, hand geometry, retina and iris scans, and voice recognition. No one else has your biological traits, so no one else can use them to authenticate.
The advantage of using a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumbprint. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination: smart card and password, password and thumbprint, smart card and iris scan, etc. The key to multi-factor authentication is to establish a layered approach to allowing access to your information systems, thereby securing your e-PHI.
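The layered check described above, a knowledge factor plus a possession factor, looks like the following in code. This is an added example, not HIPAAtrek’s code: the password is stored as a salted PBKDF2 hash and compared in constant time, and the possession factor is a time-based one-time password (TOTP, RFC 6238) of the kind produced by an authenticator app or hardware token. The user name, password, and token secret are constructed for the demonstration; a real secret comes from the token provisioning step. Both factors are always evaluated so the answer does not reveal which one failed, and a code that has already been accepted is refused if it is presented again.

```python
"""Two-factor verification: knowledge factor (salted password hash) and
possession factor (TOTP code per RFC 6238, as produced by an authenticator
app or hardware token). Added example, not HIPAAtrek's code; the user,
password, and token secret below are constructed."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30     # seconds per code, as in common authenticator apps
TOTP_WINDOW = 1    # accept one step either side of "now" to tolerate clock drift


def hash_password(password, salt=None):
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never the plain password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, int(at) // TOTP_STEP, digits)


def match_totp(secret, code, at):
    """Return the time step the code belongs to, or None if nothing in the window matches."""
    base = int(at) // TOTP_STEP
    for k in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        if hmac.compare_digest(hotp(secret, base + k), code):
            return base + k
    return None


USERS = {}   # username -> record; an in-memory stand-in for a user store


def enroll(username, password, totp_secret):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest,
                       "secret": totp_secret, "last_step": -1}


def authenticate(username, password, code, at):
    """Both factors are always evaluated so the response never says which one failed."""
    rec = USERS.get(username)
    if rec is None:
        # Do a comparable amount of work for unknown users so timing does not leak names.
        password_matches(password, b"\x00" * 16, b"\x00" * 32)
        return (False, "denied")
    pw_ok = password_matches(password, rec["salt"], rec["digest"])
    step = match_totp(rec["secret"], code, at)
    code_ok = step is not None and step > rec["last_step"]   # refuse a replayed code
    if pw_ok and code_ok:
        rec["last_step"] = step
        return (True, "granted")
    return (False, "denied")


# Constructed enrollment; a real secret comes from the token or app provisioning step.
DEMO_SECRET = b"constructed-demo-secret-0001"
enroll("nurse.jane", "correct horse battery staple", DEMO_SECRET)

if __name__ == "__main__":
    import time
    now = time.time()
    print(authenticate("nurse.jane", "correct horse battery staple", totp(DEMO_SECRET, now), now))
    print(authenticate("nurse.jane", "correct horse battery staple", "000000", now))
```

Knowing the password alone, or holding a valid code alone, is not enough: `authenticate` only returns `granted` when both checks pass, which is exactly the layered property the post describes. The `last_step` bookkeeping is the server-side detail that keeps a one-time code one-time.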
Multi-factor authentication is a basic security principle that should be considered whenever possible, as it provides a more secure method of granting access only to those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and at other times as you see appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.
The Health and Human Services (HHS) Office for Civil Rights has made October 2017 National Cybersecurity Awareness Month (NCSAM). As such, they are asking organizations to go back to the basics in applying HIPAA privacy and security principles. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips on applying password management strategies. In this week’s second installment of a four-part series on cybersecurity tips by HIPAAtrek, we will examine the importance of updating and patching your information systems and applications.
Patch Management: Patch management is the process of acquiring, testing, and installing patches (code changes that fix defects) on the existing applications and software in your information systems. This process is carried out by your system administrator or HIPAA security officer. You may have been notified that a specific application will be down for a few hours or overnight. This is most likely the result of testing for vulnerabilities, after which patches are applied to “plug up” the vulnerabilities that were found. Patch management is a basic concept of HIPAA security and must be carried out on a periodic basis to keep your e-PHI secured. Oftentimes, software patches are provided by the major providers, such as Microsoft and other vendors, to update the software. In addition, a system administrator can purchase patch management software that schedules testing and patching periodically.
To bring this basic concept of patching closer to home, let’s examine the recent privacy breach at the Equifax credit-monitoring company, where the financial information of 145.5 million individuals was exposed. In testimony before a Congressional panel, CEO Richard Smith explained how the breach occurred. In March 2017, the Department of Homeland Security notified Equifax of the requirement to patch a vulnerability in their Apache Struts software. Apache Struts is used by Equifax in an online portal for customers to dispute errors on their credit reports. According to Mr. Smith, the Equifax security team was to notify the technical team responsible for finding the vulnerability and applying the patch. The human error here is that the patch was never applied. In addition, subsequent technical scans just didn’t work, so the vulnerability that DHS had warned them about was never found. As a result, the hackers accessed the data on May 13, 2017. The public was not notified until September 7, 2017. Needless to say, this nightmare scenario should not occur at your organization. Take a moment to discuss patch management with your HIPAA security officer.
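Two things went wrong in the account above: a known fix was never applied, and the scans that should have caught the gap did not. A periodic check of your own inventory can be written to catch both conditions. The following is an added example, not HIPAAtrek’s code and not a real vulnerability scanner: the advisory ids, component names, version numbers, host names, SLA days, and scan-age limit are all constructed placeholders. It compares each host’s installed versions against the fixed versions in an advisory list, flags fixes that have been outstanding longer than the policy allows, and separately reports hosts whose last scan is stale or that were never scanned at all, so a “scan that didn’t work” surfaces as its own finding instead of silently reporting nothing.

```python
"""Patch-compliance and scan-coverage check. Added example, not HIPAAtrek's
code. Advisory ids, component names, versions, hosts and policy values are
constructed placeholders, not real advisories."""
from datetime import date

# Hypothetical policy: days allowed to apply a fix, by severity, and the
# maximum age of the last vulnerability scan before it counts as stale.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
SCAN_MAX_AGE_DAYS = 30

# Constructed advisories (placeholder ids and versions).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "web-portal-framework",
     "fixed_in": "4.1.9", "published": date(2017, 3, 7), "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "component": "db-server",
     "fixed_in": "10.2.0", "published": date(2017, 8, 1), "severity": "high"},
]

# Constructed inventory: what is installed where, and when each host was last scanned.
HOSTS = [
    {"host": "portal-01", "installed": {"web-portal-framework": "4.1.8"},
     "last_scan": date(2017, 3, 1)},
    {"host": "portal-02", "installed": {"web-portal-framework": "4.1.10"},
     "last_scan": date(2017, 10, 1)},
    {"host": "db-01", "installed": {"db-server": "10.2.0"}, "last_scan": None},
]


def parse_version(s):
    """Numeric tuple so that 4.1.10 sorts after 4.1.9; a plain string comparison
    gets this wrong. Expects dotted integers, which is all the sample data uses."""
    return tuple(int(p) for p in s.split("."))


def check_host(host, advisories, today):
    """Return one finding per advisory whose fixed version is newer than what is installed."""
    findings = []
    for adv in advisories:
        installed = host["installed"].get(adv["component"])
        if installed is None:
            continue   # component not present on this host
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            days_open = (today - adv["published"]).days
            findings.append({
                "host": host["host"], "advisory": adv["id"],
                "component": adv["component"], "installed": installed,
                "fixed_in": adv["fixed_in"], "days_open": days_open,
                "sla_breached": days_open > SLA_DAYS[adv["severity"]],
            })
    return findings


def check_scan_coverage(host, today):
    """A host that was never scanned, or not scanned recently, is a finding in itself."""
    if host["last_scan"] is None:
        return f"{host['host']}: never scanned"
    age = (today - host["last_scan"]).days
    if age > SCAN_MAX_AGE_DAYS:
        return f"{host['host']}: last scan {age} days old"
    return None


def report(hosts, advisories, today):
    unpatched = [f for h in hosts for f in check_host(h, advisories, today)]
    scan_issues = []
    for h in hosts:
        issue = check_scan_coverage(h, today)
        if issue:
            scan_issues.append(issue)
    return {"unpatched": unpatched, "scan_issues": scan_issues}


if __name__ == "__main__":
    result = report(HOSTS, ADVISORIES, date(2017, 10, 10))
    for f in result["unpatched"]:
        flag = "SLA BREACHED" if f["sla_breached"] else "within SLA"
        print(f"{f['host']}: {f['component']} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}, open {f['days_open']} days, {flag})")
    for issue in result["scan_issues"]:
        print("scan coverage:", issue)
```

Run against the constructed data, the report shows the portal host still on the vulnerable version more than 200 days after the advisory, with its last scan equally old, and a database host that was never scanned even though its software is current. Feeding the real inventory from your patch management tool and your vendors’ advisories into the same two checks is the “periodic scanning” and “checking with vendors” the next paragraph recommends.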
Patch management is a basic security principle that can be managed by scheduling periodic scanning of your information systems, as well as checking with the vendors of the applications you use to manage your e-PHI, which could include your EMR/EHR. In addition to patch management, HHS has provided a short list of tips to discuss with your staff during NCSAM and at other times as you see appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf. Let me also recommend that you contact our Lead Account Executive, Theresa Zemcuznikov, at email@example.com, who can provide you a demo of our award-winning HIPAA compliance software, where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking!