You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?
The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:
- Theft of an unencrypted laptop from a private residence of an employee
- Two losses of unencrypted USB thumb drives
Because of these violations, MD Anderson was ordered to pay $4.35 Million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.
A History of Risk
In 2006, MD Anderson implemented written encryption policies. Even though they had formal a formal policy in place, MD Anderson had not implemented their policy. In fact, their risk analysis found that a lack of device-level encryption posed a high level risk. MD Anderson did not actually begin to implement encryption of ePHI until 2011. Even then, they still failed to encrypt its devices containing ePHI between March 24, 2011 and January 25, 2013.
They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 Million per record per calendar year when assessing penalties for breaches.
MD Anderson was hoping to reduce the penalty. They argued that they were not obligated to encrypt their devices. They argued that because the ePHI disclosed was for research it was not subject to HIPAA. MD Anderson also believes that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
Encrypt Your PHI
So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If it is not easy to encrypt a device, such as a USB drive, simply disallow the use in your organization. The risk is simply too great for you not to encrypt all devices with PHI.
The HIPAA Security Rule is confusing. There are two types of steps identified in the Security Rule: Required and Addressable. The encryption rules for HIPAA are specified as “Addressable.” This confuses many organizations, just like MD Anderson. Addressable sounds like it should be optional. However, the definition of Addressable is not synonymous with optional.
If a HIPAA rule is Addressable, you must adopt a similar solution. So, if you determine that encryption is not an option for your organization, you must adopt similar solution to secure your PHI. In addition, you must have a strong justification as to why you are not able to implement the encryption rule.
The encryption and decryption standard can be found here.
Steps You Should Take
Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implementing encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.
Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.
You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.
For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!
Secure your Workstations! Workstation security is an important step in the overall health of your HIPAA Security program. You want to protect your patient’s sensitive information; so, you must secure the tools you use to access, transmit, and store their information.
Secure Your Workstations
Secure workstations through a few simple steps.
- Ensure each workstation has access controls enabled. This will to restrict unauthorized users and programs from accessing ePHI.
- Ensure workstations should have automatic logoff or screensavers at low intervals (less than 15 minutes).
- Patch and manage software regularly to ensure the highest level of security. This also helps to prevent breaches due to gaps in security updates.
- Position your workstations to protect from public view.
- Ensure you have physical security safeguards in place
- Workstations should be secured at their stations.
- Laptops can be attached to a desk or otherwise secured when possible.
- Disable the ability for your employees to turn off your anti-virus software.
- Use enterprise-level (not home version) anti-malware software.
- Remove access to your network and softwares after an employee resigns or is terminated (within 24 hours).
In addition to these easy steps, you need to review your audit logs of connected workstations are required. Try using automated tools to aid in the audit log process will ensure your organization stays on top of workstation security.
Train Your Employees
Employees are responsible for more than half of all healthcare breaches. It is important to train your staff on their role in securing their workstations.
Most employees cringe at the thought of compliance training. When employees are not engaged in the training process or they are simply bored, your training programs are not effective. Therefore, STOP the long BORING training sessions! Incorporate training in ways that is easy for your employees to digest. Security reminders are not only required by HIPAA; but, they are also incredibly effective training tools.
What is a security reminder? I am glad you asked! A security reminder is any communication, in any media, used to communicate important security information to your staff. Examples of security reminders include:
- Placing a poster or flyer in common areas such as an employee break room
- Sending short emails or memos
- Conducting staff meetings to impart vital security information
- Implementing screensaver messages
Training your staff in a meaningful way increases learning retention and improves staff productivity and engagement. Your employees won’t remember an hour long training seminar. However, they will remember a note taped to the employee fridge or on the back of the bathroom stall!
Wrapping it Up
Workstation use is a standard in the security rule because it is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI.
For more on how HIPAAtrek can help you with your HIPAA program, contact our us! Happy HIPAAtrekking
As a Covered Entity (CE) or a Business Associate, you will likely have ePHI located in mobile devices and media. ePHI is no longer regulated to your desk top computer, but in many portable devices throughout your organization. Examples include laptops, external hard drives, thumb drives, tablets, smart phones, back up disks or tapes, and digital memory cards. What they all have in common is that they are all mobile and may leave your organization by design or by accident. Managing your mobile media is paramount to maintaining the confidentiality, integrity, and availability of your ePHI as required by the HIPAA security rule. To do so, you need to have policies and procedures to account for your mobile media, as well as procedures for reuse and disposal.
Accountability: The security rule requires you to account for all mobile devices and media that maintains ePHI. This includes controlling where your media moves within your organization as well as outside of it. Imagine a scenario where mobile media could not be found or accounted for in your large facility? Does that mean it is still in your facility or has an employee taken it home? Is it lost? Worse yet, imagine if the mobile device is leaving your organization without your knowledge, thus placing your organization at risk of a privacy breach. To establish an accountability program, you must first have a full and correct inventory of all your mobile assets (laptops, tablets, smart phones, etc.). The next step is to establish a check out/in log for the mobile media. Anyone who wants to remove mobile media from the organization, must check it out first and sign it back in upon return. There must be a business justification to remove the device/media. As for those few individuals who have been approved to use mobile media outside the facility on a routine basis, they should also sign the media out initially as a long-term checkout, so a record of its whereabouts is documented. Staff should be trained about this policy and it should be followed every time. Periodic review of the sign out log will help prevent further concerns of missing mobile devices and media.
Reuse: Mobile devices and media are sometimes reused within an organization. Additionally, many organizations provide their used or outdated hardware/software to local charities, such as churches or elementary schools. Whether the media stays in house or is donated, you need to ensure the media is sanitized of all ePHI.
There are several different software cleaning solutions on the market. These types of software require that you run the software through the memory drive to eliminate all the data. They are sometimes called “Disk Wipe” software. Look closely at the software instructions which will direct you to run the software three times or up to seven times. This is commonly known as a “pass”. The Department of Defense (DoD) 5220.22-M data sanitization method, overwrites existing information on the storage device. The wipe sequence writes zero on the first pass, writes number one on the second pass, and adds a random character over the data on the third pass thus making any previous information unrecognizable and unretrievable. When cleaning smart phones, review the manufacturer’s instructions for wiping the memory clean or restoring the smartphone to factory settings. The objective is to clean your mobile media such that it will be free of all EPHI and the mobile device can be reused internally or externally. Finally, document and tag the item as being sanitized and make a record of who it is signed out to.
Disposal: Not all mobile devices and media are reused. More often it is slated for disposal at the end of its life cycle. Disposal requires you to permanently remove all ePHI, AND, permanently destroy the device such that it cannot be used again. A common method to destroy the memory of a hard drive is to use a degausser (will not work with flash memory-based devices). This method removes all ePHI and makes the memory unusable. If you don’t have a degausser, you can wipe the media clean (see reuse method above), and then physically destroy the hard drive platter with a hammer. You can also use these options for mobile media as listed in NIST publication 800.88r1, Guidelines for Media Sanitization: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a licensed incinerator. Afterwards, document the destruction in your inventory so that it includes:
- Name of media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying media
As a Covered Entity (CE) or a Business Associate you will undoubtedly have mobile devices and media to manage. Today, mobile media seems to be ubiquitous. To ensure you protect ePHI from unauthorized access and prevent a data breach, implement device and mobile media accountability, reuse, and disposal procedures. Staff should understand they must report to you (security officer/office) with questions and concerns about mobile media, including use of their own mobile media if your policy allows it. The HIPAA security rule addresses the requirements for device and media control at 45 CFR §164.310(d)(1) Physical Safeguards; Device and media controls. For further questions on this topic or assistance with your HIPAA compliance program, please contact our Chief Executive Officer, Sarah Badahman at firstname.lastname@example.org Until then, happy HIPAA trekking!
As a Covered Entity (CE) you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO). These TPO disclosures do not require you to obtain an authorization from the patient. Examples of treatment disclosures include when you draw a patient’s blood work at your clinic or practice, but you send the specimen to a reference lab to obtain the results. Similarly, you see a patient who needs to see a specialist, so you refer the patient to another provider. This is also viewed as a treatment disclosure. Payment disclosures occur when you bill an insurance provider for care rendered. This includes when payment for care is obtained by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider. Healthcare operations disclosures are those management actions you take to administer your overall healthcare program. Examples of healthcare operations disclosures include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, as well as customer support to name a few. Bottom line, you are permitted to use and disclose PHI for TPO without the patient’s authorization.
You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and, the person you notify is reasonably able to prevent or lessen the threat. The following two examples demonstrate how this provision in the rule can be used.
A clinic learns that a child has tested positive for tuberculosis. Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child removed from the other children and isolated until the child can be picked up by his parents. The threat to health of the other children is the contagious disease the child had, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children. In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns. After the mother ends the phone call, the clerk contacts the neo-natal ward where the newborns are located, notifies them of their mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist the mother through her temporary crisis. The threat to the safety of the newborns is the mother’s ideation about harming them and the PHI is the mother’s post-partum depressed condition.
In both examples above, the threat to the children and newborns is imminent and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not just a probability or it could happen situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat. It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists. As explained in the HIPAA rule preamble, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient, against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose, rather it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.
As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation. The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512 (j)(i). Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety. This type of disclosure is also accountable and should be added to the Accounting of Disclosure list. For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive Theresa Zemcuznikov at email@example.com.
As we continue through October 2017 and National Cybersecurity Awareness Month (NCSAM), we continue to focus on going back to the basics. Basics include the safeguards you put in place to ensure the Confidentiality, Integrity, and Availability of electronic protected health information or e-PHI, and the training you provide your workforce. Last week we looked at some basic tips about patch management and how a major organization failed to patch a vulnerability leading to the exposure of financial information of 145.5 million individuals. This week’s third installment of cybersecurity tips by HIPAAtrek will focus on multi-factor authentication.
Multi-factor Authentication: Multi-factor authentication is the security procedure of using two or more independent credentials to allow someone access to your information systems and e-PHI. You may have first seen this on the big screen where a James Bond type character enters a password followed by their thumb print or scan of their eye to access a classified area. This is not just movie stuff anymore. This is an example of multi-factor authentication and it provides the most secure method of ensuring the individual attempting to access the system is the person they report to be. Here are the three credentials in multi-factor authentication you need to understand:
Something you know (Knowledge Factor). This is a password, passcode, or passphrase that only you know.
Something you have (Possession Factor). This is a special hardware token which could be a key, or smart card with a unique Personal Identification Number or (PIN) assigned only to you. When you use the token, the information system recognizes your entry through this token and you authenticate it by entering the PIN.
Something you are (Inherence Factor). This is the method of identifying yourself by one of your biological traits. Unique biological identifiers include finger prints, hand geometry, retina and iris scans, or voice recognition. No one else has your biological traits and therefore cannot use them to authenticate.
The advantage of using a multi-factor authentication process is that if one credential is compromised, unauthorized access is still denied because the second credential is still needed to gain access. In other words, I may learn your password, but I don’t have your smart card or your thumb print. The attempted access is stalled or prevented without both credentials. These credentials can be used in any combination, smart card and password, password and thumb print, smart card and iris scan, etc. The key of multi-factor authentication is to establish a layered approach to allowing access to your information systems and thereby securing your e-PHI.
Multi-factor authentication is a basic security principle which should be considered whenever possible as it provides a more secure method for authenticating access to only those who are authorized. In addition to multi-factor authentication, HHS has provided a short list of tips to discuss with your staff during NCSAM and others as you see are appropriate. You can review the NCSAM tips at: https://www.hhs.gov/sites/default/files/hipaa-cyber-awarness-monthly-issue-september-2017.pdf.
Contact our Lead Account Executive, Theresa Zemcuznikov at firstname.lastname@example.org who can provide you a demo of our award-winning HIPAA compliance software where you can manage your entire privacy and security program in one location. In the meantime, happy HIPAA trekking.