You know that you have to secure your Protected Health Information. You also know that you should encrypt your PHI. But, do you know how expensive not having your PHI encrypted can be? Do you know the steps you should take to encrypt your devices and systems?
The University of Texas MD Anderson Cancer Center (MD Anderson) knows exactly how expensive it is to fail to encrypt. MD Anderson experienced multiple HIPAA violations recently:
- Theft of an unencrypted laptop from a private residence of an employee
- Two losses of unencrypted USB thumb drives
Because of these violations, MD Anderson was ordered to pay $4.35 Million in penalties to the Office for Civil Rights (OCR). The OCR news release on this case can be viewed here.
A History of Risk
In 2006, MD Anderson implemented written encryption policies. Even though they had a formal policy in place, MD Anderson had not implemented it. In fact, their own risk analysis found that the lack of device-level encryption posed a high-level risk. MD Anderson did not actually begin to encrypt ePHI until 2011. Even then, they still failed to encrypt their devices containing ePHI between March 24, 2011 and January 25, 2013.
They were penalized for each day of non-compliance and for each record breached. HIPAA allows for fines up to $1.5 Million per record per calendar year when assessing penalties for breaches.
MD Anderson was hoping to reduce the penalty. They argued that they were not obligated to encrypt their devices. They argued that because the ePHI disclosed was for research it was not subject to HIPAA. MD Anderson also believes that the penalties were unreasonable. The judge ruling on the case determined that there is a “high risk to MD Anderson’s patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
Encrypt Your PHI
So, what can you learn from this incident? Encrypt your PHI! Encryption sounds much more difficult than it actually is. You can easily encrypt your devices using tools already built into them. If a device cannot easily be encrypted, such as a USB drive, simply disallow its use in your organization. The risk is simply too great not to encrypt every device that holds PHI.
The HIPAA Security Rule is confusing. There are two types of steps identified in the Security Rule: Required and Addressable. The encryption rules for HIPAA are specified as “Addressable.” This confuses many organizations, just like MD Anderson. Addressable sounds like it should be optional. However, the definition of Addressable is not synonymous with optional.
If a HIPAA specification is Addressable and you determine that encryption is not an option for your organization, you must adopt an equivalent alternative solution to secure your PHI. In addition, you must document a strong justification as to why you are not able to implement the encryption specification.
The encryption and decryption standard can be found here.
Steps You Should Take
Just knowing that you have to encrypt your devices and stored PHI is not enough. You need to take steps to implement encryption practices in your organization. The first step is conducting a risk analysis. You can’t protect what you don’t know is at risk.
Secondly, you need to take an inventory of all your assets that store or transmit PHI. Be careful not to forget personal devices that are used to access your PHI (Bring Your Own Device – BYOD). During this step, determine if you need to apply encryption on the device or system.
You also need to create a policy and procedures for encrypting your PHI. Just having a policy in place is not sufficient. You have to IMPLEMENT your encryption procedures. In addition, you need to train your employees on the proper use and security of devices and systems containing PHI.
For more on how HIPAAtrek can help you with your HIPAA privacy and security program, please contact us!
Secure your Workstations! Workstation security is an important step in the overall health of your HIPAA Security program. You want to protect your patients’ sensitive information, so you must secure the tools you use to access, transmit, and store that information.
Secure Your Workstations
Secure workstations through a few simple steps.
- Ensure each workstation has access controls enabled. This restricts unauthorized users and programs from accessing ePHI.
- Ensure workstations have automatic logoff or screen savers at short intervals (less than 15 minutes).
- Patch and manage software regularly to ensure the highest level of security. This also helps to prevent breaches due to gaps in security updates.
- Position your workstations to protect from public view.
- Ensure you have physical security safeguards in place.
  - Workstations should be secured at their stations.
  - Laptops can be attached to a desk or otherwise secured when possible.
- Disable the ability for your employees to turn off your anti-virus software.
- Use enterprise-level (not home version) anti-malware software.
- Remove access to your network and software after an employee resigns or is terminated (within 24 hours).
In addition to these easy steps, you are required to review the audit logs of connected workstations. Automated tools that aid in audit log review will help ensure your organization stays on top of workstation security.
Train Your Employees
Employees are responsible for more than half of all healthcare breaches. It is important to train your staff on their role in securing their workstations.
Most employees cringe at the thought of compliance training. When employees are not engaged in the training process or they are simply bored, your training programs are not effective. Therefore, STOP the long BORING training sessions! Incorporate training in ways that are easy for your employees to digest. Security reminders are not only required by HIPAA, they are also incredibly effective training tools.
What is a security reminder? I am glad you asked! A security reminder is any communication, in any media, used to communicate important security information to your staff. Examples of security reminders include:
- Placing a poster or flyer in common areas such as an employee break room
- Sending short emails or memos
- Conducting staff meetings to impart vital security information
- Implementing screensaver messages
Training your staff in a meaningful way increases learning retention and improves staff productivity and engagement. Your employees won’t remember an hour-long training seminar. However, they will remember a note taped to the employee fridge or on the back of the bathroom stall!
Wrapping it Up
Workstation use is a standard in the security rule because it is the main avenue to your organization’s ePHI. Without appropriate workstation procedures and proper staff education, the workstation can become a risk to the confidentiality, integrity, and availability of your ePHI.
For more on how HIPAAtrek can help you with your HIPAA program, contact us! Happy HIPAAtrekking!
Password security is the bane of most healthcare organizations’ existence! Employees and providers groan every time they are required to change their passwords. Remembering complex passwords is also difficult, especially when you have multiple passwords to remember for all the programs and networks required to manage patient care. Writing passwords down and sharing passwords are common temptations to ease the pain of password management. However, not taking password security seriously is leaving your patients’ information vulnerable.
The Password Security Conundrum
Many organizations struggle with password security. Providers and nurses often share login credentials with staff to make their workflows easier. However, sharing passwords IS a real security threat.
If you share your password, you are responsible for ALL activity under your login credentials! It is difficult, if not impossible, to monitor someone else’s activity on your login. This is particularly true if you are not closely watching them while they are logged in as you. The person you share your password with can purposefully or accidentally change patient data. As a result, you can face serious disciplinary actions, including fines or termination.
In addition to password sharing, written-down passwords are another major concern. If you write your passwords down on a sticky note or in a notebook, STOP! This leaves passwords extremely vulnerable. Passwords that are written down can be lost or stolen. Also, it is impossible to determine who has accessed passwords that are written down on paper. If you must write down your passwords, consider the use of a password vault.
You and your staff are busy! As a result, these seem to be reasonable shortcuts to make your workflow more manageable. However, due to the possible monetary penalties or even loss of employment, they are really dangerous practices.
Not only is password security important for your security program, HIPAA actually REQUIRES it!
- Password Management: Procedures for creating, changing, and safeguarding passwords.
- Unique User ID: Assign a unique name and/or number for identifying and tracking user identity.
First, establish unique user IDs. This means that every user should have their own user name or identifier to log into sensitive programs or your network. Generic user IDs such as “Nurse Station 1” do not meet this requirement.
Second, make sure that every user ID has its own secure and complex password. This might, and probably does, mean that each employee will have multiple passwords that match up with each account.
Most importantly, TRAIN your staff on your security practices around securing and managing their passwords!
Security Beyond HIPAA
Just meeting the HIPAA requirements may not be enough to protect your patients’ information. Beyond HIPAA, it is important to protect passwords in order to secure your network and all of its data. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient.
Our HIPAA tip on sharing passwords is simple: don’t.
If you have any questions on how to meet these requirements, contact us!
Texting patient orders is easy. However, due to patient safety, security and privacy concerns, CMS and the Joint Commission prohibit it! Not only is texting patient information a gray area of the HIPAA law, it also does not meet Medicare requirements.
Texting and HIPAA
Despite how tempting and convenient texting patient information may seem, it is a legal gray area. Therefore, if you want to go down this path, consult an attorney who is well versed in HIPAA.
HIPAA is pretty serious about how Electronic Protected Health Information (ePHI) must be transmitted and stored. The transmission must be secure. This can be a tedious and expensive undertaking. Text messages need to be securely transmitted and archived. This becomes increasingly difficult with the Bring Your Own Device (BYOD) situation that naturally comes with texting. As most organizations do not provide cell phones to their staff, texting will be done on their personal devices.
All transmissions of ePHI, including texts, must be taken into account when an organization conducts its risk analysis. In the risk analysis process, the organization must consider:
- WHAT ePHI is being transmitted
- HOW the ePHI is being transmitted
- WHICH devices are permitted to send ePHI
- IF the organization has a BYOD policy, whether those devices are included in the risk analysis
In addition, the impact to the organization in the event of a breach must also be calculated. Events such as theft, loss, improper disposal of the device, as well as the likelihood of the ePHI being intercepted by an unauthorized individual, must all be considered in the risk analysis.
So How Do I Communicate?
You may be tempted to stop all electronic transmissions. However, eliminating electronic transmissions is not reasonable. Consider that 73% of all health care professionals are already texting ePHI, whether it is permissible or not. Also consider that 98% of all health care professionals rely on routine email messages to communicate with internal staff, referring providers and business associates. Eliminating electronic transmissions altogether could, and probably will, place an immense burden on the efficiency of your organization.
Because of the need for electronic communication, the idea of mutual consent comes into play. Mutual consent is where the HIPAA covered entity or business associate enters into an agreement with the patient whose data is being transmitted. HIPAA seemingly allows for insecure transmissions IF:
- The individual is clearly informed of the security risks of insecure transmission and a secure option is recommended.
- The individual indicates in writing that it is OK to send them ePHI via insecure email.
- The Covered Entity keeps explicit records of all of these “mutual consent” cases, including the content of the risk warnings and the written approval from the individual.
Be very careful when using this loophole in the HIPAA law. Seek the advice of an attorney well versed in HIPAA BEFORE sending any insecure transmissions. Given such a legal gray area, and with many affordable options for securely transmitting ePHI on the market, my recommendation is that you still use secure transmission.
Texting Patient Orders and CMS
The reason CMS and The Joint Commission prohibit texting patient orders goes far beyond HIPAA. In fact, texting patient orders is considered out of compliance with several CMS Conditions of Participation and Conditions of Coverage, most importantly the record retention and record content requirements.
If you participate in Medicare, you are required to maintain records in their original or legally reproduced form. Texts are not able to accomplish this. Additionally, some messaging platforms struggle with this requirement. Check with your messaging provider to see if they are able to integrate with your EMR’s Computerized Physician Order Entry (CPOE) function. If so, you may be able to continue to use your messaging application and remain in compliance with CMS.
As a Covered Entity (CE) or a Business Associate, you will likely have ePHI located on mobile devices and media. ePHI is no longer confined to your desktop computer; it lives on many portable devices throughout your organization. Examples include laptops, external hard drives, thumb drives, tablets, smart phones, backup disks or tapes, and digital memory cards. What they all have in common is that they are mobile and may leave your organization by design or by accident. Managing your mobile media is paramount to maintaining the confidentiality, integrity, and availability of your ePHI as required by the HIPAA Security Rule. To do so, you need policies and procedures to account for your mobile media, as well as procedures for reuse and disposal.
Accountability: The Security Rule requires you to account for all mobile devices and media that maintain ePHI. This includes controlling where your media moves within your organization as well as outside of it. Imagine a scenario where mobile media cannot be found or accounted for in your large facility. Is it still in your facility, or has an employee taken it home? Is it lost? Worse yet, imagine the mobile device leaving your organization without your knowledge, placing your organization at risk of a privacy breach. To establish an accountability program, you must first have a full and correct inventory of all your mobile assets (laptops, tablets, smart phones, etc.). The next step is to establish a check-out/check-in log for the mobile media. Anyone who wants to remove mobile media from the organization must check it out first and sign it back in upon return. There must be a business justification to remove the device or media. Those few individuals who have been approved to use mobile media outside the facility on a routine basis should also sign the media out initially as a long-term checkout, so a record of its whereabouts is documented. Staff should be trained on this policy and it should be followed every time. Periodic review of the sign-out log will help prevent further concerns about missing mobile devices and media.
Reuse: Mobile devices and media are sometimes reused within an organization. Additionally, many organizations provide their used or outdated hardware/software to local charities, such as churches or elementary schools. Whether the media stays in house or is donated, you need to ensure the media is sanitized of all ePHI.
There are several different software cleaning solutions on the market. These tools require that you run the software over the storage drive to eliminate all the data. They are sometimes called “Disk Wipe” software. Each full overwrite of the drive is commonly known as a “pass”; look closely at the software instructions, which will direct you to run three or up to seven passes. The Department of Defense (DoD) 5220.22-M data sanitization method overwrites the existing information on the storage device. The wipe sequence writes zeros on the first pass, writes ones on the second pass, and writes random characters over the data on the third pass, making any previous information unrecognizable and unretrievable. When cleaning smart phones, review the manufacturer’s instructions for wiping the memory or restoring the smartphone to factory settings. The objective is to clean your mobile media so that it is free of all ePHI and the device can be reused internally or externally. Finally, document and tag the item as sanitized and make a record of who it is signed out to.
Disposal: Not all mobile devices and media are reused. More often they are slated for disposal at the end of their life cycle. Disposal requires you to permanently remove all ePHI AND permanently destroy the device so that it cannot be used again. A common method of destroying a hard drive is to use a degausser (a degausser will not work with flash-memory devices). This method removes all ePHI and makes the drive unusable. If you don’t have a degausser, you can wipe the media clean (see the reuse method above) and then physically destroy the hard drive platter with a hammer. You can also use the options for mobile media listed in NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization: shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. Afterwards, document the destruction in your inventory so that it includes:
- Name of media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying media
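As an added illustration of the three-pass overwrite sequence and the destruction record fields described above (this is example code written for this page, not code from HIPAAtrek or from any disk-wipe product), the following Python script overwrites a scratch file with zeros, then ones (0xFF), then random bytes, verifies that a constructed sample string no longer appears, and returns a record with the media name, method, date and person. The file, media label and person name are constructed placeholders; overwriting an ordinary file does not sanitize an SSD or any device with wear levelling, where the manufacturer's secure-erase or the physical methods above apply.

```python
import os
import secrets
import tempfile
from datetime import date

# Pass sequence the page describes for DoD 5220.22-M: zeros, ones, then random.
# "Ones" is interpreted as all one bits (0xFF); None means random bytes for that pass.
DOD_5220_22_M = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=DOD_5220_22_M, chunk=1 << 16):
    """Overwrite every byte of the file at `path` in place, once per pass.
    Returns the number of passes completed. Ordinary files only: journaling
    filesystems, SSD wear levelling and spare blocks can keep copies this
    loop never touches, so this is a demonstration, not a device sanitizer."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for pattern in passes:
            fh.seek(0)
            written = 0
            while written < size:
                n = min(chunk, size - written)
                data = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(data)
                written += n
            os.fsync(fh.fileno())  # push each pass to the medium before the next
    return len(passes)


def contains(path, needle):
    """Post-wipe check: True if `needle` still appears anywhere in the file."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def sanitize_and_record(path, media_name, person, method="DoD 5220.22-M, 3-pass overwrite"):
    """Wipe the file and return the inventory record the page says to keep."""
    passes = overwrite_file(path)
    return {"media": media_name, "method": method, "passes": passes,
            "date": date.today().isoformat(), "person": person}


def demo():
    """Constructed sample: a scratch file standing in for a thumb-drive image.
    Returns (record, sample_still_present, size_unchanged)."""
    sample = b"PATIENT: Jane Doe, MRN 000001 (constructed sample)\n" * 200
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        record = sanitize_and_record(path, "USB-THUMB-01 (placeholder)", "J. Smith (placeholder)")
        leaked = contains(path, b"PATIENT")
        size_ok = os.path.getsize(path) == len(sample)
    finally:
        os.unlink(path)  # the wipe is done; the scratch file itself is not needed
    return record, leaked, size_ok


if __name__ == "__main__":
    print(demo())
```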
As a Covered Entity (CE) or a Business Associate you will undoubtedly have mobile devices and media to manage. Today, mobile media seems to be ubiquitous. To ensure you protect ePHI from unauthorized access and prevent a data breach, implement device and mobile media accountability, reuse, and disposal procedures. Staff should understand that they must bring questions and concerns about mobile media to you (the security officer or security office), including questions about the use of their own mobile media if your policy allows it. The HIPAA Security Rule addresses the requirements for device and media control at 45 CFR §164.310(d)(1) Physical Safeguards; Device and media controls. For further questions on this topic or assistance with your HIPAA compliance program, please contact our Chief Executive Officer, Sarah Badahman, at email@example.com. Until then, happy HIPAA trekking!