For organizations in the healthcare sector, implementing and maintaining a comprehensive cybersecurity program is imperative to guard against increased threats of cyberattack and to prepare for Health Insurance Portability and Accountability Act (HIPAA) enforcement audits.
The HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) outline federal requirements for the privacy and security of protected health information (PHI), whether in printed or electronic form. As part of an enforcement effort, HITECH also commissioned the Department of Health and Human Services (HHS) to perform periodic audits of compliance by both covered entities and business associates. HHS’s Office for Civil Rights (OCR) developed and launched a pilot audit program in 2011 and initially focused on covered entities.
After review and assessment of the pilot audit program, in March 2016 OCR announced planned revisions to the HIPAA compliance audit approach.1 Phase 2 of the audit initiative expands beyond covered entities to examine compliance by business associates – third-party vendors that would have access to protected information. Examples of business associates include third parties that manage a pharmaceutical network, provide accounting services, or assist a covered entity with claims processing. The new audit protocol has been designed to assess compliance with selected requirements of each of the elements of HIPAA – privacy, security, and breach notification. Although audits are intended to identify opportunities for compliance improvement, significant deficiencies may result in additional investigation through a broader compliance review, and fines and penalties may be levied for data breach and compliance violations. In addition, in August 2016 OCR announced a change in its breach investigation approach and will now investigate PHI breaches dealing with fewer than 500 individuals.2
Potential Organization Weaknesses
While covered entities have been hard at work implementing measures to safeguard the security, integrity, and confidentiality of PHI from cyber criminals, attacks against the healthcare sector continue to climb. In 2015, healthcare topped the list of targeted industries for cyberattacks, resulting in the compromise of more than 100 million healthcare records in that year alone.3 The interest in healthcare as a target is due to both the volume and black market sales value of digital patient data – such as names, mailing addresses, phone numbers, birthdates, diagnoses, insurance providers and member identification numbers, and Social Security and credit card information – that often is stored without proper security measures.4
One recent OCR investigation identified several significant HIPAA compliance weaknesses:
- The affected organization did not conduct a comprehensive security risk analysis and risk management plan related to its electronic PHI (ePHI).
- It failed to obtain assurances from business associates, in the form of executed business associate agreements (BAAs), that information handled by the associate would be safeguarded.
- The organization did not implement physical security policies and procedures to limit access to systems and information housed in its data center.
- The organization failed to provide reasonable security for the data stored on unencrypted devices; one of these was a laptop left overnight in an unlocked vehicle.
Although certainly not isolated, this example highlights the need for healthcare systems to implement and maintain a strong and effective cybersecurity program. Doing so is critical to reduce both the likelihood and the impact of a security breach, and at the same time it promotes regulatory compliance and reduces potential negative impacts from HIPAA enforcement audits.
Implementation of an Effective Program
In implementing, maintaining, or enhancing cybersecurity programs, health systems should include the following critical components:
- Conduct and maintain an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI; develop and execute plans to manage or correct identified security weaknesses.
- Develop and implement policies, procedures, and tools to limit physical access to electronic information housed in data centers or other premises within the organization.
- Maintain an accurate inventory of devices, and implement encryption for devices and media that store or process PHI. Educate the workforce on required procedures for physical security over any unencrypted devices and media.
- Identify and maintain a complete inventory of business associates. For business associates that handle PHI, obtain satisfactory assurances in the form of a BAA that all ePHI in their possession will be safeguarded in accordance with HIPAA requirements.
- Document and maintain evidence of policy and procedure implementation to support potential compliance audits.
Implementing and maintaining an effective cybersecurity program is both highly complex and costly, requiring a long-term commitment of resources from an organization’s management and governance functions. Healthcare organizations that put in place and maintain a successful cybersecurity program will go a long way toward protecting themselves from risks of cyberattacks and negative financial impacts as well as preparing for possible regulatory audits.
1 “OCR Launches Phase 2 of HIPAA Audit Program,” Department of Health and Human Services, March 2016, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/
2 “OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer Than 500 Individuals,” rel="noopener noreferrer" HHS OCR, Aug. 18, 2016, https://list.nih.gov/cgi-bin/wa.exe?A2=OCR-PRIVACY-LIST;65d278ee.1608
3 “Reviewing a Year of Serious Data Breaches, Major Attacks and New Vulnerabilities,” IBM X-Force rel="noopener noreferrer" Research, 2016 Cyber Security Intelligence Index, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03133USEN&attachment=SEW03133USEN.PDF