[BreachExchange] Monitoring Risk and Staying HIPAA Complaint

[Audrey McNeil]

http://healthitsecurity.com/news/monitoring-risk-and-staying-hipaa-complaint

Effectively monitoring and managing potential risk is a key area for any
covered entity or business associate. No organization wants to lapse in
staying HIPAA compliant, as the ramifications could be detrimental to
patients and the business itself.

The proliferation of mobile devices, the increase in healthcare ransomware
threats, and the most recent round of OCR HIPAA audits are all examples of
why organizations need to be diligent in their risk analyses. Just one
small lapse or oversight could lead to a data breach and lengthy – and
expensive – recovery process.

Elizabeth Warren, a healthcare attorney at Bass, Berry & Sims
toldHealthITSecurity.com that the recent OCR guidance on ransomware is
helpful, and clarifies how organizations should approach ransomware attacks
in terms of HIPAA compliance and PHI exposure.

The ransomware that most people are accustomed to dealing with, or have
been dealing with is the kind that comes in and then locks down data,
Warren said. This is where the data stays in one location and a third party
doesn't have a copy.

“In that situation, a lot of people had assumed it’s not a breach because
no one has actually gotten ahold of the data,” she explained.
“Organizations had though there has to be an impermissible access use or
disclosure for there to possibly be a breach. That’s Step 1.”

However, OCR clarified that it views the act of third parties locking down
the data, encrypting it, as an improper disclosure because someone has
gotten control of the data. Even if the third party don't have a copy that
they can use themselves, there is an impermissible use or disclosure
access, she stated.

“Now, organizations have to move on to Step 2, which would be evaluating
whether it is a breach or not,” said Warren. “Under the rules, there's a
presumption that an incident like that is a breach. However, if you can
demonstrate and overcome the presumption that there's a low risk of
compromise, organizations could still conclude that it wasn't a breach, and
they have to look at the four factors outlined in the Rule.”

The four factors relate to the type of PHI involved, did the recipient
actually access it, what has the organization done to mitigate it, has the
organization fixed it or not, and has the organization stopped the problem
sufficiently so that the risk factor is low. Covered entities have to look
through those and then evaluate whether they feel comfortable saying,
"Okay, we don't have a breach."

It is also important to consider the nature of the data that’s involved,
Warren added. That would be one key factor if perhaps someone used
ransomware and turned the data loose. For example, if a database that does
not contain PHI is locked down, or if an organization has a backup copy of
information, then the impact to the organization or to patient care may not
be as great.

“It's still possible to conclude it's not a breach, it's just harder to do
than it was before we had the OCR guidance,” said Warren.

Staying HIPAA compliant with ransomware threats

Under the HIPAA Security Rule, there is an overall obligation for covered
entities to have a good risk analysis, which includes going through all
potential risks and knowing where their sensitive data is located, Warren
explained.

One potential risk currently would be ransomware, she said. For example,
what if an organization has malware that gets installed? There has always
been a risk of malware, but now there are instances of healthcare
organizations being attacked. Perhaps now it is being viewed as a higher
risk than before.

“There is no way to 100 percent eliminate any risk,” Warren said. “There's
always going be some – you have to access your data, there's always human
beings involved – but it definitely would be a priority item to look
through your systems and figure out where are the highest risks and what is
being done to reduce that and manage it. From there you hope that you don't
end up on the wrong side of an incident.”

Potential healthcare ransomware threats are making threats because of
previous attacks and through the recent OCR guidance. That does put more
pressure on the risk analysis, according to Warren. Organizations do not
want to be caught flat-footed and need to ensure that there are thinking
about these issues.

“For some entities, it can be helpful when OCR hands out that kind of
guidance,” she stated. “And we're seeing more enforcement, which is scary,
but also can be helpful if you're internally trying to get more resources
and more focus on security issues to help demonstrate the need for it. It
can also be helpful in showing why this expense should be a high priority,
stay on the budget, and get addressed.”

OCR HIPAA audits also a lesson in monitoring risk

The second phase of the OCR HIPAA audits can also be an important lesson
for healthcare organizations to ensure that they are properly monitoring
their areas of potential risk. Anna Spencer, a partner at Sidley Austin LLP
told HealthITSecurity.com in an email that findings from the Phase One
audit program and OCR settlements suggest that many covered entities fail
to conduct risk assessments.

Other common compliance issues involve identifying and reporting breaches,
which is why breach reporting is one of OCR’s three major areas of focuses
under the Phase Two audits.

“Even if they are not selected, regulated entities should familiarize
themselves with the audit protocols which offer a great window into the
types of documentation and activities OCR expects to see when it assesses
compliance with HIPAA,” Spencer said.

“For example, in addition to policies and procedures and risk assessments,
OCR has requested evidence in the form of screen shots, meeting minutes or
otherwise that risk assessments, which are comprehensive reports on the
risks to ePHI, and system vulnerabilities are circulated to management and
personnel in IT whose job it is to ensure that appropriate actions are
taken to reduce risks identified in the risk assessment to a reasonable
level.”

Connected medical devices, BYOD policies affect risk management

The increase in connected medical devices and BYOD strategies can
definitely complicate how covered entities need to approach their data
security measures, Warren said.

“It obviously brings in a lot more variables versus you having everyone on
the same exact equipment, where you know all the different things that can
happen,” she stated. “It makes the life of the security professional much
more complicated and then obviously elevates the human risk factor and all
the possible threats that can happen if it's your own device and it's
mobile.”

Organizations should consider how to implement realistic policies as well.
For example, it can be said in theory that banning a certain type of device
is the right approach. However, it’s not necessarily realistic.

Covered entities and their security teams need to find ways to keep daily
operations running smoothly while still effectively managing potential risk.

Spencer agreed that having more connected devices presents multiple risks
to ePHI.

“For example, there is the risk that any PHI saved to the device could be
compromised if the device is lost or stolen,” she said. “There is the risk
that malware could infect the device which could compromise the security of
any EMR or other system to which the mobile device can connect. OCR expects
that these and other risks are identified in the entity’s risk assessments
and that risk management plans address how the entity has taken steps to
reduce the risks (e.g., using remote wipe software to delete data if the
device is lost or stolen).”

There are many ways covered entities may become the target of an OCR
inquiry and these are the types of things all regulated entities should be
doing to comply with HIPAA, Spencer maintained.

Organizations could be investigated for numerous reasons, including the OCR
HIPAA audit program, as a result of a data breach, a complaint by a patient
or a plan enrollee, or even because a news article raises concerns at the
agency.

Maintaining awareness of potential risk areas to stay secure in 2016

There has definitely been an increase in OCR enforcement, Warren pointed
out. The key takeaway from the majority of those cases is that they
typically involve a lack of a strong risk analysis, or just having a risk
analysis in the first place.

“There’s still a focus and a need to have a good risk analysis, determine
how thorough it is, know if it picks up things like ransomware, all of the
data locations, and if it is current or not,” she said. “That’s a continual
process. Obviously, if you buy a new program, you will need to update the
risk analysis and take that into account.”

Organizations have lots of things they're trying to accomplish, and it can
be hard to stay on top of all those things, Warren added. However, making
sure there is a solid and well thought out risk analysis is one of the most
important things to be done.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160830/773abb34/attachment.html>