[BreachExchange] AHIMA Notes Cybersecurity Prep, HIPAA Compliance as Focus Areas

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 15 20:05:31 EST 2017


https://healthitsecurity.com/news/ahima-notes-cybersecurity-prep-hipaa-compliance-as-focus-areas

All healthcare organizations can work on improving their privacy and
security by focusing on their cybersecurity preparation, HIPAA compliance,
and staying people-oriented, according to a recent blog post on the Journal
of AHIMA.

AHIMA’s 11th annual Privacy and Security Institute highlighted several ways
that entities can focus on the larger trends and apply lessons to their
daily operations, wrote contributor Kathryn Ayers Wickenhauser, MBA, CHPC,
CHTS-TR.

For example, Boston Children’s Senior Vice President for Information
Services and Chief Information Officer Daniel J. Nigrin, MD, MS, explained
in a session that cybersecurity preparation is essential. Organizations
need to incorporate appropriate preventative measures into their daily
operations.

“He highlighted that when [Boston Children’s] discovered the possibility of
an attack, they were not sure if the threat was legitimate or not, but
decided not to let the validity of the threat stop the organization from
preparing in the event an attack happened,” the post explained. “After
three weeks of silence, they thought their organization was ‘out of the
woods’, but lo and behold, an attack did start.”

“Because the organization had taken the threat seriously and implemented
contingency plans in case of an attack, they were able to execute their
plan and minimize organizational impact when the attack did pick up.”

Cybersecurity preparation, such as backing up data, has also been
underlined by OCR. A data backup plan, a disaster recovery plan, and an
emergency mode operation plan are not only required elements under the
Security Rule, but are greatly beneficial, OCR wrote in a September 2017
release.

Sensitive data needs to remain protected during times of crisis, such as in
the aftermath of a hurricane or following a cybersecurity attack, but ePHI
also needs to be accessible to ensure proper patient care.

“The Privacy Rule is carefully designed to protect the privacy of health
information, while allowing important health care communications to occur,”
OCR said. “The HIPAA Security Rule’s requirements with respect to
contingency planning also help HIPAA covered entities and business
associates assure the confidentiality, integrity and availability of
electronic PHI (ePHI) during an emergency such as a natural disaster.”

The blog post also stressed that covered entities need to understand that
HIPAA has grey areas, and is not a “one-size-fits-all black-and-white
experience.”

For example, what is considered a “reportable breach” will likely differ
from one organization to the next.

Ransomware is one increasingly debated issue, with organizations
questioning whether or not a ransomware attack is considered a HIPAA data
breach. HHS states a breach is “an impermissible use or disclosure under
the Privacy Rule that compromises the security or privacy of the protected
health information.”

Under ransomware guidance released in July 2016, OCR said each situation
must be treated individually, as it is a “fact-specific determination.”

“When electronic protected health information (ePHI) is encrypted as the
result of a ransomware attack, a breach has occurred because the ePHI
encrypted by the ransomware was acquired (i.e., unauthorized individuals
have taken possession or control of the information), and thus is a
‘disclosure’ not permitted under the HIPAA Privacy Rule,” OCR said.

People will always remain at the center of the healthcare industry, the
AHIMA blog post added. This means organizations need to incorporate
regular, comprehensive employee training, and must also ensure that
patients can access their own PHI.

“Even with the advent of health information exchanges (HIEs), enterprise
data warehouses (EDWs), and health information service providers (HISPs),
technology does not mean an automated patient experience,” the post
explained. “Compliance will still be involved to verify authorizations in
the case of third-party PHI disclosure or in cases of mental health,
behavioral health, and substance abuse treatment.”

The healthcare industry – and its associated technologies – will only
continue to change, Wickenhauser continued. Organizations must remain
educated on any federal or state changes, which will help entities maintain
compliance.

“Compliance and healthcare professionals alike can expect many changes with
interoperability and the increasing frequency and methods of data
exchange,” she wrote. “As the healthcare industry changes and evolves, so
will healthcare compliance.”

Finally, the AHIMA Institute showcased how stakeholders can continue to
learn from one another, and how working together helps organizations stay
educated and engaged. This underscores the growing need for information
sharing and the benefit organizations can gain from joining an information
sharing and analysis organization (ISAO).

“One of the most helpful and powerful parts of the Privacy and Security
Institute was hearing from other people who had been there, such as
Nigrin’s Hacktivists presentation and April Carlson’s session on her
experience going through an OCR audit,” the post said. “When we participate
in conversation, pursue education, and share our experiences, we all help
advance healthcare and compliance.”