Experts comment on the HIPAA Security Rule and discuss solutions designed to help ensure the integrity of protected health information (PHI).
By Phil Colpas, Editor, February 2013
Just because we’re paranoid doesn’t mean they’re not out to get us.
In fact, Accellion, a provider of secure file-sharing solutions, estimates data breaches cost the healthcare industry approximately $6 billion a year.
From augmenting security through a plethora of means to exploring various ways of fending off cyber attacks; from maximizing audit readiness to the challenges of securing mobile media, keeping protected patient information safe has become of paramount importance to the healthcare industry.
According to the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
Health Management Technology asked select industry experts to comment on the HIPAA Security Rule and discuss some state-of-the-art solutions designed to help keep patient information secure.
Pietro Parravicini, senior vice president, area manager - Americas, Anoto
Digital pens provide protection
With the growing emergence of wireless technologies in healthcare, the need for HIPAA privacy-compliant solutions is more critical than ever. Many health organizations are turning to digital pen-and-paper technology, which is Bluetooth enabled, very easy to use and fulfills all of the necessary security requirements.
With digital pen-and-paper technology, each individual piece of paper has unique identifiers in the microdot pattern that make it distinct. The digital pen’s strokes also have a unique ID, enabling hospital staff to identify which individuals made which pen strokes at what time. This results in a highly secure system for gathering HIPAA consent form signatures. Additionally, users are not only able to capture the forms digitally for electronic health record (EHR) purposes; they are also provided a hard-copy record of the patient’s consent.
When it comes to security, digital pens provide greater protection than many other data capture devices. If the pen is lost or stolen, the information that is on the pen cannot be decoded because it is encrypted with undecipherable “x” and “y” coordinates. The solution also captures time and date information, which can reduce fraudulent paperwork activities. In fact, digital pens have a much lower risk of theft in general compared to tablets or laptops. Since it looks like an ordinary pen, it doesn’t draw as much attention to itself, lowering its overall risk of being stolen.
Bud Michael, president and CEO, eSoft
Cyber attacks: The new normal in healthcare
Healthcare providers of all sizes are now attractive targets of cyber thieves because of the types and sheer volume of patient data stored. Not only can a data breach cost your company money, breaches made public under HIPAA regulations can expose your company to litigation, damage its image and impact shareholder value.
For years, cyber security has been thought of as an IT issue. This mindset needs to change.
Cyber security should be an issue of importance to the C-suite, elevating the need for boards of directors, general counsels, chief risk officers and chief information security officers to understand and monitor their organization’s level of planning and preparedness to address cyber risks.
A recent study by Corporate Board Member/FTI Consulting Inc. found that one-third of the general counsel surveyed believe that their board is not effective at managing cyber risk. Only 42 percent of directors in that study said that their company has a formal, written crisis-management plan for dealing with a cyber attack; yet 77 percent of directors and general counsel believe that their company is prepared to detect a cyber breach, statistics that reveal a “disconnect between having written plans and the perception of preparedness.” Indeed, a 2012 governance survey by Carnegie Mellon CyLab concluded that “boards are not actively addressing cyber-risk management.”
Only 25 percent of the study’s respondents (drawn from Forbes Global 2000 companies) review and approve top-level policies on privacy and information technology risks on a regular basis, while 41 percent rarely or never do so. These figures indicate a need for boards to be more proactive when it comes to overseeing cyber-security risk management.
The growing risk of cyber attacks is the new normal, and cyber risk management should be a C-suite responsibility.
Kurt Long, founder and CEO, FairWarning Inc.
Time to reconsider audit readiness
Care providers will face more healthcare privacy regulatory enforcement in 2013 than ever before. In late 2011, Health and Human Services’ Office of Civil Rights (OCR) initiated the first-ever, wide-scale HIPAA audits. In June 2012, OCR announced the results of the first 20 audits. In July, OCR stated that HIPAA audits will continue in 2013. The 2012 audits revealed the top HIPAA Security Rule compliance issues, which included: monitoring user activity, planning for contingencies, authentication/integrity, media reuse and destruction, assessing conduct risk and granting/modifying user access.
In the 2012 audits, many care providers failed to demonstrate the use of systemic and automated user activity monitoring. Meaningful-use certified EHRs must produce audit trails and, under HIPAA, care providers must review audit trails of systems that touch protected health information (PHI). When patient privacy monitoring is conducted across centralized data – which includes user data, application data and event data specifics – the information allows for stronger correlations between privacy breach analytics, accounting of disclosures and enhanced incident investigation workflow.
In response to 2013’s ramped-up enforcement practices, leading care providers must reconsider their audit readiness. Care providers must examine how to efficiently address any material gaps and shortfalls in achieving HIPAA compliance. Care providers with compliance programs that include training, periodic risk assessments, targeted and integrated technologies, and proactive user activity monitoring of EHRs will be well prepared for a potential audit. Care providers who rely on shelf-ware or breach-detection solutions that do not involve user-activity monitoring, are without an established repository for audit trails, lack privacy breach monitoring and detection, or rely on manual processes are likely to be non-compliant with the HIPAA Security Rule and risk a failed audit in 2013.
Danny Creedon, managing director, Kroll Advisory Solutions
Getting the most from a HIPAA risk analysis
As 2013 gets underway, it’s critical that healthcare organizations understand the complexity of the data security challenges they’ll face in the coming years, and the important role that HIPAA risk analyses play in addressing them. What follows are best practices for getting the most out of your HIPAA risk analysis, which equates to protecting the integrity of the data you keep.
- Cast a wide net. Ensure that proper stakeholders from cross-functional areas are involved in the assessment – IT, human resources, compliance, legal and other key area supervisors.
- Fully scope the risk assessment. Recognize the full range of your organization’s compliance obligations. This means ensuring that each assessment stage is clearly defined and that your team understands the objectives.
- Take stock of your data. Determine how PHI and EPHI are received, stored, transmitted, accessed and disclosed. Be sure to include data that might be stored with third parties or on removable/portable devices.
- Address known vulnerabilities. Document potential vulnerabilities that you’ve already identified (provided they fall into the scope of your assessment). This will help in navigating various requirements stated in the HIPAA Security Rule.
- Document thoroughly. Make sure you’ve employed meticulous documentation practices throughout the assessment process. The material you’ve gathered throughout the assessment will be critical in meeting HHS requirements.
- Be prepared for follow up. Make sure you’re ready to address any security deficiencies that you’ve identified. Failing to do so could leave your organization subject to corrective action by HHS.
- Check on your progress. Perform periodic risk assessments to ensure you’re eliminating new vulnerabilities that might have developed, particularly after a change in technology or business operations.
John Klimek, R. Ph., SVP, industry information technology, NCPDP
Hackers and slackers and thieves! Oh my!
Safeguarding the security and privacy of protected health information (PHI) is a journey that must evolve over time. Since Congress passed HIPAA in 1996, covered entities, including providers and health plans, have taken steps to protect patient health information; yet data breaches still take top headlines and instill a sense of fear in patients and consumers.
The U.S. Department of Health and Human Services (HHS) recorded one of the largest data breaches to date in 2012, putting the protected health information of more than 780,000 patients in jeopardy. Increased adoption of electronic health records and cloud-based and mobile computing technologies compounds the risk. So it begs the question: What can covered entities do better to secure PHI and make patients confident that their information is safe?
Follow the pharmacy road. While the Office of the Inspector General, the enforcement arm of HHS, has called for guidance on security standards and best practices, the pharmacy services sector of healthcare has already paved that golden road. Recognizing that there is a technology component to assuring the security of PHI, but that most data breaches are attributable to people – hackers, employees mishandling health information, thieves and the like – the best practice is to engage people, processes and technology.
Pay attention to the pharmacist behind the counter. Patient consults in the pharmacy setting, for example, require utmost attention to privacy and security. Pharmacies provide HIPAA education and training for all employees who step behind the pharmacy counter. Other process and technology safeguards have been successfully addressed – from removing notes with passwords affixed to the pharmacy computer monitor to addressing authentication for e-prescribing controlled substances.
There is no doubt that healthcare organizations need to shift priorities in favor of fortifying privacy and security of PHI. As technology continues to evolve and access expands (as with BYOD, for example), processes, education and standards must keep pace, striking the right balance and enabling more efficient and better quality healthcare while protecting patients’ personal health information.
Dean Wiech, managing director, Tools4ever Inc.
Five reasons to use role-based access control
Role-based access control (RBAC) allows organizations to restrict access to certain systems, allowing only authorized users access to specific information. Though little known among the mainstream, as a tool RBAC is used by the majority of health systems and has the potential to protect the security of information healthcare organizations protect.
Here are five reasons why the use of RBAC is a natural fit in a healthcare environment:
- Improves systems and applications security. Often, when new employees need accounts, a copy of another is made, called a “template user”; this is a security risk since access to applications and systems is also copied and is often never revoked. RBAC allows IT administrators to see what employees have access to given their role in the organization, ensuring access is granted only to those with security clearance.
- Makes security changes easier. Employees frequently change roles and jobs within an organization and subsequently need different access privileges. With RBAC in place, complex changes, such as a part-time employee working in two different departments, are handled without significant effort.
- Meets audit requirements. Employing RBAC makes meeting strict audit requirements easy as healthcare organizations must show that their information is secure. RBAC ensures that secure information remains that way, and organizational leaders can easily access this information for audits, if needed.
- Increases employee productivity. With RBAC, employees don’t have to wait for their privileges to be assigned and are able to immediately begin working with necessary applications, such as word processing and email. RBAC allows for automated access to base systems, and new users can get to work in a more efficient manner than paper-based systems, which can take days to set up and deploy.
- Reduces internal costs and cuts unneeded licenses. With RBAC, an organization can determine which internal applications are being used and how often, and decide which are necessary for their needs. Programs deemed unnecessary can be eliminated or have licensing counts reduced.
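As an added illustration of the two mechanisms described above (the “template user” copy that is never revoked, versus access derived from roles so that a role change revokes the old privileges and a part-time employee in two departments gets the union of both), here is a minimal RBAC model in Python. It is example code, not Tools4ever’s product or any EHR vendor’s schema; the roles, permissions and users are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample roles (not any product's schema): role -> permissions it grants.
ROLE_PERMISSIONS = {
    "nurse_ward_a": {"ehr:read:ward_a", "ehr:vitals:ward_a", "email"},
    "nurse_ward_b": {"ehr:read:ward_b", "ehr:vitals:ward_b", "email"},
    "billing": {"billing:read", "billing:write", "email"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        """Effective access is recomputed from the user's *current* roles.

        Nothing is stored per user, so removing a role removes its access
        immediately; an unknown role raises KeyError (fail closed)."""
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def has_access(user: User, permission: str) -> bool:
    return permission in user.permissions()


def change_role(user: User, old: str, new: str) -> None:
    """Job change: drop the old role and add the new one in one step."""
    if new not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new!r}")
    user.roles.discard(old)
    user.roles.add(new)


def clone_template_user(template: User) -> set:
    """The 'template user' anti-pattern from the text: copy another account's
    effective permissions as a snapshot. The snapshot is not tied to a role,
    so it never shrinks when the template's own access later changes."""
    return set(template.permissions())


def demo() -> dict:
    # Part-time nurse working in two wards: union of both roles' permissions.
    pat = User("pat", {"nurse_ward_a", "nurse_ward_b"})
    cloned = clone_template_user(pat)          # new hire made by copying Pat
    change_role(pat, "nurse_ward_b", "billing")  # Pat moves from ward B to billing
    return {
        "pat_reads_ward_b": has_access(pat, "ehr:read:ward_b"),    # False: revoked
        "pat_writes_billing": has_access(pat, "billing:write"),   # True: new role
        "clone_still_reads_ward_b": "ehr:read:ward_b" in cloned,  # True: stale copy
    }
```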
Drew Gantt, partner, Cooley LLP
Outlook on data privacy and security in 2013
As 2013 gets underway, we are in the midst of a health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so because it assumes that health information rightly resides with providers and payers (HIPAA-covered entities), rather than business associates or consumers. HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information when the relationship between the business associate and the covered entity ends. That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies.
At the same time, increased use of mobile media by health care providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smartphones, laptops, tablets and flash drives, continues to be among the largest sources of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf)
That guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payers and ideally does not leave their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.