that “boards are not actively addressing cyber-risk management.” Only 25 percent of the study’s respondents (drawn from Forbes Global 2000 companies) review and approve top-level policies on privacy and information technology risks on a regular basis, while 41 percent rarely or never do so. These figures indicate a need for boards to be more proactive when it comes to overseeing cyber-security risk management. The growing risk of cyber attacks is the new normal, and cyber risk management should be a C-suite responsibility.
Kurt Long, founder and CEO, FairWarning Inc.

Time to reconsider audit readiness

Care providers will face more healthcare privacy regulatory enforcement in 2013 than ever before. In late 2011, Health and Human Services’ Office for Civil Rights (OCR) initiated the first-ever, wide-scale HIPAA audits. In June 2012, OCR announced the results of the first 20 audits. In July, OCR stated that HIPAA audits will continue in 2013. The 2012 audits revealed the top HIPAA Security Rule compliance issues, which included: monitoring user activity, planning for contingencies, authentication/integrity, media reuse and destruction, assessing conduct risk and granting/modifying user access.

In the 2012 audits, many care providers failed to demonstrate the use of systemic and automated user activity monitoring. Meaningful-use certified EHRs must produce audit trails and, under HIPAA, care providers must review the audit trails of systems that touch protected health information (PHI). When patient privacy monitoring is conducted across centralized data – which includes user data, application data and event data specifics – the information allows for stronger correlations between privacy breach analytics, accounting of disclosures and enhanced incident investigation workflow.

In response to 2013’s ramped-up enforcement practices, leading care providers must reconsider their audit readiness. Care providers must examine how to efficiently address any material gaps and shortfalls in achieving HIPAA compliance. Care providers with compliance programs that include training, periodic risk assessments, targeted and integrated technologies, and proactive user activity monitoring of EHRs will be well prepared for a potential audit. Care providers who rely on shelf-ware or breach-detection solutions that do not involve user-activity monitoring, who are without an established repository for audit trails, who lack privacy breach monitoring and detection, or who rely on manual processes are likely to be non-compliant with the HIPAA Security Rule and risk a failed audit in 2013.
Danny Creedon, managing director, Kroll Advisory Solutions

Getting the most from a HIPAA risk analysis

As 2013 gets underway, it’s critical that healthcare organizations understand the complexity of the data security challenges they’ll face in the coming years, and the important role that HIPAA risk analyses play in addressing them. What follows are best practices for getting the most out of your HIPAA risk analysis, which equates to protecting the integrity of the data you keep.

Cast a wide net. Ensure that proper stakeholders from cross-functional areas are involved in the assessment – IT, human resources, compliance, legal and other key area supervisors.

Fully scope the risk assessment. Recognize the full range of your organization’s compliance obligations. This means ensuring that each assessment stage is clearly defined and that your team understands the objectives.

Take stock of your data. Determine how PHI and EPHI are received, stored, transmitted, accessed and disclosed. Be sure to include data that might be stored with third parties or on removable/portable devices.
HEALTH MANAGEMENT TECHNOLOGY

Address known vulnerabilities. Document potential vulnerabilities that you’ve already identified (provided they fall into the scope of your assessment). This will help in navigating the various requirements stated in the HIPAA Security Rule.

Document thoroughly. Make sure you’ve employed meticulous documentation practices throughout the assessment process. The material you’ve gathered throughout the assessment will be critical in meeting HHS requirements.

Be prepared for follow-up. Make sure you’re ready to address any security deficiencies that you’ve identified. Failing to do so could leave your organization subject to corrective action by HHS.

Check on your progress. Perform periodic risk assessments to ensure you’re eliminating new vulnerabilities that might have developed, particularly after a change in technology or business operations.

John Klimek, R. Ph., SVP, industry information technology, NCPDP

Hackers and slackers and thieves! Oh my!

Safeguarding the security and privacy of protected health information (PHI) is a journey that must evolve over time. Since Congress passed HIPAA in 1996, covered entities, including providers and health plans, have taken steps to protect patient health information; yet data breaches still take top headlines and instill a sense of fear in patients and consumers.

The U.S. Department of Health and Human Services (HHS) recorded one of the largest data breaches to date in 2012, putting the protected health information of more than 780,000 patients in jeopardy. Increased adoption of electronic health records and cloud-based and mobile computing technologies compounds the risk. So it begs the question: What can covered entities do better to secure PHI and make patients confident that their information is safe?

February 2013 19