● Thought Leaders: Security
Identifying the most vulnerable devices to HIPAA compliance
By Derek Brost, eProtex S
ince the enforcement of the HIPAA Privacy Rule in 2003 and the Security Rule in 2005, the Department of Health and Human Services Offi ce of Civil Rights has investigated and resolved more than 18,000
violations. T e latest Ponemon Institute study estimates more than 21 million patients have been aff ected by data breaches, with a staggering 94 percent of hospitals experiencing a patient data breach. As the healthcare industry moves toward a fully automated system featuring electronic protected health information (ePHI) and clinical data warehousing, even more data is at risk and more breaches are imminent. A challenge to HIPAA compliance is determining which systems and equipment are vulnerable and understanding the risks involved. Basically, any medical device that stores, generates or transmits ePHI can be vulnerable to viruses, security breaches or other issues that result in non-compliance. T is article will shed light on the most vulnerable devices in the healthcare system and off er simple solutions. T e following is a list of the most vulnerable devices in a given healthcare environment:
1. Any device not identified in risk assessment. If a connected medical device hasn’t been included in a legally required HIPAA risk assessment, then it’s already in violation of an administrative safeguard. Failure to adhere to HIPAA guidelines, as they relate to risk assessment, can lead to signifi cant fi nes for willful negligence. A risk assessment equips your facility with an accurate blueprint of where you stand with regard to compliance so you can make wise decisions about the risk level acceptable to you. It also reveals steps you can take toward compliance, which may be as simple as tweaking your password policy, turning a computer monitor away from public view and educating staff on responsibilities.
2. A device infected with a Trojan. Just like a personal computer, an attached workstation could be infected with malware if appropriate antivirus or detection systems are inactive or not present. Plus, if the infected device is connected to the network in such a way that is it is permitted to scan
28 February 2013
and communicate with others on the network, it could infect them as well. Meanwhile, a spyware/Trojan type of malware could take numerous screenshots or log keystrokes of patient data and transmit them to an unknown party.
3. Information not coordinated across departments. T e hospital network administrator may only know of a certain device as an active network port. Meanwhile, the clinical service technician only becomes familiar with this device when it requires repair or service. T e PACS (picture archiving and communication system) administrator only cares about this device as an image source. Yet few consider the crippling risks to patient data and care that this device presents in its current state.
4. A device with no unique login or access log. One of the easiest yet most overlooked tasks to reduce risk on a device is unique login and access logs. Unless a unique login is required to access the acquisition station, clinicians could access years’ worth of locally stored patient data with a few clicks. In addition, if no log is kept tracking which clinician accessed which records or when, information breaches become far more likely because it’s harder to identify who, what, when and where it happened. It can be as simple as creating a policy and procedure for developing and updating unique passwords, and being disciplined enough to enforce it.
5. Social media apps. Social media sites can cause serious disruption of patient data. For example, if a clinical user has a game on a favorite social media site running in the background between patient studies, it may cause funny pop-ups to occur for days, slowing the image acquisition and retrieval process. T e best solution is to prevent the device from accessing the Internet unless absolutely necessary for clinical operations.
The bottom line Make an upfront investment of time and resources to become compliant, or eventually pay the costs to recover from a violation of the compliance code.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com
For more on eProtex: www.rsleads. com/302ht-206