Chat with us, powered by LiveChat

A Balance of Trust: New Guidelines for Business Associates Under HIPAA

trusted partner seal business associate guidelines

The relationship between a covered entity and business associate requires a delicate balance of trust. This balance of trust works because each is invested in the security and protection of personal health information. As a covered entity, it is important to partner with business associates that have a strong security posture with safeguards and controls in place to prevent HIPAA violations and fines.

As a covered entity, there is a heavy responsibility to know how your trusted business associates are using and protecting ePHI. To help better distribute the responsibility between a covered entity and business associate, an update was made to the Final Rule to outline the responsibilities of a business associate and their liable.

On May 24, 2019, the Department of Health and Human Services Office of Civil Rights released a fact sheet that, “Provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach notification and Enforcement Rules, “HIPAA Rules.””

What changes were made?

In the new fact sheet, there are ten guidelines outlined that business associates can now be held directly liable for if a breach occurs. Below is a summary of the violations:

  1. Failure to provide records and compliance reports, cooperate with investigations and reviews, and permit access to information to determine compliance
  2. Taking retaliatory action against individuals filing a HIPAA complaint
  3. Failure to comply with the Security Rule requirements
  4. Failure to provide breach notification to a covered entity or another business associate
  5. Impermissible use and disclosures of PHI
  6. Failure to disclose a copy of PHI to the covered entity
  7. Failure to make reasonable efforts to limit PHI to minimum necessary
  8. Failure to provide an accounting of disclosures
  9. Failure to enter into business associate agreement with subcontractors that create or receive PHI, and failure to comply with the implementation specifications for such agreements
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractors’ business associate agreement.

What does this mean moving forward?

Because covered entities are responsible for notifying both the Federal Government and those individuals involved in the breach caused by a business associate, it is understandable some anxiety results in trusting others with ePHI. The way a vendor handles ePHI can greatly impact goals for any healthcare organization.

Having a proper HIPAA Security Risk Analysis performed covers basic requirements on how to manage business associates for the covered entity.

More covered entities today are requiring business associates to complete a HIPAA Security Risk Analysis or data security checklist with similar policies, procedures and evidence (e.g. screenshots showing proof of encryption, firewall configuration, data loss prevention and log/alert settings) to be sent for approval prior to signing an agreement and allowing access to ePHI.

These assurances protect the covered entity, the business associate and most importantly the individual’s rights to privacy and security.

How can HIPAA One support the balance of trust?

The complexity of managing multiple business associate agreements and contracts can quickly become unmanageable. However, HIPAA One will be releasing a new tool to help healthcare organizations better manage and track, automate and update these agreements all in one place.

This new Vendor Management System (VMS) is built on HIPAA One’s existing BAA contracting software which was designed to allow healthcare providers better organize contracts and reduce the time, effort, and administrative overhead. Below are the key features of the VMS tool:

  • Automated reminders, tracking, and updates with the option to bulk upload vendor information
  • Straight forward, ready-to-use contract templates (CE-friendly). Edits are easy to perform, and all fields are pre-filled for simpicity
  • Flexible and customizable templates can be grouped by purpose or department. VMS also allows edits to existing legal contracts
  • VMS satisfies security requirement standards by requiring the business associate, vendor or recipient of the contract to upload proof of compliance prior to sending the BAA contract
  • Built-in electronic signatures file the agreements upon signing making it easy to find during audits or contract reviews. All files, communications and actions are logged automatically
  • This tool can integrate with EHR or ERP financial platforms. Additionally, in subsequent HIPAA One Security Risk Analysis, users will have their inquiries pre-filled for questions related to Business Associates

We understand that it takes a lot of trust to partner with business associates and share critical data across the continuum of care. Ensuring each vendor has a standard of security that satisfies requirements is important before allowing a BAA to be signed. If you would like to know more about our Business Associate Agreement tool, or would like to be notified when we release our Vendor Management Solution, please contact us at info@hipaaone.com

Don’t Get Caught! Five Ways to Avoid a Phishing Scam

Bobby Seegmiller Blog Image - Phishing

I love to spend time with my family. Some of our favorite outdoor activities include skiing and mountain biking. Unfortunately, this time of year it is hard to do either activity because the snow is too slushy to ski and the canyon trails are too muddy to mountain bike. However, there’s one activity that my family can enjoy this time of year… fishing!

Early spring is one of the best times to go fishing because of ice-off. Ice-off is when the warm weather of spring melts the ice from the shore causing the ice to recede rapidly. Because the fish have been dormant for six months, they begin to move to the shallow water to feed, taking almost any bait you throw at them. As the weather continues to warm, the ice disappears and the fish swim to deeper water for safety. As the season progresses, the fish are more aware of the lures being thrown at them and it becomes more difficult to catch a fish.

What is Phishing?

Like fish during ice-off, we can quickly be caught in a “phishing” scam if we don’t have the correct training to identify these “deceptive lures” and the security in place to protect our data.

Phishing is the art of sending mass emails with a common theme attempting to trick users into clicking a link allowing access to personal information and data. You might notice these phishing attacks look like they come from a reputable source but that is a tactic used to persuade individuals to reveal personal information. As technology evolves, so does the sophistication of these phishing attacks. It is no longer a matter of if you receive a phishing email but when you receive a phishing email.

Nobody wants to fall prey to a phishing scam. Fortunately, there are safeguards you can put in place to avoid becoming a victim. Here are three quick “gut check” guidelines to spot a phishing email.

How to spot a phishing email:
  1. Check for any spelling, punctuation, or grammatical errors.
  2. Does the email ask for personal information or request a quick favor?
  3. Is the email unexpected? Does it ask you to do something out of the ordinary?

If you receive an email that fits any of the categories above or the email just doesn’t seem to add up, it is likely a phishing email. Once you have identified the email as phony, you should blacklist the sender and delete it immediately.

This last month I received an email from someone claiming to be the President of HIPAA One and requested that I purchase Amazon gift cards as a bonus for our employees. Even though the email looked like it came from Steven Marco, our President, the email address did not actually match his email. Additionally, there were multiple spelling, punctuation, and grammatical errors in the email. This email was easy to spot as a phony but I might not be so lucky next time. It is important to be aware of current phishing techniques and have a plan in case an email link is accidentally opened possibly compromising data.

In addition to being able to spot a phishing attack, below are four steps you can do to keep your personal information secured.

How to avoid an email phishing attack:
  1. Be suspicious of emails, messages, texts, etc. that urgently request a favor or asks to share personal information.
  2. Think before you click any link in an email. If possible, type the web address directly into your browser instead of clicking links directly from an email.
  3. Regularly update your computer, email, and applications to ensure the latest security patches are applied.
  4. Never share personal information online or through email. If you do need to submit personal data online, make sure the website always starts with “https”. Also, where possible, turn on multi-factor authentication to further secure your account information.
Further secure your office:

For small practices using Microsoft Office 365 and Teams, you can leverage the built-in security and compliance features to combat the constantly evolving cyber security attacks everyone faces in healthcare and beyond. You can read our latest whitepaper HIPAA Compliance for Microsoft Office 365 on what you can do to implement these security features to prevent against attacks.

Like the fish caught during ice-off season, it is my hope that the more phishing attacks you see coming your way, the better you will be able to identify them as fake and not take the bait. It can cost you and your employer a significant amount of money and it could cost you your job.

Am I A Business Associate Under HIPAA? Why Should I Care?

Am I A Business Associate

Back in 2013, when Edward Snowden was in Hong Kong revealing he leaked documents detailing mass-surveillance programs by the U.S. government, the Department of Health and Human Services (HHS) was creating the Final Omnibus Rule. This rule extended its regulatory reach beyond covered entities (e.g. healthcare providers, health plans, and clearinghouses) to business associates who would now need to comply with additional HIPAA rules.

If I’m a healthcare organization, I already answer questions about Business Associate Agreements (BAA’s) in my annual HIPAA Security Risk Analysis and I understand that if my Business Associate experiences a breach, I am responsible for notifying the individuals and HHS (along with my State in many cases). As a healthcare organization, I would also want to ensure my partners have a strong security posture which include controls and safeguards to prevent them from falling victim to HIPAA violations and fines where patient health information, financial, and reputational risk are all at stake.

If I’m a business associate, I want to demonstrate to my covered entity partner(s) that I take security and privacy seriously. I want to show that my organization can be trusted.

All it takes is one employee clicking on a phishing email, one unhappy “whistle blower” to trigger an audit, or one mistreatment of protected health information (PHI) and the Office of Civil Rights (OCR) is knocking on your door ready to do its job.

What is a Business Associate?

A business associate is defined as, “a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access to protected health information (PHI).” A business associate is also considered a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

Three items required of a Business Associate

  1. Perform and document a security risk assessment (45 CFR 164.308)
  2. Implement specified physical, administrative and technical safeguards to protect ePHI (45 CFR 164.300)
  3. Report security incidents and privacy breaches to the Covered Entity (45 CFR 164.314(a), 165.410, and 164.502(e))
What is a HIPAA Security Risk Analysis?

When the Security Rule was added to HIPAA, we learned it, “identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.”

Essentially, the HIPAA security risk analysis (SRA) is meant to identify potential risks and vulnerabilities to your organization. Once the risks are identified, using NIST standards, a plan can be put in place to properly prioritize the level of risk to your organization (Likelihood x Impact = Level of Risk). Then, it is time to remediate and complete your SRA.

How often do I need to do a Security Risk Analysis?

The U.S. Department of Health & Human Services (HHS) says the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Security Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Per HHS, the Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. However, nearly all covered entities and business associates may perform these processes at least annually depending on circumstances of their environment.

Can we get away without performing a Security Risk Analysis?

Just like there are motorists on the road without car insurance, I’m sure there are healthcare organizations and business associates conducting business without performing their SRA. These motorists hope they don’t get pulled over or get in an accident. Comparatively speaking, everyone hopes they don’t have an employee that mistakenly clicks the wrong link in an email and creates a breach related incident.

In Summary

If you are a business associate, you are required to comply with HIPAA rules like a covered entity before signing your BAA. This is done by completing a full HIPAA security risk analysis which should be updated at least every 3 years, or when significant changes happen to your computing environment. It is important to always implement policies and procedures that satisfy HIPAA compliance.

It’s good for your organization and those with whom you do business and can save millions in an audit.

HIPAA Compliance for Microsoft Office 365

Organizations in every industry are upgrading to Microsoft Office 365 to improve security. A common concern among healthcare professionals is that using Office 365 and Microsoft Teams exposes an organization to HIPAA violations. If Office 365 is implemented without the correct security configurations, that is likely true. However, Office 365 and Teams can easily be configured to support HIPAA security and privacy requirements. HIPAA One and Microsoft have collaborated on a groundbreaking whitepaper in an effort to outline HIPAA-compliant configurations as applicable in an over-arching security architecture.

A key component of HIPAA compliance is the demonstration of appropriate IT-related internal controls. These controls are designed to mitigate fraud and risk and create safeguards for legally protected health information (PHI) stored and transmitted in electronic form. In addition to internal controls, any user that accesses PHI is required to meet specific IT compliance standards.

With the proliferation of information security threats, the complexity of meeting HIPAA regulatory mandates, healthcare organizations need as many built-in compliance and security features as possible. Fortunately, the Microsoft Office 365 Information Protection Suite provides organizations integrated, turn-key security controls not previously available. Never before has it been easier to meet the technical and administrative safeguards required by today’s HIPAA Security mandates while also enabling modern cyber-security controls.

Previously, data loss prevention, security incident event management, data classification and encryption for data-at-rest were only achievable by leveraging expensive, off-the shelf vendors. Now, these tools are centrally built-in when using Microsoft’s Cloud services.

The HIPAA One and Microsoft whitepaper provides healthcare executives, management and administrative teams the necessary information to satisfy HIPAA compliance and cybersecurity diligence using Microsoft Office 365 and Microsoft Teams. By implementing the controls found in the whitepaper, healthcare organizations may significantly reduce the likelihood of breaches while working towards meeting US and Global regulatory standards such as HIPAA, GDPR, new consumer privacy laws and HITRUST Certification requirements.

To learn more, please read the full whitepaper, HIPAA Compliance: Microsoft Office 365 and Microsoft Teams.

HHS SRA Tool Version 3.0 – The Good, Bad and Ugly

Good Bad Ugly Blog Image

Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since its inception in 2011 as the HSR toolkit and reviewed V2.0 in early 2014. Each time a new version is released, HIPAA One gathers with a few trusted industry partners to review the changes and updates so that we may accurately counsel healthcare providers, payers and business associates on the pros and cons of utilizing this free, government-issued application.

Before diving into our review of V3.0, it is important to note that HHS in no way states that by using SRAT, healthcare providers are assured compliance with the Security Risk Analysis requirement under HIPAA. Per the Health IT.gov website: “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals as well as a guideline for certified auditors. Despite being a time-consuming process, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis. Healthcare professionals should merely be cautioned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.

The Good

In short, the newly updated Security Risk Assessment Tool (SRAT) has made improvements mainly related to the user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. One update, although mostly a file repository, is the bulk asset upload feature. This has been added along with a multi-location option for larger entities.

ONC/HHS Report Screen

Furthermore, organizations seeking assistance with Business Associate Agreement (BAA) management will find that HHS has added a BAA-type function. However, it is important to note that this does not actually produce a BAA agreement.

Having the ability to enter asset type and status at different stages of the ePHI systems is great but, without having the ability to track or assign these questions, an inexperienced user may not be able to identify where some of the gaps came from.

As users work through the tool, they will find that questions now map back to the HIPAA citations (similar to our software). There are also “tips” added throughout the tool. That being said, the most significant update is the production of a Final Report (arguably the most crucial component in completing a risk analysis.) Much like the rest of the tool, the newly created Final Report has a flag attached as the results of this report are fairly arbitrary with a large margin of error based on how the user responds to the risk calculation.

The Bad

Although SRAT it is a free tool (albeit funded by our taxpayer dollars) and updates have been made to create a better user experience, compared to other software solutions in the market place today, the tool still falls short. We frequently use the term “free like a puppy is free”. Aside from the tool being labor-intensive, mundane and error-prone; each measure results in multiple questions that need to be individually selected by one who knows how to estimate impact and likelihood year-over-year.

SRAT takes a single-user approach which means there is no way to collaborate on the assessment with others in the organization. This approach can result in the need for additional committee meetings to oversee remediation of identified risks. Also, because there is no option to delegate survey questions to employees in different roles, you may have someone in IT trying to answer HR related questions. Lastly, should users desire to go back to a previous section or revise an answer, navigation is difficult. Past sections are merely available through <BACK> and <NEXT>.

Being that SRAT does not save any historical data related to previous assessments, organizations who have completed risk assessments in past years are unable to import their old assessments and simply make updates reflective of the past year. Healthcare providers focused on creating a sustainable and long-lasting HIPAA compliant office, should seek out a tool that allows for year after year imports to decrease the amount of administrative work in completing a risk analysis each year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a certified auditor or compliance professional in training to ensure the assessment is completed accurately.

Some of the issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced Auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the generated gaps from the SRAT do not have a correlation or identify which HIPAA control requirement those policies need to be addressed.
  • No Remediation Planning or Guidance – One critical component to completing a risk analysis is addressing and remediating the deficiencies and findings after the fact. The remediating planning process gives providers a framework for next steps and continued compliance.
  • The Final Report – A component missing from the final report is an executive, high-level overview. Additionally, in the final report there is an inability to see if you have met partial requirements or if there is a policy that needs to be edited or changed. Lastly, there is no prescriptive recommendations for addressing any of the identified risks.
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In summary

2018 HIPAA SRAT v3.0 tool

Pros:

  • Bulk asset upload
  • Multiple location option
  • Basic Business Associate Agreement (BAA) utility
  • Questions map to HIPAA citation
  • Guidance through on screen “tips”
  • Simple Final report
  • User guide

 Cons:

  • No specified roles. One person is left to answer questions they may not be qualified to answer, from IT to HR.
  • No auto calculation of risk. Without a certified auditor, answering and assessing risk for each of the questions is arbitrary.
  • Does not provide an actual Business Associate Agreement (BAA).
  • Navigation is difficult. Past sections are only available through <BACK> <NEXT>.
  • Lots of clicks
  • No remediation planning or guidance
  • No review by an auditor to keep impartiality. No ongoing updates
  • No policies and procedures provided or review of the providers policies. Could be older than 3 years
  • No vulnerability scan for free linking back to software
  • Graphs near the end that are not updatable and have a questionable purpose
  • No importing assessments year after year
  • Use of the SRAT tool will not guarantee you will pass an audit

Bottom line, this solution would work for compliance-in-training individuals or those who have the time but no funding to run a stand-alone SRA solution.

If your workplace is considering using the SRAT tool for your 2018 risk analysis, we would encourage you to take a look at our industry-leading automated software before doing so. At HIPAA One our software scales seamlessly based on your role and size of the organization. And with tiered pricing accessible for even single-doc physician practices, HIPAA One is the only choice for a guarantee to pass an audit using a simple, automated and affordable approach to conducting the annual HIPAA assessment.

Cloud Email Phishing Attacks: A Practical Guide

Email Phishing Blog Image Ed

Attention CIOs, CISOs and IT Administrators!

A quick review of the HHS Breaches Over 500 list paints a pretty grim picture of the number of breaches affecting 500 or more individuals. Breaches have been steadily increasing and the culprit is clear: Hacking/IT incidents, namely email phishing attacks. Fraudsters and criminals are exploiting vast databases of compromised user credentials to make payroll. These accounts are publicly available for lookup. Anyone can access these credentials and they are available for as little as $45 for 1000 account/password pair.

According to a recent Proofpoint study, 72% of all cloud users have been targeted at least once for an attack and of those, 44% were successful. That’s right, almost 1-in-2 targeted attacks were successful. This number includes organizations using Multi-Factor Authentication (MFA).

Why are these attacks so successful?

Internet Message Access Protocol (IMAP) is a legacy email protocol which is turned-on by default when email is enabled for users and is not integrated with MFA. It was originally designed to give people a way to connect via electronic mail.

Unfortunately, IMAP is being used by Hackers to test email address and password combinations to see if they can login and bypass MFA. Once they are in, they can use that same login and password to connect via VPN and gain full access into the network allowing them to forge emails and download email attachments.


In today’s Office365, IMAP is turned on by default (for backward compatibility) and unless it is needed, it must be turned off in order for MFA to be effective.

Three Steps to control email phishing attacks and more effectively use MFA

First, turn off IMAP and POP3  in Office365

  1. Launch the Exchange Administrator Console
  2. Open User Mailbox
  3. In each User’s Mailbox, go to Mail Features, scroll-down, and disable IMAP and POP3

Second, turn on Multi-Factor Authentication

  1. Go to Multi-Factor Authentication Controls
  2. Use prompts, guides or just highlight users and turn on MFA for multiple users.

Third, set passwords to never expire and require a longer, easy-to-remember but hard-to guess passphrase. You could also encourage each user to install an encrypted password program i.e. Keepass to secure and store all passwords.

By implementing the above changes, it will help comply with HIPAA Security §164.308(a)(3)(i) (Implement P&P to ensure appropriate ePHI access) and §164.312(a)(2)(i) (Assign unique IDs to support tracking) while blocking hackers from bypassing MFA. Take steps today to turn off your IMAP and POP3 and capitalize on your Office 365 and Exchange investments.

Like our blog? You can watch our webinar for an in depth look at controls you can implent today to avoid an email phishing attack: “Confessions from a HIPAA Auditor: Breaches Surge Due to Email Phishing”  

“In this webinar session, we discuss the most common data breached we see happening in the industry, namely email hacking. We explore the anatomy of an email phishing breach and how to leverage the HIPAA Security Risk Analysis to cover this threat. We also highlight three practical steps you can take to prepare for a data breach and avoid being the next target.”

State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits with either the federal government or other large accounting firms such as Figliozzi & Company. All too often, providers assume that due to their size, they can fly under the radar. After all, why would OCR audit a single physician practice?!? Unfortunately, as one of our clients recently learned, it is not just the federal government that is checking on gaps in compliance or incentive program participation, state departments are getting in on the action too.

Earlier in the summer, one of our clients reached out as that they had received a letter from Connecticut’s Department of Social Services. The letter explained that due to ongoing program monitoring efforts, Connecticut’s Department of Social Services would be conducting a review of Connecticut Medicaid Electronic Health Record (EHR) Incentive Program payments made to participating providers. Per the notice, federal regulations governing the Medicaid EHR Incentive Program requires States to conduct post-payment reviews. Much to the shock of our client, they were informed they had been selected for a Program Year 2014 desk review and they had just five business days to submit the requested documentation in a PHI secure manner.

Naturally, receiving such a letter would invoke a certain amount of panic in anyone, especially when considering the Program Year in question was FOUR years ago. As you can imagine, a trail of fears and concerns ran through their minds: “Did we conduct a risk analysis that year?” “What if we are unable to produce all the documentation required for this audit?” “How do we best respond?” To protect our client’s privacy, we will not share the results of the audit, however, all providers should heed this cautionary tale if they have ever participated in past or current government incentive programs.

So, what’s the takeaway from this story? Regardless of whether you performed risk analyses every year for the past six years (per HIPAA Citation 45 CFR 164.316(b)(2)(i)) or not, it is never too late to get your house in order. Auditing bodies respond much better to providers who have performed a risk analysis at least once rather than never.  The majority of settlements and fines site either failure to have completed a risk analysis OR failure to take action on high-risk findings.

At HIPAA One, we are deeply experienced at responding to a vast array of industry audits and resolutions (now we can add State Department audits to that long list!) and frequently step in to hold our clients’ hands through the experience. One of the benefits of being a HIPAA One client is the assurance that we will stand by any HIPAA risk analysis performed using our software so your organization is not shouldering that burden alone. Contact Us today to learn more.

Healthcare Continues to Dominate Breach Related Costs

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals, no other personal information yields a higher value than compromised patient records.

Across the country, healthcare organizations have a Goliath size security problem. For an eight-straight year, healthcare has the highest breach-related costs of any industry at $408 per lost or stolen record, nearly three times the cross-industry average of $148. Without a commitment to cyber-security, healthcare entities and their valuable databases containing vast amounts of electronic patient health information (ePHI) are sitting ducks for hackers.

We all know that data breaches can cost organizations millions in lost business, reputation management, recovery remediation and year over year that number is exponentially rising. In 2018, the average cost of a data breach globally is roughly $3.86 million, up 10% from 2014. The Ponemon study, 2018 Cost of a Data Breach, is an extensive compilation of data based on interviews with 500 organizations that experienced data breaches.

Along with providing staggering breach stats, the study also referenced a new category of breaches, mega data breaches which refers to the theft or exposure of more than 1 million records. The number of mega data breaches has more than doubled in the past five years from 9 in 2013 to 16 in 2017. As you can imagine, these mega breaches are both extremely costly to resolve and can take up a year to detect and contain. The average cost of a mega data breach involving a “modest” 1 million records is hovering around $40 million.

So, What’s a Provider To Do?!

The findings from this year’s breach report beg the question, how can healthcare providers across the board strengthen their individual security programs and better protect ePHI? For starters, conduct a bona fide HIPAA Security Risk Analysis (SRA.) If your organization has not completed an SRA in the past calendar year, your data is vulnerable, plain and simple. An SRA does more than just help your office collect the largest amount of MIPS/MACRA reimbursement dollars, by identifying gaps in your organization’s compliance and security settings, the SRA is an invaluable tool in securing the safety of your ePHI. There are many SRA tools out in the marketplace today ranging from free spreadsheet templates to expensive consultants, at HIPAA One, we recommend utilizing our simple, automated and affordable software.

Upon completion of your SRA, there are two additional best-practices that can greatly decease the chance of an ePHI breach due to theft, loss, improper disposal and hacking incidents. Stick with us, we’re going to get a little bit “techy” in this next section and take a deeper dive into data classification and encryption:

STEP 1 –  DATA CLASSIFICATION

Despite the fact that all data does not have PHI identifiers, (e.g. name, address, any other numerical or identifying information) it is paramount to identify where the data is located within your organization.  This effort will involve working directly with the architects and programmers of your data system.

A good place for your programmers to start is by reviewing any and all data mapping and data flow diagrams. To gain further insight into what’s already been completed in this area, a thorough review of existing data cryptography or sequence database schema will be conducted. Following data cyptography, a sensitive data analysis is performed – if using external consultants to augment IT staff, there should be no hands-on access needed as long as the data flow diagram and data mapping is available. It is also important to note that these mappings can also be performed through remote workshops.

The work flow outlined above will result in a data inventory (e.g. email, name, home address and system data such as session ID’s, IP addresses, etc.).  Side note, an analysis at this point should identify any EU-citizens needed for the new GDPR mandates. Any application mapping exercise should augment the data classification by determining why a user or application would need to see information that may or may not be required for the intended purpose.  Sometimes applications will bypass database encryption and give a user excessive access to ePHI that is not necessary, opening the chances for unauthorized-access breaches.

STEP 2 – ENCRYPTION AS REC’S FOR ACTING ON SRA FINDINGS

Disclaimer: We understand that turning on global encryption to databases can be unacceptable – and we do not recommend doing this.

As a best practice, only encrypt data inside specific tables and employ best-practices for key generation, management and entry. For example, at deployment, a password is used for decryption of the master encryption key. The master encryption key is provided on a one-time  basis by a singular person (or portions of the password shared between people) who knows the password.  The master password should also be stored in RAM strictly for performance and security purposes. From an electronic media standpoint (e.g. laptops, desktops, thumb drives, smartphones, tablets, etc.), encryption of the entire hard-drive or volume is recommended. Most SSD drives (high-speed hard drives) and computer hardware come equipped with processors to handle the overhead of encryption/decryption as needed on these devices.

Next Steps

We specialize in HIPAA Security Risk Analysis and data security projects.  If your organization has not yet completed an SRA for this calendar year, Contact Us to get started today.

 

Similar but Different: Gap Assessment vs Risk Analysis

If you’ve heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how to differentiate between them. So much so that we addressed the topic on a recent webinar with our trusted partners and advisers, Crowe Horwath. Click here for a link to the recorded version. In this post, we’ll define the key characteristics of a gap assessment and risk analysis and debunk a few myths along the way.

High-level overview slide from our webinar with Crowe Horwath 

As the more well known of the two, a HIPAA security risk analysis is a comprehensive assessment of all risks to ePHI (Electronic Protected Health Information) as required by HIPAA for healthcare providers and their business associates. By calculating risk based on threat, vulnerability, likelihood and impact, providers can gauge their compliance with HIPAA’s required administrative, physician and technical safeguards. A risk analysis assesses how ePHI is created, received, maintained and stored within an organization. Every bona fide HIPAA risk analysis will produce a remediation plan which creates a road map for “fixing” any security vulnerabilities as found by the risk analysis. For additional information and guidance on HIPAA risk analyses, visit The U.S. Department of Health & Human Services Office for Civil Rights (OCR) website.

Risk Analysis Pro

A gap assessment (also commonly called a HIPAA Compliance Program Review or Audit) is a method of assessing the differences in performance between an organization’s information systems or software applications to determine if there are any existing vulnerabilities in their network security settings. This high-level review of an organization’s controls can be completed using various controls and frameworks based on the target objectives of the gap assessment. Essentially a gap assessment compares what safeguards an organization has in place vs the reality of how well those safeguards are working.

Question within the HIPAA One software regarding Gap Assessment and the HIPAA OCR Audit Protocol

HIPAA Gap Assessment IN HIPAA One

While a gap assessment is without question an effective tool at locating vulnerabilities, OCR clearly states that that a gap assessment is never a substitute for a bona fide risk analysis as required by the HIPAA Security Rule. Think of a gap assessment as an introduction, not a replacement to a risk analysis. When facing the decision of whether your workplace should focus on a risk analysis or gap assessment, our recommendation is always to comply with HIPAA first and tackle your HIPAA risk analysis. Then, once your risk analysis has been completed and remediation has begun, HIPAA One presents the gap assessment in the final report (below). Bottom line, never put your organization at risk by not complying with HIPAA or completing a risk analysis.

At HIPAA One, we offer industry-leading, automated HIPAA risk analysis software and professional services to help your organization “check the box” on this mandatory requirement and be audit-ready. Click here to learn more and speak with a member of the team to hear about new software feature, Automated Templates which measure compliance controls at a corporate level then validating and updated by the field office staff.

GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft.

On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR regulation has been characterized as the most sweeping and impactful change to privacy and data protection regulations in history. GDPR goes into effect on May 25, 2018 with broad reaching implications for EU-based organizations and multinationals around the globe. It is critical to note that GDPR imposes new rules on organizations that offer goods and services to people in the EU or those that collect and analyze data tied to EU residents, no matter where they are located.  This means that US based healthcare covered entities and organizations defined as controllers or processors of an EU citizen’s or resident’s healthcare data will be directly affected by GDPR and must be prepared to meet these regulatory requirements.

The General Data Protection Regulation (GDPR) sets a new bar for privacy rights, security, and compliance, which will be enforced through heavy penalties. Microsoft has made the commitment that all its online services will be GDPR compliant and backed by contract, providing assurance that any of their personal info is protected and in compliance. With Privacy-by-design as a core guiding principle, Microsoft provides a comprehensive set of software services to enable customers to meet their GDPR requirements.  Microsoft recognizes that end-to-end compliance is required and must be implemented as a holistic process across the organization including (and beginning with) the protection of endpoints. Windows 10 enables organizations to begin their GDPR compliance journey.

GDPR Focus: Data Protection and Security – Not Technology

Like the HIPAA regulations, GDPR makes no direct reference to technical or technology requisites. However, GDPR does require organizations to build a holistic & structured approach to data protection and overall security.

More specifically, GDPR states the following:

(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary,

(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller,

(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Microsoft GDPR Readiness and Assessment Tool

Microsoft Windows 10 enables an organization’s GDPR security and privacy requirements with its cloud-enabled security stack that includes device protection, identity protection & management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Edition, Microsoft includes the Windows Information Protection (WIP) component that provides integrated protection against accidental data leaks.

With WIP Windows 10 can:

  • Protect data at rest locally and on removable storage
  • Enable corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
  • Provide a common experience across all Windows 10 devices and prevent unauthorized apps from accessing business data and users from leaking data with copy and paste protection
  • Enable seamless integration into the Microsoft cloud platform
Additional Resources