Calling all healthcare organizations, providers, hospitals and business associates - are you ready for the HIPAA security audits coming in 2017?
The governing body that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Office for Civil Rights (OCR) will be conducting a small number of onsite and desk audits, and has contacted 167 healthcare providers and 48 business associates last year, according to HealthcareITNews.com.
Business associates include vendors that provide services to healthcare organizations, and may be held liable for a breach of healthcare patient data or security. A few examples of business associate services include legal, actuarial, consulting, accounting, data aggregation, financial, etc. Learn more about business associates.
The OCR will launch its full audit program to help assess HIPAA compliance efforts and discover new security risks in order to provide better guidance for healthcare organizations and business associates.The OCR is looking for policies and procedures related to the HIPAA Privacy, Security and Breach Notification rules. See specifics about each area, and what the OCR is looking for in its audit protocol.
Two major problem areas the OCR has seen in past audits are the implementation of risk analysis and risk management.
Risk Analysis for Healthcare
According to HHS.gov, the risk analysis process identifies threats and vulnerabilities to systems containing electronic protected health information (ePHI).
HHS.gov references the National Institute of Science and Technology (NIST) Special Publication (SP) 800-30 when it comes to guidance for different types of threats:
- Human: Incidents enabled or caused by humans. They can be unintentional (inadvertent data entry) or deliberate (malicious software, network-based attacks, unauthorized access, etc.).
- Natural: Disasters that may affect systems containing data or networks, including floods, earthquakes, electrical storms, etc.
- Environmental: Long-term power failure, pollution, chemicals, and liquid leakage.
Vulnerabilities may fall in the Human category, and are defined in NIST SP 800-30 as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
A risk analysis includes:
- Taking inventory of all systems and applications used to access and store data
- Classifying systems and apps by level of risk
- An assessment of current security measures
- The likelihood and potential impact of threat occurrence
- Anticipated consequences of lost or damaged data and corrupted data systems
This guide, HIPAA Security Series: Basics of Risk Analysis and Risk Management provides some more in-depth guidance for step-by-step example risk analyses and risk management plans that both healthcare organizations and their business associates can use to customize to their needs.
Risk Management for Healthcare
Risk management is the actual implementation of security measures to reduce an organization’s risk of losing or compromising its patient data, as well as to meet general security standards, according to the HHS.
According to NIST, the risk management framework includes:
- Categorizing information systems
- Selecting, implementing and assessing security controls
- Authorizing information systems
- Monitoring security controls
One way to protect against known system and software vulnerabilities is to keep your applications up to date, and select an endpoint security solution that detects out-of-date and risky devices logging into your systems containing patient data. This can ensure only trustworthy devices can access confidential information.
Old vulnerabilities are often leveraged by malicious hackers seeking to gain unauthorized access to your data and systems. By keeping your software and devices updated, you can ensure you have the latest security patches necessary to prevent successful attacks.
Another essential security control is related to access controls and authentication to systems containing patient data. Implementing two-factor authentication across your organization can ensure only trusted and legitimate users can access applications and patient data by verifying their identity via a second factor.
Strong access controls can help prevent breaches due to threats like phishing, which may have been the root cause of a 2015 data breach at Anthem, the second largest healthcare insurer in the U.S. Stolen employee credentials gave malicious hackers access to their database, affecting 80 million patients.