Search Results for: Security Management Process

Why You Need A Current HIPAA Risk Analysis

Conducting a HIPAA risk analysis is the first step in identifying the risks in your organization. The Department of Health and Human Services (HHS) requires healthcare organizations and their third-party vendors that create, receive, maintain, or transmit electronic protected health information (ePHI) to identify the risks and vulnerabilities that affect that ePHI. Once the risks have been identified, it is imperative to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Failure to implement appropriate security measures leaves your organization vulnerable, and that is not a good place to be.

Video: https://youtu.be/QWRn2r5R7ts

HIPAA Risk Analysis Audit Results

In December 2020, the HHS Office for Civil Rights (OCR) released its 2016 – 2017 HIPAA Audit Industry Report. The audit included 150 healthcare organizations (55% were providers) and 41 third-party vendors (14% were billing and claims). The results for the healthcare organizations and third-party vendors audited were:

• Security Risk Analysis – OCR found that fewer than 20% fulfilled their regulatory responsibility to safeguard ePHI through risk analysis activities.
• Risk Management Standards – OCR found that because both healthcare providers and their third-party vendors failed to conduct appropriate risk analyses, they were unable to connect their security plans to the management of identified risks. An overwhelming percentage of healthcare providers (94%) and third-party vendors (88%) failed to implement appropriate risk management activities.

Clues Found in the Audit Report

OCR found that both providers and third-party vendors failed to implement effective risk analysis and risk management activities to safeguard ePHI. These findings are likely to draw closer scrutiny from investigators during breach and individual complaint investigations.

Providers and third-party vendors should consider the following takeaways from OCR’s audit findings:

• Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI – Providers and their third-party vendors are responsible for maintaining an appropriate and current risk analysis, consistent with their policies and procedures and updated for changes in their environment, operations, or security incidents.
• Implement appropriate risk management strategies – Providers and their third-party vendors must use their security risk analysis findings to inform their security plans and link those plans to the management of identified risks.

Why Does It Matter?

Your HIPAA Risk Analysis helps you measure the impact of the threats and vulnerabilities that pose a risk to the PHI in your organization. There is no single method or “best practice” that guarantees compliance; however, most HIPAA Risk Analysis and risk management processes have these steps in common. Your HIPAA Risk Analysis should include, but is not limited to, the following activities:

• Evaluate the likelihood and impact of potential risks to your ePHI.
• Implement appropriate security measures to address the risks identified in your HIPAA Risk Analysis.
• Document the chosen security measures and, where required, the rationale for adopting those measures.
• Maintain continuous, reasonable, and appropriate security protections.

The results of your HIPAA Risk Analysis will be used to determine reasonable and appropriate security measures for your organization. Remember: ANY change to the hardware, software, and/or medical devices used to create, receive, maintain, or transmit your organization’s PHI requires an update to the HIPAA Risk Analysis.

HIPAA Workstation Use

In this week’s “Know The Rules!,” I am diving into the second standard of the Physical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Workstation Use, 45 CFR § 164.310(b). Physical security is an important component of the HIPAA Security Rule that is often overlooked. What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.

A workstation is defined in the Rule as: “an electronic computing device, for example, a laptop or desktop computer, or any other device (including mobile) that performs similar functions, and electronic media stored in its immediate environment.” The Workstation Use standard requires that Covered Entities (CEs) and Business Associates (BAs) specify the proper functions to be performed by electronic computing devices. Inappropriate use of workstations exposes CEs and BAs to risks such as virus attacks, malware, compromise of information systems, and possible breaches of confidentiality.

This standard has no corresponding implementation specifications; however, compliance with the standard itself is required (R). For this standard, CEs and BAs must: “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information (ePHI).”

Many CEs and BAs may already have policies and procedures that address appropriate business use of workstations. In that case, it may be possible to update your existing documentation to address security issues. CEs and BAs must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are known and analyzed for possible negative impacts.

The Workstation Use standard also applies to CEs and BAs with workforce members who work off-site using workstations that can access ePHI. This includes workforce members who work from home, in satellite offices, or in another facility, and don’t forget about your temporary and volunteer workforce members either. Your workstation policies and procedures must specify the proper functions to be performed, regardless of where the workstation is located.

NOTE: The Workstation Use and Workstation Security standards have no implementation specifications, but like all standards they must be implemented.

Some common practices that may already be in place include logging off or locking the workstation before leaving it for an extended period of time, as well as using and continually updating antivirus software.

Sample questions for CEs and BAs to consider:

• Are policies and procedures developed and implemented that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of specific workstations or classes of workstation that can access ePHI?
• Do your policies and procedures identify which workstations access ePHI and which do not?
• Do your policies and procedures specify where (and how) to place and position workstations so that only authorized individuals can view them?
• Do your policies and procedures specify additional security measures to protect workstations with ePHI, such as privacy screens, password-protected screen savers, and locking or logging off the workstation?
• Do your policies and procedures address workstation use for users who access ePHI from remote locations (e.g., satellite offices or telecommuters)?

NOTE: At a minimum, all safeguards required for office workstations must also be applied to workstations located off-site.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” newsletter today.

How To Identify Your HIPAA Risk Analysis Scope

The HIPAA Security Rule adopts national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a Covered Entity (CE) or Business Associate (BA). As a CE or BA, you are required to have in place reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the ePHI you are entrusted with.

• Confidentiality: ePHI is not made available or disclosed to unauthorized persons.
• Integrity: ePHI is not altered or destroyed in an unauthorized manner.
• Availability: ePHI is accessible and usable on demand by authorized persons.

CEs, BAs, and their subcontractors of ALL sizes and complexities MUST conduct and document a comprehensive, enterprise-wide risk analysis of the computer and other information systems used to create, receive, maintain, or transmit ePHI, identify potential risks, and respond accordingly; see 45 CFR § 164.308(a)(1). Yes, this means you too, solo practitioner and solo BA!

Some of you may be solo practitioners in single-physician offices. Others work in clinics, and others in large healthcare organizations or even hospitals; the rule will operate differently in each of these environments. For that reason, the rule does NOT prescribe ANY particular technology, technique, or practice for performing the required risk analysis. The HIPAA Security Rule is designed to be scalable and flexible. What the heck does that mean? There are many ways of performing a risk analysis, and compliance is different for each organization; no single strategy will serve every CE or BA. There are, however, certain key elements of the risk analysis process, and the first is to identify your HIPAA Security Risk Analysis scope.

Determining the scope of your risk analysis should be the very first thing completed; otherwise, how will you know which elements are complete and which have yet to be done? Scope involves getting the information required to start a project and the features the project would need to meet its stakeholders’ requirements.* Your HIPAA Security Risk Analysis should encompass the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI your organization creates, receives, maintains, or transmits. This includes ePHI on all kinds of electronic media, not just PCs and servers (mobile devices and medical devices included). In simple terms, this means performing a risk analysis that includes ALL devices which may contain ePHI, implementing reasonable and appropriate security measures, and documenting and maintaining policies, procedures, and other required documentation. Compliance is not a one-time goal but an ongoing process. Your risk analysis is part of that ongoing process and provides YOU with a detailed understanding of the potential risks to the confidentiality, integrity, and availability of your patients’ information.

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

* Source: https://en.wikipedia.org/wiki/Scope_(project_management)

Ransomware: What is it & What to do about it?

What is ransomware?

Ransomware is a type of malicious software (malware) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom (usually in a cryptocurrency such as Bitcoin) in order to receive a decryption key.

How do you detect whether your computer systems are infected?

Unless the ransomware is detected and its propagation halted by your malicious software protection or other security measures, you would typically learn of its presence only after it has encrypted the user’s data and announced itself to demand payment. HIPAA requires that the workforce members of Covered Entities (CEs) and Business Associates (BAs) receive suitable security training, including how to detect and report instances of malicious software. Indicators of an attack could include:

• A user’s realization that a link they clicked, a file attachment they opened, or a website they visited may have been malicious
• An increase in a computer’s CPU and disk activity for no apparent reason (for example, ransomware searching for, encrypting, and removing data files)
• An inability to access certain files as the ransomware encrypts, deletes, renames, and/or relocates data
• Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (most likely detected by an IT workforce member via an intrusion detection or similar solution)

If you believe you are under a ransomware attack, you should immediately activate your security incident response plan. Ensure your plan includes measures to isolate the infected computer systems in order to halt further propagation of the attack.
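The host-side indicators above (files being renamed and rewritten faster than any person works, and unreadable content where documents used to be) can be turned into simple detection logic. The Python script below is an added example, not code from the original post or from HIPAA alli; the event format, process names, file paths, thresholds and the sample event stream are all constructed for illustration. It watches for three signs: a burst of extension-changing renames by one process, writes of near-random (high-entropy) data in place of documents, and any touch of a planted decoy (“canary”) file that no legitimate user or program should ever open.

```python
import math
import os
from collections import defaultdict, deque

# Assumed thresholds chosen for this example; tune them per environment.
WINDOW_SECONDS = 10.0      # sliding window per process for counting renames
RENAME_BURST = 5           # extension-changing renames in the window before alerting
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext is close to 8.0, English text ~4-5
CANARY_PATHS = {"C:/share/.canary/do-not-touch.docx"}  # hypothetical planted decoy file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted and compressed data score near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(src: str, dst: str) -> bool:
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def detect(events):
    """Scan file-system events and return (time, process, kind, detail) alerts.

    Each event is a dict: t (seconds), proc, op ("write" or "rename"), path,
    plus data (bytes) for writes or dst (new path) for renames.
    """
    alerts = []
    renames = defaultdict(deque)   # proc -> timestamps of extension-changing renames
    burst_reported = set()         # processes already reported for a rename burst
    for ev in sorted(events, key=lambda e: e["t"]):
        t, proc = ev["t"], ev["proc"]
        # 1. Canary: nothing legitimate ever touches the decoy file.
        if ev["path"] in CANARY_PATHS or ev.get("dst") in CANARY_PATHS:
            alerts.append((t, proc, "canary", f"canary file touched: {ev['path']}"))
        if ev["op"] == "rename":
            # 2. Burst of renames that change the extension (e.g. .docx -> .docx.locked).
            if extension_changed(ev["path"], ev["dst"]):
                q = renames[proc]
                q.append(t)
                while t - q[0] > WINDOW_SECONDS:      # drop timestamps outside the window
                    q.popleft()
                if len(q) >= RENAME_BURST and proc not in burst_reported:
                    burst_reported.add(proc)
                    alerts.append((t, proc, "rename-burst",
                                   f"{len(q)} extension changes within {WINDOW_SECONDS:.0f}s"))
        elif ev["op"] == "write":
            # 3. High-entropy content replacing what should be a document.
            h = shannon_entropy(ev["data"])
            if h >= ENTROPY_THRESHOLD:
                alerts.append((t, proc, "high-entropy-write", f"{ev['path']} entropy={h:.2f}"))
    return alerts


# Constructed sample events (not real telemetry). TEXT stands in for a normal
# document write; CIPHERTEXT_LIKE is a uniform byte distribution standing in for
# encrypted output (entropy exactly 8.0 bits/byte).
TEXT = b"Patient note: follow-up in 2 weeks. " * 4
CIPHERTEXT_LIKE = bytes(range(256)) * 4

SAMPLE_EVENTS = [
    {"t": 0.0, "proc": "winword.exe", "op": "write", "path": "C:/share/notes.docx", "data": TEXT},
    {"t": 1.0, "proc": "explorer.exe", "op": "rename", "path": "C:/share/old.txt", "dst": "C:/share/archive.txt"},
    {"t": 2.0, "proc": "explorer.exe", "op": "rename", "path": "C:/share/draft.tmp", "dst": "C:/share/draft.docx"},
] + [
    {"t": 30.0 + 0.5 * i, "proc": "enc.exe", "op": "rename",
     "path": f"C:/share/pt{i}.docx", "dst": f"C:/share/pt{i}.docx.locked"}
    for i in range(6)
] + [
    {"t": 33.0, "proc": "enc.exe", "op": "write", "path": "C:/share/pt0.docx.locked", "data": CIPHERTEXT_LIKE},
    {"t": 34.0, "proc": "enc.exe", "op": "rename", "path": "C:/share/.canary/do-not-touch.docx",
     "dst": "C:/share/.canary/do-not-touch.docx.locked"},
]

if __name__ == "__main__":
    for t, proc, kind, detail in detect(SAMPLE_EVENTS):
        print(f"t={t:5.1f}s {proc:<12} {kind:<20} {detail}")
```

Run stand-alone, it reports three alerts for the constructed `enc.exe` activity and none for the ordinary Word and Explorer events. In a real deployment the events would come from an EDR agent, Sysmon or auditd rather than a list, and the first alert should feed the isolation step of the incident response plan described above. The canary check is the cheapest and least noisy of the three and is worth planting on every file share that holds ePHI.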
Additionally, if you are infected with ransomware, it is recommended that you contact your local FBI or United States Secret Service field office. These agencies work with federal, state, local, and international partners to pursue cyber criminals globally and assist victims of cyber crime.

What to do if your computer systems are infected?

The presence of ransomware (or any malware) on a CE’s or BA’s computer system is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system; see the definition of security incident at 45 CFR § 164.304. Once ransomware is detected, the CE or BA must initiate its security incident response and reporting procedures; see 45 CFR § 164.308(a)(6). CEs and BAs are required to develop and implement security incident procedures and response and reporting processes that they believe are reasonable and appropriate to respond to malware and other security incidents, including ransomware attacks.

An entity’s security incident response activities should begin with an initial analysis to:

• Determine the scope of the incident: which networks, systems, or applications are affected
• Determine the origin of the incident (who/what/where/when)
• Determine whether the incident is finished, is ongoing, or has propagated additional incidents throughout the environment
• Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited)

These initial steps should help the entity prioritize subsequent incident response activities and serve as a foundation for a deeper analysis of the incident and its impact.

Subsequent security incident response activities should include steps to:

• Contain the impact and propagation of the ransomware
• Eradicate the instances of ransomware and mitigate or remediate the vulnerabilities that permitted the attack and its propagation
• Recover from the attack by restoring data lost during the attack and returning to “business as usual” operations

Part of the deeper analysis should involve assessing whether there was a breach of Protected Health Information (PHI) as a result of the security incident. The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule, and a breach, depending on the facts and circumstances of the attack. See the definition of disclosure at 45 CFR § 160.103 and the definition of breach at 45 CFR § 164.402.

Data Encryption

What is encryption?

Encryption is a method of converting an original message (plaintext) into encoded text (ciphertext) by means of an algorithm and a key. If information is encrypted, there is a low probability that anyone other than the receiving party, who holds the key or has access to another confidential process, would be able to decrypt the text and convert it back into plain, comprehensible text.

Is the use of encryption mandatory under the Security Rule? Answer: No.

The HIPAA Security Rule made the use of encryption an addressable implementation specification; see 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). Because the specification is addressable, it must be implemented if, after an enterprise-wide risk assessment, the entity determines that it is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of electronic protected health information (ePHI). If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the Covered Entity (CE) or Business Associate (BA) may choose not to implement the specification or any equivalent alternative measure, and must document the rationale for that decision.

You need to decide whether and how to use encryption. Put simply, encryption is a way of scrambling electronic information so that it is unreadable to anyone who does not have the authority, and the key, to read it.