The increase in connected medical devices and the reportedly upcoming second round of OCR HIPAA audits are some of the top areas to watch next year in terms of healthcare data privacy and security, according to lawyers who specialize in the industry.
In the aftermath of several large-scale data breaches, it is also important for covered entities to ensure that they are properly adhering to the HIPAA Security Rule as it relates to a risk assessment, according to Brad Rostolsky, partner at Reed Smith.
“If you’re looking at your global security on a regular basis, and really using that as the tool that it was intended to be, you’re going to be in a better position to prevent things from happening,” Rostolsky told HealthITSecurity.com. “That being said, breaches happen. Even to entities that are very proactively compliant. Incorporating a strong breach response program to your compliance program, well in advance of something happening, is critical.”
Moreover, organizations need to “go beyond” simply having a policy. A comprehensive approach to data security will have insurance and all necessary business associate agreements in place. It is also important to make sure everyone is on the same page in terms of encryption, as well as all of the high-level and “in the weeds” technology protection that can be utilized.
Making smart HR decisions will also be essential to data breach prevention, especially in relation to insider breaches, Rostolsky maintained. For example, organizations should have strong policies and procedures with respect to tracking use and passwords. Additionally, if somebody is being let go from the company, make sure their access is turned off.
“I’ve seen a lot of hacking incidents in healthcare, more so now, and that’s concerning,” he said. “It’s going to be difficult to always get in front of that, but ultimately, if there’s a strong CIO or security officer, just ensuring you’ve got the right folks giving you the right advice in terms of your security protocols, is really important.”
Daniel Gottlieb, a partner at McDermott Will & Emery LLP, also underlined the importance of having an ongoing data security assessment and risk management program. It will also be beneficial to have a change management process that considers security before making changes to an organization’s IT environment.
“Breaches are a matter of ‘when’ and not ‘if’ so advance assessment and planning are essential,” Gottlieb cautioned. “Another important development is that foreign governments and sophisticated hackers are focused on the health care industry. For example, we understand that recent data breaches targeting large health plans were looking for personal information for espionage purposes and not only for financial identity theft schemes.”
Finding the right balance with connected medical devices
Gottlieb explained that connected medical devices raise significant concerns because they present both privacy and security issues as well as serious patient safety risks.
“In the most dire cases, a hacker could change a patient’s therapy by connecting to a medical device and changing how it functions either within a health care facility, at a patient’s home or any other location where the device is connected to the Internet,” he said.
However, security should not interfere with patient care or with the actual use of the devices and equipment.
“Instead, it is essential for developers and manufacturers to consider security during the device and equipment design process and for health care providers to consider security before implementing the devices in their IT environments,” Gottlieb stated. “If the devices and equipment go-live without a careful risk assessment, then the devices and equipment may have security vulnerabilities that make them susceptible to hackers and other threats to data security and patient safety.”
Rostolsky had similar misgivings, adding that with respect to HIPAA, it gets a little convoluted “because a lot of those devices, at least the way they’re being utilized now, are not connected so to speak, to a regulated entity.”
“By and large, this somewhat new phenomena is really just an example of technology pushing forward and the industry needing to ensure that a lot of the same considerations under HIPAA that have always been looked at are given proper attention,” he urged. “It may be that there will be situations that arise that no one could have anticipated in regulations. I suspect there will be some gray issues, and issues where if you look at the rules, you don’t have a clear answer.”
Key areas in BYOD implementation
Along with connected medical devices, BYOD strategies have also been on the rise in many healthcare organizations.
For BYOD programs, Gottlieb again underlined the importance of conducting a comprehensive security risk assessment before implementation. From there, a reasonable balance must be found between data protection and the information’s availability to authorized users.
“Once the organization has identified the appropriate controls, solutions that include business rules that automate security requirements are best because they minimize data loss from human error or noncompliance,” he explained.
Rostolsky added that it really comes down to whether a strategy fits the business model of the company. Furthermore, the organization and all employees need to be comfortable with how control of the strategy is exerted.
“I’ve seen some pretty strict requirements in terms of passwords, encryption, etc.,” Rostolsky said. “These days, the more control that an entity has over the PHI it’s got out there, the better.”
Looking ahead to OCR HIPAA audits
Rostolsky and Gottlieb agreed that 2016 will see an increase in enforcement activity from OCR, as well as from other federal regulators, when it comes to the next round of HIPAA audits.
According to Gottlieb, federal government agencies have data and intellectual property security high on their agendas.
“OCR has made numerous statements publicly and privately that it intends to increase enforcement activity as well as roll out the delayed phase two HIPAA audit program,” he stated.
Along with conducting a risk assessment, it is also important for covered entities to have a breach notification policy that meets the Breach Notification Standards and to have a compliant Notice of Privacy Practices.
“Unlike the audits of the past, the government has been pretty clear that they are going to utilize what they find in the audits to facilitate enforcement,” Rostolsky added. “Its audits now are less about purely helping people do better, and they’re also now about ‘Let’s find some problems and set an example.’”