- Effectively monitoring and managing potential risk is a key area for any covered entity or business associate. No organization wants to lapse in staying HIPAA compliant, as the ramifications could be detrimental to patients and the business itself.
The proliferation of mobile devices, the increase in healthcare ransomware threats, and the most recent round of OCR HIPAA audits are all examples of why organizations need to be diligent in their risk analyses. Just one small lapse or oversight could lead to a data breach and lengthy – and expensive – recovery process.
Elizabeth Warren, a healthcare attorney at Bass, Berry & Sims told HealthITSecurity.com that the recent OCR guidance on ransomware is helpful, and clarifies how organizations should approach ransomware attacks in terms of HIPAA compliance and PHI exposure.
The ransomware that most people are accustomed to dealing with, or have been dealing with is the kind that comes in and then locks down data, Warren said. This is where the data stays in one location and a third party doesn't have a copy.
“In that situation, a lot of people had assumed it’s not a breach because no one has actually gotten ahold of the data,” she explained. “Organizations had though there has to be an impermissible access use or disclosure for there to possibly be a breach. That’s Step 1.”
However, OCR clarified that it views the act of third parties locking down the data, encrypting it, as an improper disclosure because someone has gotten control of the data. Even if the third party don't have a copy that they can use themselves, there is an impermissible use or disclosure access, she stated.
“Now, organizations have to move on to Step 2, which would be evaluating whether it is a breach or not,” said Warren. “Under the rules, there's a presumption that an incident like that is a breach. However, if you can demonstrate and overcome the presumption that there's a low risk of compromise, organizations could still conclude that it wasn't a breach, and they have to look at the four factors outlined in the Rule.”
The four factors relate to the type of PHI involved, did the recipient actually access it, what has the organization done to mitigate it, has the organization fixed it or not, and has the organization stopped the problem sufficiently so that the risk factor is low. Covered entities have to look through those and then evaluate whether they feel comfortable saying, "Okay, we don't have a breach."
It is also important to consider the nature of the data that’s involved, Warren added. That would be one key factor if perhaps someone used ransomware and turned the data loose. For example, if a database that does not contain PHI is locked down, or if an organization has a backup copy of information, then the impact to the organization or to patient care may not be as great.
“It's still possible to conclude it's not a breach, it's just harder to do than it was before we had the OCR guidance,” said Warren.
Staying HIPAA compliant with ransomware threats
Under the HIPAA Security Rule, there is an overall obligation for covered entities to have a good risk analysis, which includes going through all potential risks and knowing where their sensitive data is located, Warren explained.
One potential risk currently would be ransomware, she said. For example, what if an organization has malware that gets installed? There has always been a risk of malware, but now there are instances of healthcare organizations being attacked. Perhaps now it is being viewed as a higher risk than before.
“There is no way to 100 percent eliminate any risk,” Warren said. “There's always going be some – you have to access your data, there's always human beings involved – but it definitely would be a priority item to look through your systems and figure out where are the highest risks and what is being done to reduce that and manage it. From there you hope that you don't end up on the wrong side of an incident.”
Potential healthcare ransomware threats are making threats because of previous attacks and through the recent OCR guidance. That does put more pressure on the risk analysis, according to Warren. Organizations do not want to be caught flat-footed and need to ensure that there are thinking about these issues.
“For some entities, it can be helpful when OCR hands out that kind of guidance,” she stated. “And we're seeing more enforcement, which is scary, but also can be helpful if you're internally trying to get more resources and more focus on security issues to help demonstrate the need for it. It can also be helpful in showing why this expense should be a high priority, stay on the budget, and get addressed.”
OCR HIPAA audits also a lesson in monitoring risk
The second phase of the OCR HIPAA audits can also be an important lesson for healthcare organizations to ensure that they are properly monitoring their areas of potential risk. Anna Spencer, a partner at Sidley Austin LLP told HealthITSecurity.com in an email that findings from the Phase One audit program and OCR settlements suggest that many covered entities fail to conduct risk assessments.
Other common compliance issues involve identifying and reporting breaches, which is why breach reporting is one of OCR’s three major areas of focuses under the Phase Two audits.
“Even if they are not selected, regulated entities should familiarize themselves with the audit protocols which offer a great window into the types of documentation and activities OCR expects to see when it assesses compliance with HIPAA,” Spencer said.
“For example, in addition to policies and procedures and risk assessments, OCR has requested evidence in the form of screen shots, meeting minutes or otherwise that risk assessments, which are comprehensive reports on the risks to ePHI, and system vulnerabilities are circulated to management and personnel in IT whose job it is to ensure that appropriate actions are taken to reduce risks identified in the risk assessment to a reasonable level.”
Connected medical devices, BYOD policies affect risk management
The increase in connected medical devices and BYOD strategies can definitely complicate how covered entities need to approach their data security measures, Warren said.
“It obviously brings in a lot more variables versus you having everyone on the same exact equipment, where you know all the different things that can happen,” she stated. “It makes the life of the security professional much more complicated and then obviously elevates the human risk factor and all the possible threats that can happen if it's your own device and it's mobile.”
Organizations should consider how to implement realistic policies as well. For example, it can be said in theory that banning a certain type of device is the right approach. However, it’s not necessarily realistic.
Covered entities and their security teams need to find ways to keep daily operations running smoothly while still effectively managing potential risk.
Spencer agreed that having more connected devices presents multiple risks to ePHI.
“For example, there is the risk that any PHI saved to the device could be compromised if the device is lost or stolen,” she said. “There is the risk that malware could infect the device which could compromise the security of any EMR or other system to which the mobile device can connect. OCR expects that these and other risks are identified in the entity’s risk assessments and that risk management plans address how the entity has taken steps to reduce the risks (e.g., using remote wipe software to delete data if the device is lost or stolen).”
There are many ways covered entities may become the target of an OCR inquiry and these are the types of things all regulated entities should be doing to comply with HIPAA, Spencer maintained.
Organizations could be investigated for numerous reasons, including the OCR HIPAA audit program, as a result of a data breach, a complaint by a patient or a plan enrollee, or even because a news article raises concerns at the agency.
Maintaining awareness of potential risk areas to stay secure in 2016
There has definitely been an increase in OCR enforcement, Warren pointed out. The key takeaway from the majority of those cases is that they typically involve a lack of a strong risk analysis, or just having a risk analysis in the first place.
“There’s still a focus and a need to have a good risk analysis, determine how thorough it is, know if it picks up things like ransomware, all of the data locations, and if it is current or not,” she said. “That’s a continual process. Obviously, if you buy a new program, you will need to update the risk analysis and take that into account.”
Organizations have lots of things they're trying to accomplish, and it can be hard to stay on top of all those things, Warren added. However, making sure there is a solid and well thought out risk analysis is one of the most important things to be done.