HIPAA technical safeguards are an important part of any covered entity or business associate’s data security plan. However, that security measure by itself is not enough to ensure that a health data breach will never occur, according to Kate Borten, president and founder of The Marblehead Group.
In an interview with HealthITSecurity.com, Borten discussed how covered entities and their business associates need to take a more comprehensive approach to health data security, and why workers at all levels must understand the roles that they play.
Why all three HIPAA safeguard categories must work together
Healthcare organizations often tend to focus on technology when it comes to security, according to Borten. Typically, security is based in the IT department, and new gadgets and technologies take much of the attention. However, it’s important to “not let the tail wag the dog,” Borten said. Essentially, all three HIPAA safeguard categories are critical and need to be able to work together.
“Ideally, you should start with your policies,” Borten said. “It’s important to understand what’s going on in an organization and on a particular risk or risky area. For example, what is the organization’s stance on a risk? That’s reflected in a policy.”
From there, organizations need to figure out how to actually implement that policy and how to make it take effect across the organization. Healthcare entities need to determine the technical tools and supplemental controls needed to support their security policies. It can be difficult, Borten said, because it is very easy to get caught up in the excitement of new technology. In doing so, however, covered entities or their business associates could inadvertently overlook an extremely high risk in their organization.
“It’s about always making sure that the physical and technical controls are used to support, implement and carry out the policies that the organization has settled on that are very specific to each organization,” she said.
Borten gave an example of how all three safeguards need to work together. With more healthcare facilities looking toward mobile devices, organizations need to decide if workers can use their own devices.
“So they need to understand first and foremost, that there’s a set of risks associated with using personal devices,” Borten said. “Some might say there’s too much of a risk, and no matter what security measures we put around it, it’s not worth it. So they will have a policy saying workforce members are never allowed to use your own device for work and they instead will supply everything.”
However, that option might not be financially feasible for every organization. In that case, the organization will need to look at what kind of policy would work. Employees might be able to use their own devices, but there could be limitations. Entities will therefore need to write policies and provide training that outline restrictions, such as who can have access to the device, or a ban on use when traveling. Or perhaps the device needs additional security measures such as encryption or privacy filters.
Physical controls can also be implemented by explaining to workers that the device should be locked away safely when not in use, or that a privacy filter should be added to all mobile workstations.
“It’s all of those: physical, technical, and administrative controls have to be working,” Borten said. “They have to be considered and brought into play when you’re creating a holistic privacy and security program.”
The importance of workforce training
It’s up to the security, privacy, and compliance leaders to translate all regulations, terms, and expectations into specific security and privacy policies, and then to create the necessary training content that is meaningful to individual workers in their day-to-day roles, according to Borten.
“To me, workforce training is probably where you get the biggest bang for the buck,” she said. “It’s not usually very expensive, especially when compared to technology, yet it’s essential and it can help compensate for other areas where controls are weak. It can also raise awareness of issues such as visual privacy, and provide instructions for reducing the risk of visual privacy breach among workers wherever they are.”
Borten called back to her previous example of a provider letting workers use their own mobile devices, saying that an important administrative control is teaching workers the risks of using handheld devices both onsite and out in the world. Moreover, organizations need to tell workers, “We’re going to trust you to understand those risks and your responsibility in terms of protecting data,” Borten said.
“You can’t expect an organization’s employees to follow their own policies without training,” she added. “[Training] doesn’t mean handing people a copy of the policies once a year and then having them sign something saying, ‘Yes, I got the policies.’”
Breaking regulations and policies down into little stories, sound bites, lessons, or messages makes them easy to grasp and to learn, according to Borten. Then, organizations need to reinforce those policies with regular reminders. Borten recommends monthly reminders, but added that the HIPAA Security Rule does not specifically state how often those updates should occur.
“Organizations and the workforce should be really encouraging, and receptive to this,” she said. “A strong security awareness and training program is only a good thing.”
Overcoming common mistakes and misconceptions
Borten said that one of the more common oversights she has seen healthcare organizations make when it comes to health data security is not being fully aware of how PHI is accessed, used, and transferred in non-traditional ways. This is an increasingly common issue as individuals’ lives have become more mobile.
“Security officers need to consider a comprehensive approach to information security to make sure information is protected at its endpoints, as well as when the data is in use,” she said.
When individuals work offsite in particular, proper procedures need to be in place governing health data security and visual privacy, Borten added. Everything from locking up devices to ensuring that family members, or even wandering eyes in a coffee shop, cannot “shoulder surf” is critical to consider.
“Understanding those risks and what protections we can put in place to prevent private, confidential and sensitive data from being exposed to unauthorized viewers is important,” Borten explained.
What healthcare organizations can learn
It’s important for covered entities and business associates to remember that security risk assessments are not optional and are not one-time things. They must be done periodically, Borten said.
A common oversight she sees in those assessments in particular is that their scope is not sufficiently broad.
“I see some organizations strictly looking at the computer systems and their technical controls,” she explained. “These are really critical things. For example, what are my password standards? Is there an activity log? Is there an inactivity timeout and what is it set to? Those are all really important, and pretty much mandated by HIPAA, but there is so much more to security. There are physical controls, administrative policies and procedures, training, and additional processes.”
Whether it’s a risk assessment or a compliance audit, you have to make it comprehensive, according to Borten.
Another common pitfall is that organizations overly rely on security risk assessment checklists, she said. While HHS has said that checklists can be beneficial, they are not good enough by themselves.
“Maybe if you’re a two-doctor office with three people on staff, a checklist would be sufficient,” Borten stated. “But I think for any other organization, you have to do more than just go through a checklist to actually perform an adequate security risk assessment or compliance audit.”