Since 2010, the healthcare industry has seen a remarkable increase in the use of technology in the administration and delivery of healthcare. This has led to a mass migration of data from paper charts and isolated systems to Electronic Medical Records (EMRs) and interconnected systems, which in turn require ever-evolving privacy and security measures to safely transmit patient health and financial information across trusted and untrusted networks.
For an overview of the information contained herein access this recorded webinar and companion materials including a transcript and slides for reference.
Why Information Security Teamwork is Important for Health Centers
Resource Context
While the increase in the adoption of health IT across all service levels has been a boon for the healthcare industry in its ability to provide timely information to those who need it the most, this transition has introduced a great deal of risk to the confidentiality and integrity of the information. Coupled with the fact that the information can be quickly monetized by criminals through insurance fraud, extortion, and identity theft, the ecosystem is target-rich.
What this means for health centers is that they are storing and transmitting high-value information in a hostile environment, which adds up to high risk to the organization. The consequences of a breach include:
- Reputational
  - Breach notification laws require public notification of breaches
  - Reduced ability to provide care
  - Patients may withhold information if they cannot trust that it will be kept confidential
  - Records that have been breached may contain incomplete or inaccurate information
- Financial
  - Fines from the Office for Civil Rights (OCR)
  - Breach notification costs, administrative and legal
  - Remediation costs: technical remediation, staff retraining, Corrective Action Plans (CAPs)
  - Legal action from affected patients and third-party organizations
- Lost business
  - Loss of reputation may lead patients to seek care elsewhere
Audience
The strategies and tools in this Guide are targeted to all levels of health center staff, and health center partners that support Health IT Privacy & Security goals.
Everyone who actively participates in the guidance and day-to-day operations of a health center has a responsibility to:
- Increase their awareness of the primary healthcare security risk domains and of the responsibilities that staff have, depending on their role within the health center, for better information security.
- Improve their ability to recognize security risks within their own organization and better understand how to plan for and mitigate the information security risks identified.
Why Using this Guide is Important for Health Centers
Community Health Centers need to continually refine their health IT security and privacy strategy. Where a clear strategic direction is lacking at any level of health center services, the costs keep rising: penalties, staff time, patient safety, trust and satisfaction, and the overall perception of quality held by related healthcare institutions. Health Centers need to invest in and devise a concrete roadmap and a systems development and maintenance lifecycle that is transparent and supported by all levels of health center staff, including clinical staff, front and back office staff, privacy and security staff, and the board of directors.
Below are a few examples of key stakeholders and their respective health IT privacy and security responsibilities:
- All Clinical Staff: Even under emergency circumstances, be diligent in handling and managing PHI
- Front and Back-Office Staff: Protect the confidentiality, integrity, and availability of electronic PHI at all times
- Health Center Administration: Promote an organization-level commitment to upholding best practices in health information privacy & security management
- Health Center Board of Directors: While a board is generally not involved in the day-to-day operations of cybersecurity, it does have a responsibility to ensure that proper structures are in place and that the organization is taking appropriate steps to identify and address cybersecurity risks
Health IT Privacy & Security Key Factors
Compliance
The HIPAA Privacy and Security Rules provide a set of standards for the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Health Centers are required to demonstrate compliance with the HIPAA Privacy and Security Rules through the implementation of administrative, physical, and technical safeguards.
The HIPAA Security Rule is designed as a risk management framework: conduct a regular Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) and run a Risk Management process (45 CFR 164.308(a)(1)(ii)(B)) that implements reasonable and appropriate safeguards to reduce the identified risks.
The HITECH Act of 2009 builds on the HIPAA Privacy and Security Rules to include Breach Notification Requirements, increased patient access to their medical records, compliance of Business Associates, and stronger enforcement of compliance.
The Meaningful Use (MU) program (also enacted in the HITECH Act) included requirements to conduct an annual Security Risk Assessment as a prerequisite for collecting incentive moneys. While MU did not add any requirements that were not already a part of the HIPAA Security Rule, it did provide the incentive for many organizations to conduct regular Security Risk Assessment where they previously had not.
Security
While the HIPAA Security Rule does provide the foundation for information security, it is important for organizations to understand that being compliant does not necessarily equate to having good security. It is important for organizations to continuously evaluate their organization and their systems against industry standards and guidance to ensure appropriate security controls are in place. This can certainly be performed in conjunction with a HIPAA compliance program.
It is important for Health Center IT leadership to understand the key differences between security and compliance. As illustrated in the graphic below, compliance and security overlap only in part: compliance establishes some security baselines, but effective security encompasses a broader set of practices and controls than any compliance checklist requires.
Approach
The Security Risk Assessment approach outlined in the HIPAA Security Rule is designed to allow organizations to implement “reasonable and appropriate” safeguards. Said another way, the Rule does not prescribe what specific safeguards must be in place. This allows for flexibility based on the size of the organization, the technology in place, the number of medical records, and other organization-specific considerations.
An example of this flexibility can be seen in Disaster Recovery Planning. What is a reasonable disaster recovery plan for a large health system would be excessive for a small doctor's office, and an OCR auditor would have different expectations of the two.
While the framework of the HIPAA Security Rule provides flexibility, its non-prescriptive nature can make it difficult to understand how to comply with its requirements and to find concrete examples and expertise. Many organizations become concerned about identifying and documenting risks in their risk assessment because they worry it will be taken as an indicator of non-compliance. Between the lack of understanding of the requirements and the fear of documenting risks, many assessments end up being an enumeration of security controls or a simple checklist. Neither of these deliverables meets the expectations of a Security Risk Assessment, which is expected to identify the threats and vulnerabilities to ePHI, rate their likelihood and impact, and document the resulting risks and the decisions made about each of them.
When looking at what is a “reasonable and appropriate” safeguard, organizations can look at what other similar organizations are doing. If other similar organizations are encrypting their laptops, it would seem reasonable to expect your organization to do the same.
Finally, one can look at industry standards and guidance for information on what security controls are not only reasonable and appropriate, but also effective. Remember, the goal is effective security, not just checking the checkboxes for compliance.
Health Information Security Basics
An important place to start with protecting ePHI is with the basics. This is considered the “blocking and tackling” of information security, or those things that users, managers, and IT staff should be performing day-in and day-out to protect information.
Step 1: Identify ePHI
Many organizations only consider their EMR when considering the security of their ePHI. What one must consider is that EMRs do not reside in a bubble. ePHI is transmitted to and from EMR systems, communication with patients and other third parties often occurs outside the EMR, and data is generated and stored outside the EMR.
ePHI must be protected both at rest and in transit (i.e. as it is being transmitted both internally and externally). Consider the following typical areas where ePHI is stored or transmitted:
- Practice Management System
- Email
- Text Messages
- Other messaging systems
- Fax transmission and storage of faxes
- Billing Systems
- Patient Portals
- Phone conversations and voicemail
- Photocopiers and network printers
- Medical Devices
- Image storage
- Reports
- Backup Storage
If the people using ePHI on a day-to-day basis can learn to recognize when they are handling ePHI and where it is stored and/or transmitted, they can start to have the awareness of how it can be protected.
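The following is an added example, not part of the HITEQ guide: a small discovery scanner that flags likely ePHI in text exported from the kinds of systems listed above (a mail archive, a billing export, a report directory). The identifier patterns and the sample documents are constructed for illustration; the "MRN-" plus six digits format in particular is hypothetical and must be adapted to the local practice management system. Note that the report it produces masks the identifiers, since a list of full SSNs and MRNs would itself be ePHI.

```python
"""Added example (not from the HITEQ guide): locate likely ePHI outside the EMR.
Patterns and sample exports below are constructed; the MRN format is hypothetical."""
import re
from dataclasses import dataclass

# Constructed patterns. SSN excludes never-issued area/group/serial values;
# DOB only counts when labelled, so ordinary dates in a newsletter do not fire.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),  # hypothetical local MRN format
    "dob": re.compile(
        r"\bDOB\b[:\s]*((?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2})\b",
        re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    location: str   # which export, mailbox or report the hit came from
    line_no: int
    kind: str
    masked: str     # never copy the full identifier into a scan report


def mask(value):
    """Keep only the last four characters so the report itself is not ePHI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(location, text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(location, line_no, kind, mask(value)))
    return findings


def scan_sources(sources):
    """sources: {location: text}. Returns {location: [Finding, ...]}."""
    return {loc: scan_text(loc, text) for loc, text in sources.items()}


def locations_with_ephi(sources):
    """Locations holding at least one direct identifier (SSN or MRN); these
    belong on the organization's ePHI inventory."""
    return sorted(loc for loc, hits in scan_sources(sources).items()
                  if any(f.kind in ("ssn", "mrn") for f in hits))


# Constructed sample exports standing in for the places listed in Step 1.
SAMPLE_SOURCES = {
    "mail_export.txt": "From: billing@clinic.example\n"
                       "Patient MRN-482913 DOB: 03/14/1962 seen for follow-up\n",
    "billing.csv": "id,ssn,amount\n1,123-45-6789,250.00\n",
    "newsletter.txt": "Flu shots available 10/01/2023 at the front desk\n",
}

if __name__ == "__main__":
    for loc, hits in scan_sources(SAMPLE_SOURCES).items():
        print(loc, [(f.line_no, f.kind, f.masked) for f in hits])
    print("ePHI locations:", locations_with_ephi(SAMPLE_SOURCES))
```

Run it against exported mailboxes, shared drives and report folders; anything it flags is a location that needs to appear in the risk analysis and be covered by the controls in the following steps.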
Step 2: Protect ePHI
When EMR and other product vendors market their system as "HIPAA-compliant", many take that as assurance that the system is secure and give no further thought to protecting the information. Note that there is no HHS certification of products as HIPAA-compliant; the claim is the vendor's own.
Unfortunately, no matter how secure the system is, the risk of a breach increases once ePHI is used, exported, or shared. Examples of potential openings for a breach include:
- A user uses the same (or a slightly modified) password for their personal email account and their EMR account. That password is compromised, either because the email service is breached or because a family member knows or discovers the email password. The same password can now be used by a third party to log in to the EMR.
- A staff member exports a report from the EMR and attaches it to an email for a colleague, referring provider, or billing company. The message is sent from one public email system to another. The risks include:
  - The message may be intercepted while it is transmitted unencrypted over the Internet
  - A typo in the email address could deliver the message to an unintended recipient
  - Either party's email account could be compromised and the information exposed
- Information from an EMR system is exported to a USB drive to transfer it to another computer. The drive is lost, or reused by another staff member, and the information is exposed.
Step 3: System Protections
Most operating systems these days are capable of protecting information, however the out-of-the-box configuration is generally focused more on usability than security, so enabling security protections is something that must be performed deliberately.
Here are a few steps that can be taken to increase the security posture of modern workstations, laptops, and tablets:
- Password protection – Requiring authentication before a system can be used prevents casual unauthorized access to information and tampering with the system. The same credentials gate remote access (file shares, remote desktop), so even a workstation in a physically secure area must require every session, local or over the network, to be authenticated. The baseline for a strong password is:
  - At least 8 characters
  - A mixture of uppercase, lowercase, numbers, and symbols
  - Not based on a single dictionary word (passphrases are good)
  - Not reused across systems
  Current NIST guidance (SP 800-63B) favors longer passphrases, screening new passwords against breached-password lists, and multi-factor authentication over mandatory composition rules; if the password policy is being revised, those are the controls to add.
- Individual user accounts – If more than one person will use a system, create an account for each person. This lets you determine who used a system and when, and grant access to information on an as-needed basis. It is also what the HIPAA Security Rule's unique user identification specification (45 CFR 164.312(a)(2)(i)) requires; a shared "frontdesk" login cannot be audited.
- Encryption – Many systems have built-in full-disk encryption, but it is often not enabled by default. If an encrypted laptop or drive holding ePHI is lost or stolen, the data is not "unsecured PHI" and the loss is not a reportable breach (https://www.federalregister.gov/d/2013-01073), provided the encryption follows the HHS guidance (NIST-consistent algorithms) and the key was not compromised along with the device. Encryption of ePHI at rest and in transit is an addressable implementation specification of the HIPAA Security Rule (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)): an organization that chooses not to encrypt must document why encryption is not reasonable and appropriate for it and implement an equivalent alternative safeguard.
- End-Point Protection – Traditionally, end-point protection meant anti-virus software that detects malware by signature. While that is still an important protection, today's attacks are adept at evading signature-based detection. Modern end-point protection suites add:
  - Behavior-based heuristics for detecting malware
  - Built-in anti-spyware protection
  - A more intelligent host-based firewall
  - Intrusion detection and alerting
  - Application control and user management
  - Data input/output controls such as locking down USB ports and other removable storage
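The following is an added example, not part of the HITEQ guide: a check that evaluates a proposed EMR password against the rules listed under Step 3 (length, character classes, not a single dictionary word) and that detects reuse of a password, or a lightly modified variant of it, which the same user set on another system, the scenario described under Step 2. The word list, the salt and the "other system" password are constructed sample data; a real deployment would use a large dictionary/breach list and would never hold other systems' passwords in plaintext, only salted fingerprints of the kind computed here.

```python
"""Added example (not from the HITEQ guide): password rules plus reuse detection.
Word list, salt and the sample 'personal email' password are constructed."""
import hashlib
import re
import string

# Constructed mini word list standing in for a real dictionary/breach list.
DICTIONARY = {"password", "welcome", "summer", "hospital", "clinic", "letmein"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
SALT = b"constructed-example-salt"   # use a random per-user salt in practice


def normalize(pw):
    """Collapse the usual 'slight modifications': case, leading/trailing digits
    or symbols, and leet substitutions (Summer2023! -> summer, P@ssw0rd -> password)."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def fingerprint(pw, salt=SALT):
    """Slow salted hash of the normalized core, so a variant of a password used
    elsewhere can be recognised without storing that password."""
    return hashlib.pbkdf2_hmac("sha256", normalize(pw).encode(), salt, 50_000).hex()


def composition_problems(pw):
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):   # the guide lists all four classes
        problems.append("does not mix upper, lower, digits and symbols")
    if normalize(pw) in DICTIONARY:
        problems.append("based on a single dictionary word")
    return problems


def evaluate(pw, other_fingerprints):
    """other_fingerprints: {system_name: fingerprint} for the user's other accounts.
    Returns the list of policy problems; an empty list means the password is acceptable."""
    problems = composition_problems(pw)
    fp = fingerprint(pw)
    reused = sorted(name for name, other in other_fingerprints.items() if other == fp)
    if reused:
        problems.append("reuses a password (or a close variant) from: " + ", ".join(reused))
    return problems


# Constructed: the only thing retained about the user's personal mail password.
OTHER_SYSTEMS = {"personal_email": fingerprint("Summer2023!")}

if __name__ == "__main__":
    for candidate in ("Summer2024#", "P@ssw0rd", "Tr0ub4dor&3"):
        print(candidate, evaluate(candidate, OTHER_SYSTEMS) or "OK")
```

The normalization step is what makes the Step 2 scenario detectable: "Summer2024#" and "Summer2023!" reduce to the same core, so the EMR rejects the "new" password even though it differs character by character from the one used for personal email.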
Step 4: Continuous Maintenance
One of the toughest aspects of privacy and security management is the diligence required to maintain it. Security is not a one-time task; it requires ongoing maintenance, upgrades, training, and changes to workflow.
Below are a few examples of ongoing maintenance tasks that organization should be performing:
- Security Awareness Training – This is all about creating a culture motivated and dedicated to securing patient data. Workforce members require regular reminders regarding how to detect suspicious activity, handling of ePHI, and what to do in the event of a security incident. This is especially important as threats evolve and new threats appear.
- Patching – Many breaches occur because systems have security vulnerabilities for which fixes are available but have not been applied. Be diligent about operating system updates and about updating third-party software and components (browsers, PDF readers, Java runtimes, and the like), and track how long each fix has been available but not applied.
- Review Policies and Procedures – As technology and work processes change, policies and procedures should be reviewed and updated accordingly. The HIPAA Security Rule requires periodic review and updating of this documentation (45 CFR 164.316(b)(2)(iii)). Standard practice is to perform this task annually or as changes occur.
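The following is an added example, not part of the HITEQ guide, for the patching task above: it reconciles a software inventory against the versions in which known vulnerabilities were fixed and reports which hosts still need a patch and how long the fix has been available. The inventory, the fixed-version list, the product names and the dates are constructed sample data; in practice the inventory comes from the endpoint management tool and the fixed versions from vendor advisories. It also shows the version-comparison pitfall that makes naive scripts report "2.4.9" as newer than "2.4.10".

```python
"""Added example (not from the HITEQ guide): find hosts missing available patches.
Inventory, advisories and dates are constructed sample data."""
from datetime import date


def version_key(version):
    """Numeric tuple so that 2.4.10 sorts after 2.4.9. Plain string comparison
    gets this wrong and silently reports an unpatched host as patched.
    Assumes dotted numeric versions (no '8u301'-style suffixes)."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, advisories, as_of):
    """inventory: [(host, package, installed_version)]
    advisories: {package: (fixed_version, fix_release_date)}
    Returns [(host, package, installed, fixed, days_fix_available)], oldest first."""
    overdue = []
    for host, package, installed in inventory:
        if package not in advisories:
            continue
        fixed, released = advisories[package]
        if version_key(installed) < version_key(fixed):
            overdue.append((host, package, installed, fixed, (as_of - released).days))
    return sorted(overdue, key=lambda row: -row[4])


# Constructed sample data: two workstations, three products.
INVENTORY = [
    ("ws-frontdesk-01", "pdfreader", "2.4.9"),
    ("ws-frontdesk-01", "browser", "118.0.2"),
    ("ws-billing-03", "pdfreader", "2.4.10"),
    ("ws-billing-03", "jre", "8.0.301"),
]
ADVISORIES = {
    "pdfreader": ("2.4.10", date(2023, 9, 12)),
    "browser": ("118.0.2", date(2023, 10, 3)),
    "jre": ("8.0.381", date(2023, 7, 18)),
}
AS_OF = date(2023, 10, 31)

if __name__ == "__main__":
    for row in missing_patches(INVENTORY, ADVISORIES, AS_OF):
        print("%s: %s %s -> %s (fix available for %d days)" % row)
```

Feeding the output into the monthly security review gives a concrete, auditable answer to "are we patching?" rather than a checkbox, and the age column is what turns a list into a priority order.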
Industry Standards
While the HIPAA Security Rule does provide a framework for security risk management, it can be difficult to know what specific steps to take to implement “reasonable and appropriate” security controls. Ways of determining this may include looking at what other similar organizations are doing and adopting relevant industry standards.
One such effort that security administrators may wish to consider is The Center for Internet Security's (CIS) Critical Security Controls (CSC), the "Top 20" at the time this guide was written. This standard is internationally recognized and provides guidance that is flexible for organizations of all sizes and maturity levels. The guidance is specific and practical and can often be adopted without spending a lot of money.
Per the Australia Signals Directorate (ASD): “Incorporating the Top 4, the eight mitigation strategies with an 'essential' rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations.”
Critical Security Controls
While ASD recommends its Top 4, CIS indicates "Controls CSC 1 through CSC 5 are essential to success and should be considered among the very first things to be done." The numbering and names below are those of CIS Controls version 6; versions 7 and 8 renumbered and renamed the controls, so confirm the version before reusing a mapping. The top 5 controls are:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
These controls do map to requirements of the HIPAA Security Rule and can be used to assist organizations in finding specific technical measures that can help meet the requirements. A mapping of the Top 5 Controls provides an example:
| # | Control Family | HIPAA Security Rule provisions |
|---|---|---|
| 1 | Critical Security Control #1: Inventory of Authorized and Unauthorized Devices | 164.310(c) Workstation Security (R); 164.310(d)(2)(iii) Device and Media Controls: Accountability (A) |
| 2 | Critical Security Control #2: Inventory of Authorized and Unauthorized Software | 164.310(c) Workstation Security (R) |
| 3 | Critical Security Control #3: Secure Configurations for Hardware and Software | 164.310(c) Workstation Security (R) |
| 4 | Critical Security Control #4: Continuous Vulnerability Assessment and Remediation | 164.308(a)(8) Evaluation (R); 164.308(a)(6) Security Incident Procedures (R) |
| 5 | Critical Security Control #5: Controlled Use of Administrative Privileges | 164.310(b) Workstation Use (R); 164.310(c) Workstation Security (R); 164.312(a)(2)(i) Access Control: Unique User Identification (R); 164.312(b) Audit Controls (R); 164.312(d) Person or Entity Authentication (R) |

R = required standard or implementation specification; A = addressable implementation specification (must be implemented, or the decision not to documented with an equivalent alternative).
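The following is an added example, not part of the HITEQ guide, of Critical Security Control #1 in practice: reconciling the devices actually seen on the network against the authorized device inventory. Observed devices are read from dnsmasq-style DHCP lease lines (expiry epoch, MAC, IP, hostname, client-id); the lease lines, the authorized list, the hostnames and the asset tags are constructed sample data. The same reconciliation, fed from a DHCP server log or a switch MAC table, is the evidence an auditor expects for the accountability specification mapped above.

```python
"""Added example (not from the HITEQ guide): CSC 1 device inventory reconciliation.
Lease lines, authorized devices and asset tags are constructed sample data."""
from collections import namedtuple

Lease = namedtuple("Lease", "mac ip hostname")


def parse_leases(text):
    """Parse dnsmasq-style lease lines: '<expiry> <mac> <ip> <hostname> <client-id>'.
    MACs are lower-cased so inventory and lease spellings compare equal."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        leases.append(Lease(fields[1].lower(), fields[2], fields[3]))
    return leases


def reconcile(leases, authorized):
    """authorized: {mac: (asset_tag, expected_hostname)}.
    Returns (unknown devices on the network,
             authorized assets not seen, e.g. a laptop that may have left the building,
             known MACs whose hostname differs from the inventory, worth a closer look)."""
    seen = {l.mac: l for l in leases}
    unknown = sorted(l for mac, l in seen.items() if mac not in authorized)
    not_seen = sorted(tag for mac, (tag, _) in authorized.items() if mac not in seen)
    mismatched = sorted((tag, host, seen[mac].hostname)
                        for mac, (tag, host) in authorized.items()
                        if mac in seen and seen[mac].hostname != host)
    return unknown, not_seen, mismatched


# Constructed sample lease file and inventory (hypothetical asset tags).
SAMPLE_LEASES = """\
1700000000 AA:BB:CC:00:00:01 10.0.5.21 ws-frontdesk-01 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.5.22 personal-laptop 01:aa:bb:cc:00:00:02
1700000000 de:ad:be:ef:00:09 10.0.5.77 android-7f3c21 *
"""
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("HC-0412", "ws-frontdesk-01"),
    "aa:bb:cc:00:00:02": ("HC-0417", "ws-billing-03"),
    "aa:bb:cc:00:00:03": ("HC-0420", "lt-outreach-02"),
}

if __name__ == "__main__":
    unknown, not_seen, mismatched = reconcile(parse_leases(SAMPLE_LEASES), AUTHORIZED)
    print("unauthorized on network:", [(l.mac, l.ip, l.hostname) for l in unknown])
    print("authorized but not seen:", not_seen)
    print("hostname differs from inventory:", mismatched)
```

Each of the three lists maps to a follow-up: an unknown device is a candidate for network quarantine, an unseen asset is a candidate for the lost-or-stolen procedure (where the encryption status recorded in the inventory decides whether it is a reportable breach), and a hostname mismatch on a known MAC is a prompt to verify the device physically before trusting it.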
Acknowledgements
Origins and Ongoing Refinement of this Guide: The content in this resource is drawn from and builds on widely used Information and Security standards, tools and protocols that have continually increased in terms of required measures, especially over the past couple decades in which the Internet and the ever-growing Internet of Things have evolved and expanded. The HITEQ Center plans to continue refining this Guide based on input from users like you, so please consider sharing your feedback through the comment form.
This guide was developed in collaboration with Adam Kehler, CISSP, a Senior Consultant within the Healthcare Information Privacy and Security division of Online Business Systems. Adam specializes in assisting healthcare organizations in managing and meeting compliance requirements such as conducting security risk assessments, systems vulnerability assessments and regulations associated with HIPAA and Meaningful Use criteria. Adam is assisting the HITEQ project in building out resources and guidance to health centers on privacy and security best practices.