The state of HIPAA security this year, plus tips to focus your efforts.
CISSP, HCISSP, QSA
What’s new in HIPAA in 2018?In general, organizations don’t seem to be keeping up with mounting vulnerabilities. Breaches have increased in frequency, and I anticipate that next year the number of breaches and penalties assessed in healthcare will continue to increase.
Hackers have wised up to the lack of compliance and the lack of security in the healthcare industry. They utilize gaps to attack healthcare organizations and hurt their systems. The FBI has reported an increase in discovered and reported attacks against all organizations, with 83% of ransomware attacks against healthcare.
We’ve all heard of ransomware, where hackers encrypt organizations’ systems and then demand large ransoms of bitcoin in exchange for the decryption of their data. As we look forward to more ransomware this year, we want to make sure to talk about how these types of breaches occur.
SecurityMetrics HIPAA Compliance ResearchWe surveyed HIPAA officials about their patient data and patient security. These officials were primarily from organizations with 0-500 employees. It’s important to remember that whether you’re a mom-and-pop practice or a large covered entity—big or small—hackers want your data. It’s not just the big targets that experience breaches.
According to our data, at least 20% of respondents report that their organizations do not encrypt stored protected health information (PHI). This fact, coupled with the prevalence of malware and hacking, presents a major threat to the healthcare industry and business associates.
If you’re thinking, “well we encrypt our data, so we’re protected,” the question is, are you encrypting ALL your data: flat files, spreadsheets stored locally or on network shares, USB thumb drives, and data being transmitted? Make sure any stored electronic PHI (ePHI) is protected using AES-256 (or other industry accepted/strong) encryption and any data in transit is moved on an encrypted connection (HTTPS, TLS, etc.)
Top Organizational VulnerabilitiesInterestingly enough, the vulnerabilities we’re seeing this year are the same ones we saw last year. Hackers all always advancing, but they will continue to attack and take data with proven methods for as long as they work.
Currently, the biggest issues we see are:
- Insecure remote access: Make sure you use multi-factor authentication. The long-trusted combination of username and password (and too often passwords are weak, e.g., 123456) will no longer suffice to protect all of your data. You need to make sure that you have a strong and unique username and password combined with other accepted and secure factors. An example of this would be if your privileged access login requested two or more factors (e.g., it asked for username and password/PIN, and then prompted you to enter a security token, One Time Password token, or some other accepted factor). Failure to properly secure all of your remote access is one of the main reasons for breaches today.
- Employees: The “human element” can be a big problem, and quite honestly, may always remain a large problem in the healthcare industry. In my experience, employees are almost always trying their best—but if they’re not properly trained, they won’t know any better and might open a phishing email or click on a malicious link. Training your employees properly and frequently will pay dividends when your employees stop an attacker or malware dead in their tracks.
- BYOD policies: When we think of a bring your own device (BYOD) policy, we might think of privately owned cell phones brought into a sensitive network, but there’s more to it than that. It includes the devices used at a company: work laptops and work phones--that go home and are connected to home networks or airport Wi-Fi--and then are brought back to your sensitive data environment. We see devices stolen which had no disk encryption. Remember all of your PHI and ePHI needs to be properly encrypted.
- Third parties: Some of you reading this are likely a third-party. Maybe you’re a business associate performing a duty like development, platform as a service, infrastructure as a service, billing, or something like that. We see a lot of vulnerabilities coming through third parties. As a third-party, you need to make sure security and compliance is a top priority as it will directly affect the growth of your business. Doing business with a business associate is often necessary to provide proper care to patients, but it is not without risks. I work with many vendors who diligently take care to ensure all patient data they access or are provided is secure, and that they are compliant. However, this is not the case for all business associates in the industry. It’s important to remember that you should engage business associates with proper due diligence. Make sure that all BAAs are in place and obtain assurances that your data and systems will be secure and compliant when shared or accessed by any third party.
HIPAA data security updatesI don’t see HIPAA compliance requirements as a whole changing drastically anytime soon. Not to be confused with the healthcare industry, HIPAA itself hasn’t really changed much from year to year.
In the cybersecurity realm, we did see new clarification from NIST regarding what are considered strong passwords or passphrases. OWASP re-released their updated top 10 most critical web application security risks of 2017. Keep in mind that it has been re-released, but that it hasn’t changed all that much. Since far too many businesses and vendors haven’t drastically improved their security, most attackers are using the same methods they have in years past.
Issues with a compliance mentalityFar too many entities are just “check listing” their compliance efforts (this is not unique to the healthcare industry)—which will continue to lead to data breaches. It’s easy to think of attackers as part of an extensive and organized network, or even as nation states--and certainly those things exist. But, the source of a data breach at your organization could be as simple as your own employees or patients accessing a system or application on your unsecured Wi-Fi.
Negligence of security can lead to:
- Unauthorized use or disclosure of PHI (i.e., loss of data).
- Patient harm (loss of data, physical/emotional harm), especially if it has to do with sensitive medical information (mental health, drug use, etc.).
- Network medical device loss of integrity. As technology advances, we’ll see more devices affected and the possibility of harm to patients (physical or emotional).
These types of problems are going to continue to happen until we make a big shift into real security and not just checking boxes.
5 tips to improve HIPAA compliance in 20181. Focus on policies and procedures
We often see that entities have completed some portion of their policies and procedures—usually their privacy policies. We also see policies and procedures that are just a few pages in total, if they exist at all. Of course, not all policies and procedures are going to apply to every employee, however, a 2- or 3-page document will not be enough.
Also remember that your policies and procedures document is not just a paperweight. You may have sufficient documentation, but if you need to find information about your firewalls or about authorized uses and disclosures, and your document isn’t usable, it’s not going to do you or your employees a lot of good.
If your organization receives a complaint or has a breach, the first thing HHS and OCR will likely ask to see is your complete policies and procedures. If you don’t have sufficient policies and procedures in place, it’s likely to lead to further investigation into your organization and compliance.
Think about implementation: where are the gaps in your policies and procedures? Do you use a cloud vendor? Do you have policies and procedures for your firewall and router configurations? For encryption of data at rest and data in transit?
Are your staff trained in the policies and procedures that apply to them? If not, it’s time to get our documentation in order and then train your staff on them. It’s not uncommon for me to go into an organization and ask employees to show me where their policies and procedures are, and they can’t find them.
Lastly, you need to regularly update your policies and procedures. As your organization changes, your roadmap (i.e., policies and procedures) should adapt and change with it. Your policies and procedures shouldn’t be an afterthought. They are there to help you and your staff ensure proper security and compliance in your organization and for your patients.
SEE ALSO: HIPAA Security Policy Free Download
2. Incident response plan
Even if you haven’t been breached yet, it’s likely you will at some point: whether it’s a small incidental breach or a major event where the contents of your database have been exfiltrated outside of your network. The size and severity will vary depending on the amount of time and resources you’ve put into your security. But, regardless of the size of the breach, if you haven’t prepared for the aftermath, it’s going to be significantly more painful and expensive.
First, you need to document your incident response plan, (and do so before a breach, rather than after). Second, you need use the incident response plan to minimize potential impact. This will help you to reduce fines and any negative effects on your business and customers. Make sure you’re identifying all the potential risk and vulnerabilities. This can be done through a risk analysis.
It’s not uncommon for health organizations to engage a third-party service provider to contain and respond to the breach. The use of that third party needs to be documented in your plan.
You will need to set up a breach response team and make sure they understand their responsibilities. Make sure you have a team leader, scribe, timeline leader, and HR or legal representatives. Oftentimes people wrongly assume a person or group knows their responsibilities related to a data breach. If they aren’t included in incident response planning and training, there’s no way for them to know their responsibilities.
Sell the incident response plan to your executives. Whatever you do after a breach will greatly affect the fines and bad press your practice could face.
Finally, you need to test your incident response plan. Start by performing tabletop exercises at least once a year. Doing so will not only keep you in compliance, but it will also help you find gaps in your plan. Whether your incident response team has twenty people or two, you need to test the plan for efficacy and communication. Bring up all aspects and details, like how physicians will communicate with communicate to IT, HR, and legal, and how legal will communicate with the courts. Document what you learn during your tabletop exercises—I’ve never seen an incident response exercise where someone didn’t learn something new to help improve security and protect privacy.
SEE ALSO: 6 Steps to Making an Incident Response Plan
3. Risk analysis
If you haven’t done a risk analysis, get started on one today. A risk analysis is the identification of the risks, threats, and vulnerabilities to your organization. Those risks, threats, and vulnerabilities can be digital or physical, internal or external, negligent or willful. A risk analysis takes into account your systems, as well as the human and environmental elements which affect your organization.
- Risk: The potential for a threat to exploit a vulnerability and the loss, damage, or destruction it would cause.
- Threat: Anything that could exploit a vulnerability, whether intentionally or unintentionally.
- Vulnerability: A weakness, flaw, or security gap in an environment.
If you have done a risk analysis, you should review and update it at least annually. Significant events, like mergers or acquisitions, would also affect your risk analysis, so you’d need to review and update yours at that time.
To start on a risk analysis, you need to first understand where your PHI is stored, received, maintained, and transmitted. If you don’t understand which systems are touching PHI and how they interact with it, it’s going to be incredibly challenging, if not impossible, to identify risks, threats, and vulnerabilities in a thorough and accurate manner.
SEE ALSO: How to Start a HIPAA Risk Analysis
It is not uncommon for organizations to use tools like vulnerability scans (internal and external), penetration tests (internal and external), and virus scanning, to assist in the identification of some of the many risks and vulnerabilities in your PHI/ePHI environment. However, these tools are not the only component to your risk analysis. It’s important to consider the physical, administrative, and technical risks, threats, and vulnerabilities that may be present in your organization. It’s your responsibility to make sure that the accurate and thorough identification of all potential risks, threats and vulnerabilities is performed. There is no shame in seeking the help of an experienced third-party service provider to simplify this process and help close any gaps you may have in experience.
Don’t forget to to interview employees during this process. Your employees have valuable insights into how they interact with your systems and sensitive data. You might believe that staff are doing things one way, only to discover that they don’t because they found a better way. Here are a few questions you might ask in this process: How do employees interact with patients and PHI/ePHI? Who has access to what data? What are the policies and procedures around access and data usage. Where do they send data, and how is that transmission performed? What do your employees do when a process or technology isn’t working? Do they find a new, creative way of interacting with that PHI/ePHI?
Whatever you do, do not delay in your risk mitigation. Properly addressing risks will require time and resources, but know that the risks, threats and vulnerabilities in your organization will not address themselves, and hackers are always looking for access to your systems and data.
4. Train staff properly
Training can’t be emphasized enough. Your staff can either be your greatest asset or your greatest vulnerability.
Training staff just at the time of hire is not sufficient. You need to hold monthly meetings where you review the Security, Privacy, and Breach Notification Rules. All staff should be included: nurses, doctors, receptionists, assistants, developers, system administrators, network administrators, etc. Each job role will experience different issues.
Make trainings fun. If you include games or food, staff will be more likely to engage with and retain the information presented. Here are some example training topics: acceptable uses and disclosures of PHI, social media compliance, phishing, social engineering, and physical security.
You should also test staff: quiz them and give them reviews. Find out if your trainings are effective. You could even hire someone to perform an email phishing tests on your staff to determine if your training is working in a real-world situation. Security should be first of mind. If your staff introduces security risks due to ignorance, it is highly likely that they will think it’s acceptable for future situations and you will remain vulnerable.
5. Security best practices
We are constantly looking at how to best bulk up security and protect data. We sat down with our forensic team to find out the top vulnerabilities that allow attackers to break into systems. These are the most common areas with which they noted security concerns:
- Intrusion Detection/Prevention System (IDS/IPS)
- File Integrity Monitoring (FIM)
- Edge Firewall Security
- External Vulnerability Scan
- Remote Access Security
Keep in mind the many tools and services available to help you test your systems and protect PHI:
- Wireless Network Security
- Web Application Security
- Physical Security
- Penetration Testing
- System Hardening
- System Patching
- Internal Vulnerability Scan
A less technical, but just-as-important, aspect of security, is encouraging the right kind of culture. Many companies do not maintain a good and ubiquitous security culture. Management in these organizations may be touting that they have an awesome security culture, but in reality their security culture, or lack thereof, is causing their patient data many risks, threats, and vulnerabilities. It is not uncommon see healthcare companies pour time and money into systems or outside assistance, but then fail to protect or maintain those systems, because it just isn’t a priority internally. In those cases, their efforts are more like a Band-Aid.
Also understand that security comes from the top down, not vice versa. If security is not handled with a top-down approach, things can get frustrating for staff members. Many times, employees will even leave an organization if it doesn’t seem to care about security.
Security does not have to be overly challenging. Create an environment where employees aren’t afraid to report suspicious behavior or anything that could be a security problem. A great security culture will facilitate openness and empower employees to bring up the security issues you need to know about.
Live and breathe securityTo better protect yourself and your organization, you should live and breathe security. Make compliance and security year-long practices. HIPAA compliance is often treated as a “single-point-in-time” event, but in reality, security and compliance are never ending. That fact on its own can be enough to make you want to throw your hands up and call it quits, but don’t. Your patients rely on you to protect their sensitive information. It’s up to you to make sure that your organization has complete and secure processes in place.
Also remember that healthcare workers are busy, and their main concern is taking care of patients. If you conduct a thorough, annual risk analysis, (as well as anytime there is a big change in your processes or in your PHI/ePHI environment), you can feel better knowing about the vulnerabilities working from an action plan.
We’ve only listed 5 tips in this blog post, but there are so many excellent processes and tools you can implement to help safeguard your patient data. And you don’t have to do it alone: get your organization on board and engage a third party if you need to.
If you are interested in a HIPAA audit, or would like to learn more about HIPAA, PCI, GDPR, or data security, please contact us here.
Brand Barney (CISSP, HCISPP, QSA) is Senior HIPAA Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.