Last month the Office for Civil Rights (OCR) began the second phase of its HIPAA Audit Program. OCR has randomly selected 350 covered entities to take part in desk audits, which will aim to ensure those entities have proper written documentation, training and notice procedures regarding the management and safeguarding of personal health information belonging to their patients. The audit will also include desk audits of 50 business associates. This is the first time business associates have been included in the OCR audit process.
The purpose of this new round of audits is not to punish those entities who have gaps in their policies but rather to allow OCR to gather information that will help them get in front of potential problems before they lead to a breach of information. Despite the current audit focus, we highly encourage all covered entities to take action now not only to ensure that they can demonstrate that their policies and procedures adhere to HIPAA and HITECH standards, but also to ensure they are mitigating risks across their computer networks for breach of PHI.
Pilot audits were conducted by OCR in 2014. Following that pilot project, it was reported that the most common deficiency OCR found was the failure of covered entities to conduct a security risk assessment to identify and mitigate risks to personal health information (PHI). Example violations included PHI on exposed servers, unencrypted laptops, unchanged default passwords, outdated security software and inadequate training.
Inadequate security and risk mitigation made headlines throughout last year. In fact, 2015 was dubbed by security professionals “the year of the HIPAA breach.” Anthem made headlines when personal identification information was stolen from a compromised database containing nearly 80 million customer records. Theft of personal health records is big business. Healthcare providers will continue to be a target, and with good reason: a single credential – such as a person’s date of birth, diagnosis code, billing information, or insurance policy number – can sell for as much as $10 on the black market. A full, intact health record containing the patient’s entire health profile can sell for as much as $500. Why? Because possession of this information enables criminals to fraudulently bill insurers for thousands of dollars, making the theft of personal health information a very lucrative business.
While improving data security may seem to be an overwhelming process, there are some simple steps that may be taken to significantly decrease your risk of data breach:
#1: Invest in your network
Keep your PC and server operating systems current and patched regularly. Update the software packages in use by your practice as updates become available. Install security software across your network. Set up firewalls. Secure your wireless network. Be aware of what ports are open on your network and close any that are unnecessarily open. Proactively monitor your network for activities that should not be taking place in your environment. Doing all of these things will reduce the level of risk in your network environment.
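Knowing which ports are open means comparing what is actually listening against what you have decided should be listening. The following Go program, an added example that is not part of the original article, parses the output of the Linux `ss -ltn` command and reports every network-facing listener that is not on an approved list. The sample output and the allowlist (SSH and HTTPS only) are constructed for the example; loopback-bound services are ignored because they are not reachable from the network.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleSS is a constructed sample of `ss -ltn` output (Linux listening TCP sockets);
// it was not captured from a real host.
const sampleSS = `State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       4096    0.0.0.0:443         0.0.0.0:*
LISTEN  0       50      0.0.0.0:3389        0.0.0.0:*
LISTEN  0       128     [::]:23             [::]:*
`

// Listener is one listening socket: the address it is bound to and its port.
type Listener struct {
	Addr string
	Port int
}

// ParseSS turns `ss -ltn` output into Listener values, skipping the header
// and any line that does not parse.
func ParseSS(out string) []Listener {
	var ls []Listener
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[0] != "LISTEN" {
			continue
		}
		local := f[3] // "Local Address:Port" column
		i := strings.LastIndex(local, ":")
		if i < 0 {
			continue
		}
		port, err := strconv.Atoi(local[i+1:])
		if err != nil {
			continue
		}
		ls = append(ls, Listener{Addr: local[:i], Port: port})
	}
	return ls
}

// isLoopback reports whether a bound address accepts only local connections.
func isLoopback(addr string) bool {
	return addr == "[::1]" || strings.HasPrefix(addr, "127.")
}

// UnexpectedListeners returns, in ascending order, the ports that are reachable
// from the network (not loopback-bound) and are not on the approved list.
func UnexpectedListeners(ls []Listener, allowed map[int]bool) []int {
	var out []int
	for _, l := range ls {
		if isLoopback(l.Addr) || allowed[l.Port] {
			continue
		}
		out = append(out, l.Port)
	}
	sort.Ints(out)
	return out
}

func main() {
	// Hypothetical allowlist for one server: SSH for administration, HTTPS for the practice portal.
	allowed := map[int]bool{22: true, 443: true}
	for _, p := range UnexpectedListeners(ParseSS(sampleSS), allowed) {
		fmt.Printf("port %d is listening on a network-facing address but is not approved: close it or document it\n", p)
	}
}
```

On the constructed sample the program flags ports 23 (telnet) and 3389 (remote desktop) while accepting the loopback-only database on 5432. Run against real `ss -ltn` output on a schedule, the same comparison becomes a simple change detector: any port that newly appears in the report is something to investigate.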
#2: Train your users
Building and maintaining your network foundation is not enough. You can have the best security tools and staff available but they will do little to protect you if your employees are not educated. Review your company’s acceptable use policy as part of your new employee onboarding process. Educate your employees about best practices with regard to internet safety and security. Include training about email scams and phishing attacks. Also teach your employees what types of information you deem to be sensitive and how to properly handle the disclosure of that sensitive business information to others.
The National Cyber Security Alliance offers free resources to get you started with your training. Access their materials at www.staysafeonline.org.
#3: Use a web filter
Consider the use of web filters to control what websites can be accessed by users on your network. Encryption and security expert Beachhead Solutions reports 52% of organizations experienced an increase in malware attacks as a result of employees’ use of social media. Social media is the perfect place for cyber criminals to prey on victims due to the sheer quantity of individuals accessing these sites daily. Facebook had an average of 890 million daily active users in December of 2014. What may look like a harmless message or wall post may actually be a phishing scam. The typical user may not recognize the risk and, as a result, may compromise your entire network. A web filter lets you blacklist sites that pose a risk to your network environment, such as social media pages, by blocking user access to them. (For more information about the risk of social media use by healthcare organizations, see our past article.)
#4: Encrypt your data
HIPAA HITECH compliance requires electronic personal health information to be unusable, unreadable or indecipherable to unauthorized individuals. Despite your best efforts to secure your network, train your employees and block access to harmful websites, you could still be a victim of lost or compromised data. The best way to ensure your patient information remains unusable should it fall in the hands of cyber thieves is to encrypt it. Encrypted data requires a secret key or password to access the information. There are cost-effective tools today that encrypt your data automatically and with no adverse impact to your users. Learn more about how encryption keeps your data secure.
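To make concrete what “unusable, unreadable or indecipherable” means in practice, here is an added Go example (not code from the original article or from any product it mentions) that encrypts a patient record under a password. The password is stretched into an AES-256 key with PBKDF2-HMAC-SHA256 and the record is sealed with AES-GCM, so a wrong password or any tampering with the stored blob is rejected outright rather than yielding garbled output. The record, passphrase and iteration count are constructed for the example; PBKDF2 is written out by hand only to stay within the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32     // a 32-byte key selects AES-256
	iterations = 100000 // PBKDF2 work factor; an assumed value for this example
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newGCM derives the AES-256 key from password and salt and returns an AEAD for it.
func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record under a password. Blob layout: salt || nonce || ciphertext+tag.
// A fresh random salt and nonce are drawn for every call.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(blob, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong password or any modification of the blob fails
// GCM's authentication check, so no partial or garbled plaintext is ever returned.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(rest) < n+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, rest[:n], rest[n:], nil)
}

func main() {
	// Constructed sample record, not real patient data.
	record := []byte("name=Jane Doe;dob=1970-01-01;policy=ABC123456;dx=E11.9")
	pass := "a long passphrase kept outside the data store"
	blob, err := Encrypt(pass, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d bytes, no readable fields\n", len(blob))
	if _, err := Decrypt("guessed password", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	plain, _ := Decrypt(pass, blob)
	fmt.Println("with the right key:", string(plain))
}
```

The point to carry over to whatever tool you deploy is the separation this layout enforces: the stored blob contains the salt and nonce but never the key, so a stolen laptop or copied database is useless without the passphrase (or key-management system) that stays elsewhere.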
How confident are you about the security of your practice’s network? When was the last time you conducted a security risk assessment? Need help? Contact us to request your free security assessment. The risk of a data breach, and the consequences that follow one, are simply too great to continue to ignore.