
Do You Understand HIPAA Security?


I see many hospitals, and other organizations in healthcare, struggle with HIPAA security when it comes to policy and procedure.

To help explain why HIPAA exists and to give you a little context for what the ‘bad guys are doing’ and why folks in healthcare—even tangentially involved—should be thinking about HIPAA security, I’ve written a few questions related to HIPAA security to get you thinking about security from a variety of people’s perspectives.

My message to you: use these questions to build a better understanding of HIPAA-HITECH.

(I am planning on writing a few more each month to clarify points in HIPAA legislation that I see as sticking points in hospitals and clinics).

I want to emphasize that passing a HIPAA risk assessment is NOT the same as being secure. Even if you follow the check boxes of HIPAA standards for security, you may not be keeping your patients and staff safe from cyberattacks. We have seen time and again instances where we have had to clean up cyber events resulting from hospitals thinking they were secure when they actually had gaping holes in their network, or staff that didn’t really understand how their roles fit into security.

Even if your facility has passed a HIPAA risk assessment, I would urge you to get a more detailed and updated security assessment done on the state of your network to avoid some of the sticking points many of the organizations have had that needed our ransomware remediation services.

We have put together a grant that offers a ransomware vulnerability assessment to 11 hospitals in the next 3 months free of charge (labor and technology expenses to complete these assessments cost us upwards of a thousand dollars). We have decided we’d rather make hospitals aware of the state of their vulnerabilities than have to be the ones to clean up the mess. To be frank, cleaning up from a ransom event (or even a data breach) is quite costly (tens of thousands of dollars for minor attacks) and is never fun to work.

We’d much rather have you know that your hospital is safe from attack and ready to recover from any type of event (man-made or natural in nature) rather than having to pick up the pieces after disaster strikes without having a disaster plan ahead of time.

If you are interested in getting an assessment, please see our ransomware vulnerability assessment page or call our office for further details.

Here are the first batch of questions to consider:

Who needs to comply with the HIPAA Security Rule, according to 45 CFR Part 160 and 164, Subparts A and E?

  1. Everyone who owns or works with a healthcare business who receives payments for health services needs to comply.
  2. You need to comply only if you take or process health insurance payments or work with somebody who does.
  3. You need to comply only if you take or process health insurance payments.
  4. Any healthcare provider that transmits health information in electronic health records (EHRs).

The answer is ‘1’

Go deeper in the answer

All covered entities and business associates that receive payment for health services must comply with HIPAA standards. The Security Rule applies to all health plans, healthcare clearinghouses and healthcare providers who collect or transmit health information in electronic form. The Department of Health and Human Services (HHS) has adopted the Security Rule standards under HIPAA for covered entities (i.e., an organization that provides health plans, is a health clearinghouse, or is a health care provider who transmits any health information in electronic form (Ref 45 CFR 160.103)) and for their business associates (i.e., a person or organization that provides data transmission services to a covered entity (CE) and requires routine access to that PHI, offers a health record to a 3rd party on behalf of a CE, or is a subcontractor that creates, receives, maintains, or transmits information on behalf of a CE or another business associate (Ref 45 CFR 160.103)) that perform health services.

Randal | Black Hat Hacker:

The HIPAA Security Rule standards have made it harder for me to obtain health records, which have highest value on the dark web right now. The good news is that their value keeps rising, so I will continue to hunt for healthcare targets.

Barry | Coffee Shop Owner:

The HIPAA Security Rule does not affect my business. I deliver coffee to workers in our nearby hospital and many doctors and nurses visit my shop. I have not seen any change to my security needs.

Bob | Nurse Practitioner:

The HIPAA Security Rule has forced me and my colleagues to be more diligent in how we access, store, transmit and dispose of health information. We are taking more care with both electronic and physical records to ensure PHI is properly managed.

Sara | Custom Software Designer:

I design custom code for several healthcare offices. Since I work directly with healthcare databases, I need to make sure that I am complying with the HIPAA Security Rule. The Security Rule makes my work more difficult, because I have had to modify my behaviors in how I code to ensure data is properly encrypted during transit and at rest.

Linda | Practice Owner:

My practice has had to change its security policies since the Security Rule was enacted. We invest more in security and staff training to ensure everyone understands how to comply with security standards. We also have to make sure that all of our vendors that have access to some form of PHI (or have a chance of being exposed to PHI) have agreements with us and understand our heightened security policy.

I work with a whole bunch of vendors. According to 45 CFR Part 308 and 314, which of the following choices are applicable to making sure they are keeping my PHI safe?

  1. I need to understand where my PHI is going outside and inside of my organization.
  2. I get vendors to sign a business associate’s agreement (BAA) and the vendor tells me they are following security compliance, so I am off the hook.
  3. I need to validate that I have signed agreements with BAs (Business Associates) that have any access to my PHI and audit those BAs to ensure they are complying with HIPAA security standards.
  4. I perform a periodic (annually is recommended) risk assessment that includes a review of vendors and how they are managing our information.

Which apply?

  1. 1
  2. 1, 3, and 4
  3. 1, 2, and 3
  4. All of the above
  5. None of the above

The answer is ‘2’

Go deeper in the answer

Covered entities are required to ensure that PHI moving inside and outside of their organization is secure. They are required to have agreements with business associates and to ensure those associates are complying with security standards. Business associates are defined as a person or organization that provides data transmission services to a covered entity (CE) and requires routine access to that PHI, offers a health record to a 3rd party on behalf of a CE, or is a subcontractor that creates, receives, maintains, or transmits information on behalf of a CE or another business associate (Ref 45 CFR 160.103) that perform health services.

Randal | Black Hat Hacker:

I often get into hospitals and big healthcare organizations through their vendors. When business associates have networks that are hard to get into / compliant, I can’t access these organizations so easily.

Barry | Coffee Shop Owner:

I am not a business associate, so I don’t have to worry about this too much, other than personally being concerned that my health data is managed appropriately and secure.

Bob | Nurse Practitioner:

We have had to change our policies on how we select vendors to make sure they will comply with security policies. We have had to build out new processes to collect business associates agreements and hold vendors accountable to those agreements.

Sara | Custom Software Designer:

I am a business associate and get audited by my clients periodically. I am constantly thinking about and trying to find ways to simplify compliance. My productivity has slowed since having business associate requirements, due to the added work involved in securely working on my healthcare client projects. On the bright side, I have been able to charge more for compliance and am considering a specialization in healthcare coding.

Linda | Practice Owner:

I need to follow up with my team to make sure our vendors are compliant and that we have documented business associate agreements for any vendor with exposure to our PHI. Having compliant associates truly makes me worry less about security breaches than I had in the past.

I am disciplined in making sure that our backups work and restoring test files on a monthly basis. We retain our backups for one month. Am I HIPAA compliant?

  1. Yes, you’re covered, but most state laws have some sort of retention requirements. Make sure you are familiar with your state’s legislation.
  2. No, HIPAA requires you to retain backups indefinitely.
  3. No, HIPAA not only requires that you have backups in place, but data retention for 7 years. You will need to add a periodic archive that you’ll retain for 7 years.
  4. No, HIPAA not only requires that you have backups in place, but data retention for a year. You will need to add a periodic archive that you’ll retain for that year.

The answer is ‘1’

Go deeper in the answer

HIPAA does not require medical record retention. This is left up to state legislation. For instance, Michigan requires record retention for 7 years, except with written approval from the patient to destroy the record (Public Health Code Act 368 of 1978, Section 333.16213).

Randal | Black Hat Hacker:

I frequently use a ransomware kit I purchased on the dark web to lock down patient files and hold the organization’s data for ransom. When they have backups, they don’t pay the ransom.

Barry | Coffee Shop Owner:

I’ve read a lot of stories of how hospitals and healthcare have had their healthcare records lost from ransom attacks. I am concerned by this because I heavily depend on the hospital and local healthcare businesses attending my shop. My business can’t survive without them.

Bob | Nurse Practitioner:

I sure hope we’re getting good backups of our data so that all the information I’m entering about my patients isn’t lost. I heavily depend on electronic health records to do my job.

Sara | Custom Software Designer:

I not only need to make sure that backups are happening, but also that the data my code is storing or accessing is encrypted.

Linda | Practice Owner:

I am responsible for making sure all of our PHI gets backed up and is retained. I rely heavily on reports from our Managed Service Provider (MSP) to explicitly understand the status of backups. This is now part of my weekly routine when I meet with our technology manager and security officer.