Breach Notification Archives

HIPAA Security Rule requirements, Part 2 – Security Awareness and Security Incident Procedures

Suze Shaffer February 15, 2021February 18, 2021

What the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) considers as reasonable and appropriate safeguards are always open for discretion. Every organization is different, and what may work for one, may not for another. For that reason, this information is a guideline only and should not be taken as legal advice.

Here are a few areas that should be reviewed:

§ 164.308(a)(5)(i) Security Awareness and Training has (4) implementation standards. They are labeled as “Addressable” under the HIPAA Security Rule. Do not be fooled by the term addressable, that does not mean optional. It just means you have options in implementing the standards.

The Security Awareness and Training standard means that a covered entity must implement a security training program for all employees including management. The frequency in which the training is performed is typically questionable and HIPAA requires new hires must be trained within a reasonable amount of time. We recommend HIPAA training BEFORE any person has access to PHI or ePHI since one mistake can cause a data breach. Then, HIPAA requires “periodic” training. Most organizations conduct annual HIPAA training. Although HHS does not specifically state you must conduct annual training, should you suffer a data breach and it is caused by an employee that did not have proper training, you could be fined for that violation. That is why it is so important to ensure your employees not only attend (and have documentation) HIPAA training, but must also actually understand what is required of them and how to safeguard patient data.

§ 164.308(a)(5)(ii)(A) Security Reminders – HIPAA is not just a once-a-year process. Periodic security reminder updates should be conducted throughout the year to keep HIPAA and data security in the minds of your staff. This should be documented as well.

§ 164.308(a)(5)(ii)(B) Protection from Malicious Code – Procedures must be in place to guard against, detect, and report viruses and malware. Up to date anti-virus and anti-malware software can ward off most intrusions. That is, as long your staff does not click on attachments or visit certain website where malicious code is located. Education is key. Ensuring software patches are applied when released, scanning systems on a routine basis, and utilizing firewalls are also very important. Making sure users do not introduce malicious code from downloads, DVDs, flash-drives, or other products brought from home.

§ 164.308(a)(5)(ii)(C) Log-in Monitoring – Procedures for monitoring log-in activity and reporting discrepancies. This standard states you must monitor user logins and unsuccessful attempts. Best practices are to have procedures to lock a user out after a predetermined number of failed log-in attempts. This may prevent an unauthorized user from gaining access to your system. With malware that repeatedly tries new passwords, this is highly recommended.

§ 164.308(a)(5)(ii)(D) Password Management – Procedures for creating, changing, and safeguarding passwords. All users must use their own credentials to log into systems that contain ePHI. Passwords are to be complex, never shared, secure, and changed at least every 90 days. Although HIPAA does not specifically state the 90-day rule, it is best practices unless you are utilizing a second method of authentication.

§ 164.308(a)(6)(i) Security Incident Procedures has (1) implementation standard, and this is “Required”. This means you MUST implement the standard as stated. You must have policies and procedures in place that identify security incidents, so employees understand what a security incident is, and how to respond.

§ 164.308(a)(6)(ii) Response and Reporting requires a covered entity to have policies and procedures in place to report and mitigate security incidents and determine if a data breach occurred. Then, if a data breach has occurred, the covered entity must determine how many patient records were affected. The time frame to report the breach to OCR and possibly state and local agencies differs on whether the breach is over 500 patient records or not. This should be clearly outlined in your Breach Notification Plan. During the breach notification process, state law will supersede the federal HIPAA law if the state law is more stringent. Keep in mind, all 50 states have their set of privacy laws.

We will be adding more information on other Security Standards, so watch for more posts!

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

OCR Issues Audit Report on Health Care Compliance

Suze Shaffer December 18, 2020February 1, 2024

Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data. They reviewed selected covered entities (CE) and business associates (BA) for HIPAA compliance of the HIPAA Privacy, Security, and Breach Notification Rules.

DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by a slim chance of a random audit, you can be audited for many other reasons! This audit comprised of 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.

A summary of the audit findings includes:

Most CEs met the timeliness requirements for providing breach notification to individuals.
Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
Most CEs failed to provide all of the required content for breach notification to individuals.
Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

The 2016-2017 HIPAA Audits Industry Report may be found at: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

Ransomware is a REAL threat…

Suze Shaffer October 20, 2019February 1, 2024

By: Aris Medical Solutions

We all hope that we do not fall victim to ransomware, but we need to do more than just hope. All businesses, especially healthcare must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind, you may need to go through the breach notification process based on your state and federal HIPAA law.

A Michigan ENT and Hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering this data, they chose to close the practice.
Most recently, a California Medical Practice was unable to recover their data after ransomware encrypted their systems including their backups. As a result, they will close their practice December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!

Best practice is of course to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can cause a tumbling effect leading to the loss of your business. I know that sounds a bit dramatic, but most small to medium sized organizations that suffer a data breach do not survive.

Healthcare is a major target, in fact, 71% of ransomware attacks are towards small to medium sized practices since they do not have adequate network security in place.

Your first line of defense is an enterprise version firewall device. This means, do not purchase one that has parental controls!
Second, have a network security specialist set up your firewall and set custom security controls. It is fairly simple to set up a “network”, but it takes someone who truly understands network security to secure your network. This includes computers, servers, access points, etc.
Depending on the size of your organization, you may need to set up an onsite server as a domain controller. Once this is in place, all users are authenticated through the domain. Security permissions can be set all at once and can’t be changed by the users.
Phishing education for all employees including providers, and management. Business email addresses are targeted typically between Tuesday and Thursday according to the analysis from Barracuda. Phishing emails impersonate a trusted entity, they try to get the recipients to click on the links or attachments, share account credentials, and typically have some sort of urgency associated with the email. These emails often bypass traditional email security since they originate from reputable senders.
Ensuring you have business associate agreements in place before releasing any PHI. This will protect you from fines and penalties in the event they have a data breach. It is advisable to carry cyber-liability insurance. If your business associate causes a data breach, it will still be your responsibility to go through the breach notification process. Best practice is to require your business associate to carry cyber liability as well.
Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where they can be accessed by an unauthorized person. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up to date inventory list and reviewing it regularly is critical in knowing if anything is missing. Lastly, a security system that has cameras and access logs is recommended.
Organizations that have well defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP a data breach from becoming a major breach. Plus, most large fines are because the organization did NOT have a policy or plan in place. Just make sure you have read and dated them!

Remember HIPAA is not a once and done process, as technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Cyber Security – how to prepare!

Suze Shaffer September 18, 2017February 1, 2024

By Aris Medical Solutions

Cyber attacks are on the rise in healthcare, and are one of the leading cause of data breaches. Disgruntled employees are another and patients that believe their information has been compromised round out the top three. Although nothing is 100% secure, there are a few simple things you can do to prevent nearly all of these attacks.

First and foremost prepare and plan for a breach. Implement a Breach Notification plan. Understand the difference between an internal and external breach. Make sure you have your security team in place!

Too many practices think they can ignore the possible threat because they use a cloud based EHR. Most hacks and unauthorized access are caused internally due to an employee that is uneducated in security. Employees that use their work computers to access personal email or use their work email for personal use expose the practice to this uncertainty. This could potentially allow viruses and malware into your network. It only takes one person to surf the web and pick up keylogging malware or click on an email attachment or link and bring your entire organization to a halt. Best practices to share security information with your staff at least monthly. Continual education of the possible threats are necessary. You can never be TOO diligent in the area of security!

Make sure you use a Termination Checklist to remind you of all of the access points that must be removed should an employee leave. This is a huge oversight that we see a lot of when we are conducting network security audits. Employees leave and some of their login credentials are removed but not all of them.

Last but certainly not least; if you have a patient that complains about their privacy being violated, take it seriously and resolve the issue as quickly as possible. Make sure you document the process.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

DynA-Crypt Ransomware is worse than the others!

Suze Shaffer April 2, 2017February 1, 2024

By Aris Medical Solutions

Karsten Hahn who is a GData malware analyst discovered this ransomware called DynA-Crypt. Larry Abrams at Bleepingcomputer alerted the world about this new type of ransomware. Thanks to them, we know about this and must be diligent in protecting our information.

This new strain is even more dangerous and destructive than the others. This malware not only encrypts your data, but also takes screenshots of your active desktop, login commands that you type, and even records system sounds from your computer. It will even steal information from Skype and Chrome. While this vicious attack is encrypting your computer, stealing your information, it is also deleting your files.

This would be considered a major HIPAA data breach and not only will you lose everything, you will have to report this to your State and Federal authorities under the Breach Notification Laws.

Make sure your anti-virus and anti-malware is up to date and verify it is an enterprise version. Although this is not specifically stated under HIPAA, it is considered reasonable and appropriate. If you never have this happen to you, the HIPAA Police is not going to penalize you. However, if this does affect your practice or organization and you do not have reasonable and appropriate safeguards in place, you will be fined and penalized.

Everyone in your organization should be made aware of this new attack and remind them NOT open any file attachments OR click on any links in ANY email unless you are absolutely sure it is safe. Best practices is to open your browser and go directly to the company’s website to check on anything you receive in an email. Also be VERY careful trusting emails from friends. If YOUR email is hacked, they will spoof a name in your contact list and send an email back to YOU. They hope that since you know this person you will open the email. If you receive an email that asks you to click on a link or open a file, look carefully at the FULL email address, more than likely is NOT your friends email. Keep in mind, it still could come from their actual email address. Always call or text them and ask if they sent this to you.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting Patient Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”