5 Critical HIPAA Healthcare Audit Blunders
10:00 AM EST Wed. Jan. 23, 2013
An initial Health Insurance Portability and Accountability Act (HIPAA) audit program conducted by the Department of Health and Human Services' Office for Civil Rights in 2012 found a variety of HIPAA privacy and security problems. The initial findings, released in June, uncovered security challenges at larger healthcare organizations, difficulty mitigating the risks posed by third-party service providers, and serious compliance failures at smaller, cash-strapped providers. Organizations that do not maintain a security program face loss of contracts, criminal and civil investigation, federal penalties and state fines. A data breach can also bring reputational damage, legal costs and the cost of notifying affected patients.
Here are five HIPAA requirements that organizations must comply with, along with advice from security experts on how to meet them.
User activity monitoring involves collecting and analyzing logs to track administrator and end-user activity, along with a history of system and application access. The goal is to detect suspicious activity and act on it, and to give forensics teams a road map if a breach occurs within the organization.
Security experts say activity monitoring is most effective when it is coupled with security policies that give user activity context, and someone has to actually review the logs. HIPAA specifically requires procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports (the information system activity review specification at 45 CFR 164.308(a)(1)(ii)(D)). It also requires hardware, software or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (the audit controls standard at 164.312(b)).
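As an added example (not part of the original article), the Python script below shows what a routine review of an ePHI access log might automate. The log lines, user IDs, identity directory, log format and thresholds are all constructed for the illustration; real systems have their own formats. It flags access outside business hours, access to patients outside the user's own unit, bulk access by one user within an hour, and activity by an account that is not in the identity directory.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an ePHI access log. The line format, user IDs and
# patient IDs are hypothetical, chosen only to exercise the review rules below.
SAMPLE_LOG = """\
2013-01-22T09:03:11Z user=u1042 role=nurse unit=ICU action=VIEW patient=P5001 patient_unit=ICU
2013-01-22T09:05:40Z user=u1042 role=nurse unit=ICU action=VIEW patient=P5002 patient_unit=ICU
2013-01-22T02:14:05Z user=u2077 role=billing unit=FIN action=VIEW patient=P5003 patient_unit=ICU
2013-01-22T11:30:00Z user=u3310 role=dba unit=IT action=EXPORT patient=P5001 patient_unit=ICU
2013-01-22T11:30:01Z user=u3310 role=dba unit=IT action=EXPORT patient=P5002 patient_unit=ICU
2013-01-22T11:30:02Z user=u3310 role=dba unit=IT action=EXPORT patient=P5003 patient_unit=ICU
2013-01-22T11:30:03Z user=u3310 role=dba unit=IT action=EXPORT patient=P5004 patient_unit=ICU
2013-01-22T11:30:04Z user=u3310 role=dba unit=IT action=EXPORT patient=P5005 patient_unit=ICU
2013-01-22T11:30:05Z user=u3310 role=dba unit=IT action=EXPORT patient=P5006 patient_unit=ICU
2013-01-22T14:00:00Z user=u9999 role=nurse unit=ICU action=VIEW patient=P5004 patient_unit=ICU
"""

# Hypothetical identity directory: each unique user ID (as HIPAA requires) mapped
# to its assigned role and unit. u9999 is deliberately absent, standing in for a
# departed employee whose account was never disabled.
DIRECTORY = {
    "u1042": {"role": "nurse", "unit": "ICU"},
    "u2077": {"role": "billing", "unit": "FIN"},
    "u3310": {"role": "dba", "unit": "IT"},
}

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 counts as normal working hours
BULK_THRESHOLD = 5                 # distinct patients per user per clock hour
CROSS_UNIT_EXEMPT = {"physician"}  # roles expected to see patients in any unit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) patient_unit=(?P<patient_unit>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def review_log(text, directory=DIRECTORY):
    """Apply the review rules and return a list of (rule, user, detail) findings."""
    findings = []
    patients_per_user_hour = defaultdict(set)

    for ev in parse_log(text):
        user, ts = ev["user"], ev["ts"]
        if user not in directory:
            findings.append(("UNKNOWN_USER", user, f"{ts.isoformat()} account not in directory"))
        elif directory[user]["role"] != ev["role"] or directory[user]["unit"] != ev["unit"]:
            findings.append(("ROLE_MISMATCH", user, "logged role/unit differs from directory"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("AFTER_HOURS", user, f"{ts.isoformat()} {ev['action']} {ev['patient']}"))
        if ev["unit"] != ev["patient_unit"] and ev["role"] not in CROSS_UNIT_EXEMPT:
            findings.append(("CROSS_UNIT", user,
                             f"{ev['unit']} user accessed {ev['patient_unit']} patient {ev['patient']}"))
        patients_per_user_hour[(user, ts.replace(minute=0, second=0))].add(ev["patient"])

    for (user, hour), patients in patients_per_user_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("BULK_ACCESS", user,
                             f"{len(patients)} distinct patients in hour starting {hour.isoformat()}"))
    return findings

def rules_by_user(findings):
    """Collapse findings to {user: set of rule names} for the reviewer's summary."""
    out = defaultdict(set)
    for rule, user, _ in findings:
        out[user].add(rule)
    return dict(out)

if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:13} {user:6} {detail}")
```

On the constructed log, the nurse's in-unit activity produces nothing, the billing user is flagged for after-hours and cross-unit access, the database administrator's six exports in one hour trip both the cross-unit and bulk rules, and the unlisted account is reported as unknown. The rules are deliberately simple; the value of such a script is that it turns a log nobody reads into a short list that someone can be required to sign off on.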
Contingency planning gives organizations a way to respond effectively when things go wrong. HIPAA's administrative safeguards require a contingency plan for responding to an emergency or other occurrence, such as fire, vandalism, system failure or natural disaster, that damages systems containing electronic protected health information (164.308(a)(7)). The plan must include a data backup plan, disaster recovery procedures and an emergency mode operation plan; testing and revision procedures and an applications and data criticality analysis are addressable specifications. A well-documented plan covers many possible scenarios and lays out the tasks and procedures to follow if data is lost or stolen or a physical disruption to systems and services occurs. Most importantly, it sets the communication protocol and spells out who makes decisions in a crisis. Security experts say some organizations fail to assess the plan annually and test it to confirm that it works. Drills improve procedures and build a culture of security and privacy within the organization, experts say.
Risk assessments analyze internal threats, such as an employee with more access to critical systems than the job requires, and external threats ranging from physical disruption to threat actors such as cybercriminals out to steal patient or credit card data. HIPAA requires organizations to conduct a risk analysis as part of the security management process (164.308(a)(1)(ii)(A)) and to implement measures that reduce the identified risks to a reasonable and appropriate level (164.308(a)(1)(ii)(B)). Organizations shouldn't treat this as a one-time exercise, security experts say, but should run an ongoing risk management program that identifies and mitigates risks and drives spending decisions. The assessment identifies vulnerabilities and configuration errors that weaken systems, and it analyzes each threat to determine the conditions under which an attack is most likely, its likelihood of occurrence and the potential damage. According to Forrester Research, organizations must first understand which data and systems need protecting, then estimate the likelihood of an attack against them. Controls already in place must be taken into account, as must the cost of mitigating each identified risk. HIPAA requires that the process be documented.
Healthcare organizations should have a formal policy to ensure sensitive data is permanently removed from media before disposal or reuse; HIPAA's physical safeguards require policies for the final disposal of ePHI and the media it is stored on, and for removing ePHI before media are reused (164.310(d)(2)(i) and (ii)). The policy should cover media sanitization and how systems and devices will be recycled, reused and disposed of. Many systems retain data, and they pose a significant risk if an attacker tries to recover it with freely available tools. Deleting files or formatting a hard drive does not guarantee the data cannot be recovered by a determined person, experts say: deletion typically removes only the file system's reference to the data, and the contents stay on disk until they happen to be overwritten. The National Institute of Standards and Technology has published recommendations in Special Publication 800-88, Guidelines for Media Sanitization, which distinguishes clearing, purging and destroying media, matches the method to the media type, and calls for verifying and documenting the result.
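As an added example (not from the article), the Python simulation below shows why deleting or quick-formatting does not remove data, and what an overwrite-and-verify step adds. The toy disk, its directory structure and the patient records are constructed for the illustration; the carving step mimics what a file-recovery tool does when it scans raw sectors for recognizable patterns.

```python
import re

# Toy model of a disk: a fixed-size byte buffer plus a directory that maps file
# names to (offset, length). Both are constructed for this example. The point it
# makes holds for most real file systems: deleting or formatting touches only the
# directory, never the bytes that hold the data.
class ToyDisk:
    def __init__(self, size=64 * 1024):
        self.media = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name, data):
        off = self._next_free
        self.media[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_free += len(data)

    def delete_file(self, name):
        del self.directory[name]           # the data bytes stay on the media

    def quick_format(self):
        self.directory.clear()             # likewise: only metadata is reset
        self._next_free = 0

    def carve(self, pattern):
        """Mimic a recovery tool: scan the raw media for recognisable records."""
        return [m.group().decode() for m in re.finditer(pattern, bytes(self.media))]

    def sanitize(self, fill=0x00):
        """A Clear in NIST SP 800-88 terms: overwrite every addressable byte."""
        self.media[:] = bytes([fill]) * len(self.media)
        self.directory.clear()
        self._next_free = 0

    def verify_sanitized(self, fill=0x00):
        """Read the media back and confirm that only the fill value remains."""
        return all(b == fill for b in self.media)


# Pattern a carving tool might use to spot a medical record (constructed format).
PHI_PATTERN = rb"MRN:\d{6};DOB:\d{4}-\d{2}-\d{2}"

def demo():
    """Walk one disk through delete, format and sanitize; return what a carver finds."""
    disk = ToyDisk()
    # Constructed, fictitious patient records.
    disk.write_file("p1.txt", b"MRN:104233;DOB:1961-04-09;DX:diabetes")
    disk.write_file("p2.txt", b"MRN:558102;DOB:1975-11-30;DX:asthma")

    results = {}
    disk.delete_file("p1.txt")
    results["carved_after_delete"] = len(disk.carve(PHI_PATTERN))    # both still recoverable
    disk.quick_format()
    results["carved_after_format"] = len(disk.carve(PHI_PATTERN))    # still both
    disk.sanitize()
    results["carved_after_sanitize"] = len(disk.carve(PHI_PATTERN))  # nothing left
    results["verified"] = disk.verify_sanitized()
    return results

if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:22} {value}")
```

On real hardware, use the method SP 800-88 matches to the media type. A single overwrite is a Clear for magnetic disks, but wear leveling on SSDs can leave copies of data in blocks an overwrite never reaches, so flash media needs the drive's built-in sanitize or secure-erase command, cryptographic erase (added in SP 800-88 Revision 1), or physical destruction. Whatever the method, keep the verification result together with the device serial number as the disposal record.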
Access to protected health information must be restricted, and HIPAA requires policies and technical controls that grant access to ePHI based on the user's or recipient's role (the information access management standard at 164.308(a)(4) and the access control standard at 164.312(a)(1)). Employees need security awareness training to understand the policies and procedures for accessing the data. HIPAA also requires periodic technical and nontechnical evaluations of how well the security controls and policies in place are working (164.308(a)(8)). Organizations must assign each user a unique name or number for identifying and tracking identity (164.312(a)(2)(i)), so that every action in the logs can be attributed to one person, and must establish procedures for obtaining necessary ePHI during an emergency (164.312(a)(2)(ii)). Mechanisms must verify the identity of anyone seeking access to systems (person or entity authentication, 164.312(d)), and once a user is authenticated, permissions must be limited to the sensitive resources the role actually needs.
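As an added example (not code from the article or from any product), the Python below sketches the controls in this section working together: unique user IDs, role-based permissions scoped to the user's unit, an emergency access (break-glass) path that requires a stated reason and lands on the privacy officer's review list, and an audit record for every decision. The roles, permissions and user IDs are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role-to-permission matrix, constructed for this example.
ROLE_PERMISSIONS = {
    "nurse":     {"chart:read", "vitals:write"},
    "physician": {"chart:read", "chart:write", "orders:write"},
    "billing":   {"claims:read", "claims:write"},
    "it_admin":  {"system:configure"},      # no standing access to clinical data
}
CLINICAL_ROLES = {"nurse", "physician"}     # the only roles that may invoke emergency access
CROSS_UNIT_ROLES = {"physician"}            # roles that may act on any unit's patients

@dataclass(frozen=True)
class User:
    user_id: str   # unique per person and never shared, so each log entry is attributable
    role: str
    unit: str

class AccessControl:
    """Role-based authorization with a logged break-glass path."""

    def __init__(self):
        self.audit = []   # append-only decision log, reviewed periodically

    def authorize(self, user, permission, patient_unit, break_glass=False, reason="", now=None):
        now = now or datetime.now(timezone.utc)
        role_perms = ROLE_PERMISSIONS.get(user.role, set())
        in_scope = user.unit == patient_unit or user.role in CROSS_UNIT_ROLES

        if permission in role_perms and in_scope:
            decision = "ALLOW"
        elif (break_glass and user.role in CLINICAL_ROLES
              and permission == "chart:read" and reason.strip()):
            # Emergency access procedure: clinical staff may read a chart outside
            # their normal scope, but only read, only with a stated reason, and the
            # entry is flagged for after-the-fact review.
            decision = "ALLOW_EMERGENCY"
        else:
            decision = "DENY"

        self.audit.append({
            "ts": now.isoformat(), "user_id": user.user_id, "role": user.role,
            "permission": permission, "patient_unit": patient_unit,
            "break_glass": break_glass, "reason": reason, "decision": decision,
        })
        return decision

    def pending_reviews(self):
        """Entries the privacy officer must look at: every emergency access and every denial."""
        return [e for e in self.audit if e["decision"] != "ALLOW"]


def demo():
    """Run a set of constructed requests and return the decisions plus the audit object."""
    ac = AccessControl()
    nurse = User("u1042", "nurse", "ICU")
    dba = User("u3310", "it_admin", "IT")
    biller = User("u2077", "billing", "FIN")
    results = {
        "nurse_own_unit": ac.authorize(nurse, "chart:read", "ICU"),
        "nurse_other_unit": ac.authorize(nurse, "chart:read", "ER"),
        "nurse_break_glass": ac.authorize(nurse, "chart:read", "ER",
                                          break_glass=True, reason="code blue, covering ER"),
        "nurse_break_glass_no_reason": ac.authorize(nurse, "chart:read", "ER", break_glass=True),
        "nurse_break_glass_write": ac.authorize(nurse, "chart:write", "ER",
                                                break_glass=True, reason="covering ER"),
        "admin_break_glass": ac.authorize(dba, "chart:read", "ICU",
                                          break_glass=True, reason="debugging"),
        "billing_chart": ac.authorize(biller, "chart:read", "FIN"),
    }
    return results, ac

if __name__ == "__main__":
    results, ac = demo()
    for name, decision in results.items():
        print(f"{name:28} {decision}")
    print(f"{len(ac.pending_reviews())} entries awaiting review")
```

Two design choices are worth noting. The break-glass path is narrower than normal access (read only, clinical roles only, reason mandatory) rather than a blanket override, so the emergency procedure cannot become a quiet way around role limits; and because the audit entry carries the unique user ID, the review step in the first section of this article has something to attribute the access to.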