HIPAA Enforcer's Latest Actions: An Analysis
Sizing Up OCR's Steps in Recent Weeks to Call Attention to Protecting PHI
The federal agency that enforces HIPAA has been very busy lately, taking numerous steps to reiterate the importance of safeguarding patient data from cyberattacks and other privacy breaches and stressing the need to prepare a breach response plan.
In recent days, the Department of Health and Human Services' Office for Civil Rights, headed by Jocelyn Samuels, has announced that phase two of its long-delayed HIPAA compliance audits is underway, has issued a $2.7 million financial penalty as part of a resolution agreement with a covered entity for two smaller breaches, and has issued guidance confirming that most ransomware attacks involving protected health information must be reported to federal regulators as breaches under HIPAA.
And in its latest monthly cyber awareness alert, OCR stresses that healthcare entities and their business associates need to make security incident response plans a top priority in the face of "the constant upsurge of security breaches that involve cyberattacks."
Beefing Up Incident Response
In the alert, "Is Your Covered Entity or Business Associate Capable of Responding to a Cybersecurity Incident?", OCR notes some disturbing statistics. It cites a recent survey that found that 43 percent of the respondents lack formal incident response plans and procedures, and 53 percent lack formal incident response teams. Some 61 percent of the respondents said they have experienced a data breach in the past two years that included unauthorized access, denial of service, or malware infection, OCR notes.
"Cybersecurity-related attacks have continued to rise and become more destructive and disruptive," OCR warns. "Although effective incident response planning can be a complex task, it should be one of covered entities' and business associates' priorities."
In its latest cyber awareness alert, OCR lists several steps that covered entities and business associates can take to improve incident response, including:
- Developing incident response policies, plans and procedures, including processes for detecting and analyzing incidents; containing, eradicating and recovering from incidents; and conducting post-incident activities and reviews;
- Creating plans for communicating with internal and external parties regarding incidents, including the IT department, public affairs office, legal department, management as well as law enforcement, news media, external incident response teams and government agencies, including OCR;
- Staffing incident response teams with individuals who have the appropriate skills, including network administration, programming, technical support, intrusion detection, forensic analysis and communications.
OCR also notes that "incident response policies and plans should be approved by management and reviewed on an annual basis."
While the latest OCR alert is directed to both covered entities and business associates, some experts say vendors that serve healthcare organizations present a particularly troubling weak spot, not only in preventing and responding to cyber incidents, but also in identifying and reporting any kind of breach involving PHI.
"Historically, I've seen BAs that have experienced breaches that they didn't even realize were breaches, and so those went unreported despite recommendations for them to report them," says privacy and security expert Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services.
"The HITECH Act and the Omnibus Rule's expansion of HIPAA to fully encompass BAs, and their subcontractors, helped to raise their awareness," she adds. "But they still have a long way to go. Additionally, I'm seeing more CEs outsource a wider variety of activities involving PHI than ever before. Considering all this, I believe BAs, including their subcontractors, are a bigger threat to CEs than ever before."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, offers a similar perspective. "Healthcare organizations are increasingly outsourcing to contractors and vendors activities that require the creation or maintaining large amounts of protected health information in all forms," he tells me.
"When you look at how organizations rely on offsite storage facilities for paper files, cloud computing and data storage providers or virtual medical transcriptionists, it is crucial that organizations look at how their vendors have implemented programs to put into place reasonable and appropriate safeguards for protected health information. Healthcare organizations and contractors and vendors that handle protected health information must step up their game."
One essential step is performing an enterprisewide risk assessment to identify information systems where PHI is vulnerable to unauthorized disclosure, Holtzman stresses.
As a result of its breach investigations and pilot HIPAA audits in 2011 and 2012, OCR has repeatedly stressed that the lack of a thorough risk analysis is a major problem.
More Transparency Needed
It's good to see OCR taking action to hammer home important security issues with its guidance as well as enforcement action. But another important step OCR needs to take is to improve transparency when it comes to sharing details of breaches involving business associates.
Currently, in entries added to OCR's "wall of shame" website listing major breaches, it's not always clear whether a business associate was involved. That's apparently due to the format of how information is reported to OCR. The agency needs to take steps to make sure its tally accurately reflects every instance when a major breach involved a BA (see Bizmatics Cyberattack: Assessing The Fallout).
"It would be quite valuable and useful to show if breaches originated within BAs, or the BAs' subcontractors, or within CEs," Herold stresses. This would help OCR to better track security issues at BAs and recommend appropriate mitigation steps, she says.