Rebecca Herold: Use the Right Encryption
In an interview, Herold:
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Rebecca Herold, owner of Rebecca Herold & Associates, who is known as the privacy professor. Rebecca specializes in information privacy, security and compliance. She has over two decades of experience not only as a practitioner who built an award-winning information security and privacy program in the 1990s, but also advising organizations in a variety of industries, including healthcare.
Thanks so much for talking with us today, Rebecca.
REBECCA HEROLD: Well, thank you very much, Howard. I am glad to be here with you today.
ANDERSON: Based on your diverse experience, what is the most important security lesson that healthcare organizations could learn from those in other industries?
HEROLD: Probably that it is much less expensive to implement safeguards than it is to pay for the expenses of incidents and privacy breaches after the fact. (These expenses include) not only the cost of the breaches and incidents themselves, but also the accompanying regulatory fines and the probability of 20 years of required ongoing external audits. Plus, the likely civil action suits.
Properly protecting information from the very start is not only a legal requirement; it is a wise business decision from an economic point of view. And also, another important lesson is that it is vital that the information security and privacy activities and policies and procedures are documented. During all of those security and privacy program reviews I conducted, I found that there were probably around 35 to 40 percent of the organizations that indicated to me that they had policies and procedures in place who...didn't have anything actually documented. And I commonly heard from them that it was an "unwritten policy" or "we have always done it that way so we consider it a policy" or something similar to that.
You cannot demonstrate you have policies unless they are documented. You risk noncompliance with many laws by not having formally documented policies and procedures. If you have a regulatory auditor knock on your door to do a HIPAA or HITECH Act audit, I can guarantee that they will be asking to see your documented policies and procedures. Considering the Department of Health and Human Services is ramping up their numbers of privacy auditors, HIPAA and HITECH audits become more likely all the time.
Oh, and one more thing I would say is another very important lesson is to definitely make sure that your business associates are in compliance with HIPAA and HITECH requirements. Responsibility follows information, so if you give PHI, protected health information, to a business associate, you still have responsibility for ensuring the associate has strong security in place for it. And not only does that responsibility follow it, it is also a requirement now under HITECH, which expanded the requirements that business associates have to follow.
ANDERSON: Because the HITECH Act says that healthcare organizations don't have to report breaches if the data is properly encrypted, there is a lot of attention now on encryption. Several recently reported breaches involved data that was not encrypted....How widely should healthcare organizations apply encryption? Should it apply to data at rest in databases, as well as information on laptops or in e-mails?
HEROLD: Breaches do not need to be reported unless the encryption is using the minimum encryption standards as approved by NIST. NIST has a site that lists these standards, and also another web page listing some of the encryption solutions that they know meet those standards.
There are a lot of encryption solutions out there that do not meet the NIST standards. And not only that, but I have worked with a lot of organizations that had their IT department write a program to just scramble the data and they called that encryption. It is important for organizations to know and understand that these types of so-called encryption solutions would not pass as being a safe harbor under HITECH.
Anywhere protected health information is stored, transmitted or accessed is a potential breach location. There are growing numbers of incidents involving lost and stolen laptops and other types of portable computers, as well as electronic storage devices. These are considered high-risk devices, and most risk analyses would show that encryption is the most appropriate type of protection to apply to protected health information within these types of mobile devices.
There have also been a very large number of privacy breaches involving e-mail. So wise healthcare organizations will encrypt, according to at least the minimum NIST encryption standards, all protected health information that is on mobile computers and mobile storage devices, as well as protected health information that is transmitted through or using e-mail messages.
The decision to encrypt databases will depend upon how secure that database is and where it is located. The results of the risk analysis should point to whether or not encryption is necessary for databases. So there is not really as easy of an answer for the databases because it depends upon how the database is implemented.
ANDERSON: Besides encryption, what other steps should healthcare organizations take to help prepare for complying with the HITECH breach notification rule?
HEROLD: Well, establishing and documenting responsibility for the breach notice activities and the associated policies and procedures is definitely an important first step that organizations should take with the backing and support and sponsorship of their executives. So make someone responsible for it.
And then, along with this, if they haven't already, make sure that they establish a comprehensive set of not only information security and privacy policies, but also the supporting procedures and the associated forms to use for documentation for those different activities.
But specific to the new HITECH requirements, data breach response and notification involves more than just writing down something like "call Stan in IT" in case a breach occurs. I have actually seen, when I have done my program reviews, so-called breach response plans that were really no more than just saying call someone. That is not going to pass the test with regard to what is an acceptable breach response plan.
Planning and documentation must be clear, and it should adequately cover all of the requirements to make breach response as efficient and effective and timely as possible....Training and awareness is very important too. Training and awareness is so critical, but often it is not done within healthcare organizations, or if it is done, it is not done well.
ANDERSON: In one recent survey of hospitals, about 55 percent said that they conduct a risk analysis on an annual basis or some of them every six months. Should all hospitals be conducting such an analysis at least annually, and do you have any tips on how to conduct such an analysis?
HEROLD: Well, yes, all healthcare covered entities, and now business associates, must perform risk analysis to identify the threats, vulnerabilities and resulting risks to protected health information. And then, they must apply safeguards to appropriately mitigate or reduce those risks to an acceptable level.
Now, directions for HIPAA security rule compliance under HITECH are provided within the National Institute of Standards and Technology, or NIST, document called the "Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule." That is SP800-66. That document points to a risk assessment methodology based on NIST SP800-30 for evaluating risks.
Under HIPAA, a covered entity, and now under HITECH, business associates as well, must periodically review and update the security measures and documentation that are in place in response to environmental and operational changes that affect the security of protected health information. The covered entities and business associates must establish the frequency of those risk evaluations, and they need to take into account the sensitivity of the PHI, or protected health information, that is controlled by the organization and that includes its size and complexity and the environmental and operational changes.
In addition to periodic re-evaluations and risk analysis, they need to do risk assessments whenever major environmental and operational changes are made to the organization that would affect the security of the protected health information.
Covered entities and business associates can follow the guidance from that NIST document SP800-30. I know many healthcare organizations, especially those that are medium or small in size, do not have staff dedicated to information security and privacy, or their staff does not have the background or experience to follow that NIST guide. So in such a situation it makes sense to get help from an outside consultant, or to use an automated risk assessment tool.
I know one I saw from ACR2 Solutions was especially designed to do risk assessments according to NIST SP800-30 methodology.
Now let's talk about frequency. It would be good to do risk analysis at least once a year, or as often as the organizations' changes would indicate that such risk analysis has to be done....HITECH, however, does not include or indicate any specific frequencies; they just indicate that they must be done based upon changes within the organization.
ANDERSON: The attorney general of Connecticut recently filed a civil suit against an insurer for security violations. So now that state attorneys general have this power under the HITECH Act, and the Office of Civil Rights within HHS has enforcement power, and penalties are tougher, do you think more organizations will ramp up their security efforts?
HEROLD: Well, this new power will be exercised sooner rather than later by more than one state attorney general.
The recent HITECH lawsuit filed by the Connecticut attorney general really makes it apparent to all entities within the healthcare industry that they need to ensure that they are HIPAA and HITECH compliant. Not only the large organizations, but the small and medium-sized healthcare providers, including very small clinics and neighborhood pharmacies, plus all the other business associates that they do business with and that they share their protected health information with.
In the 200 or so business associate reviews I have done, a large portion of the organizations were very small organizations doing work for a very large covered entity. In fact, one business associate only had five employees, but they were handling and managing the records of literally millions of individuals. So a breach of this small five-person organization would be just as damaging to all of those individuals as it would be if the covered entity itself were breached. The Office of Civil Rights has been hiring new privacy auditors in the past month, providing a really clear indication that they plan to do more compliance enforcement activities. So covered entities and business associates of all sizes really need to be sure that they are in compliance with HIPAA and HITECH and that they have effective safeguards in place.
ANDERSON: Finally, do you have any other advice for hospitals and other healthcare organizations on data security priorities for the year ahead?
HEROLD: Well, first, hospitals and covered entities and business associates of all kinds need to formally document and assign responsibility for information security and privacy and then communicate that responsibility throughout their entire organization so that everyone knows that the executive management is in support of it and is encouraging everyone to make sure that they are doing the right thing.
Next, you need to make sure that you document the policies and the supporting procedures...to truly demonstrate due diligence and show that you really are trying to follow up on not just all of the requirements of HIPAA and HITECH, but also that you are doing everything you can to protect the patient information.
I was really happy to have an opportunity to create content for a system called Compliance Helper that makes managing all of these policies and procedures and the supporting forms easier and also helps with documenting all of the tasks that show what you are doing and what needs to be done on an ongoing basis....When you are managing compliance, it is good to have an automated way to keep track of everything that you need to do because there is so much involved with HIPAA and HITECH compliance that it is really easy to let something important go through the cracks. So I really believe that Compliance Helper is one of the most useful tools I have seen in a long time, especially for small and medium-sized businesses, for making sure that you have those policies and procedures that are key to HIPAA and HITECH compliance. And plus, it also makes it easy to monitor where the organization is at with compliance at any point in time. And if anyone wants to get more information about that you can see more at www.compliancehelper.com.
And then, I guess another piece of advice is, for goodness' sake, covered entities and your business associates need regular training and ongoing awareness. I mean, how can you expect the folks in an organization to know how to protect information if they have not been told how to protect information? And not only is it important for that reason, but it is also a requirement under HIPAA and HITECH to provide training and ongoing awareness.
If anyone is interested in finding out more about how to do that effectively, I have a lot of information about that out on my site, www.privacyguidance.com.
ANDERSON: Thank you very much. We have been talking today with consultant Rebecca Herold. This is Howard Anderson of Information Security Media Group.