Over the course of 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached resolution agreements with a number of covered entities and business associates for violations of the Health Insurance Portability and Accountability Act (HIPAA).

These HIPAA settlements are mutually agreed-upon resolutions between HHS and the offending entities. A settlement may require these parties to implement additional parameters to better secure personal health information (PHI). It may also include a civil money penalty and subject an offending entity to HHS monitoring for up to three years.

HIPAA settlements are not always achieved, however. If the HHS cannot reach an appropriate agreement with an offender, it may impose civil money penalties (CMPs) for noncompliance.

Learning From HIPAA Settlements

Each settlement listed on the HHS website includes a resolution and corrective action plan (CAP). These action plans demonstrate ways in which other organizations might tighten their infrastructures, processes and procedures related to health records and other patient information.

Risk Analysis

Many CAPs call on offending entities to incorporate comprehensive risk analysis into processes related to PHI. This would require a party in violation to:

  • Develop a complete inventory of all its facilities, electronic equipment, data systems and applications that contain or store PHI and conduct a thorough risk analysis.
  • Evaluate the risk to all equipment, data systems and applications. The evaluation should extend to any portion of the entity’s infrastructure that deals with PHI.
  • Provide documentation related to current security measures and the level of risk to PHI within network segmentation, network infrastructure, vulnerability scanning, logging and patch management.

In truth, the processes described above should be standard operating procedure for any organization that handles PHI.

Policies and Procedures

CAPs also commonly require offending parties to review policies and procedures related to the security of PHI. This may force them to:

Training is often viewed as a loss to production and placed on the back burner. But it’s more pragmatic to view training as a valuable investment.

Encryption

The bottom line is that PHI must be protected. Knowing the state of PHI when at rest and in transit is the key to determining the level of risk at a given time. Many CAPs require organizations to report details on their use of encryption. This report needs to include:

  • The number of devices used to access, store, download or transmit PHI;
  • The number of devices that are encrypted;
  • Evidence of such encryption; and
  • Details related to any devices that lack encryption.

The clear message to all entities is that if your data is at rest, it needs to be encrypted, unless there is a clear and well-documented need for it to remain unencrypted.
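The inventory called for under Risk Analysis and the four-item encryption report above can be produced from one asset list. The following is an added example, not code from the article or from HHS; the device record schema, the sample inventory and the evidence strings are all constructed for illustration. Beyond the raw counts, it flags the two conditions a reviewer would question: a device claimed as encrypted with no evidence attached, and an unencrypted PHI device with no documented exception.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """One entry from a PHI asset inventory (constructed schema, assumed for this example)."""
    device_id: str
    kind: str                    # laptop, server, mobile, kiosk, ...
    holds_phi: bool              # does this device access, store, download or transmit PHI?
    encrypted: bool              # is data at rest encrypted?
    evidence: str = ""           # pointer to proof, e.g. an MDM or disk-encryption compliance export
    exception_reason: str = ""   # documented justification if the device is left unencrypted


def encryption_report(inventory):
    """Build the four items a CAP encryption report asks for, plus consistency findings."""
    phi_devices = [d for d in inventory if d.holds_phi]        # out-of-scope devices are dropped
    encrypted = [d for d in phi_devices if d.encrypted]
    findings = []
    for d in phi_devices:
        if d.encrypted and not d.evidence.strip():
            findings.append(f"{d.device_id}: encryption claimed but no evidence attached")
        if not d.encrypted and not d.exception_reason.strip():
            findings.append(f"{d.device_id}: unencrypted PHI device with no documented exception")
    return {
        "phi_device_count": len(phi_devices),
        "encrypted_count": len(encrypted),
        "evidence": {d.device_id: d.evidence for d in encrypted if d.evidence.strip()},
        "unencrypted": [
            {"device_id": d.device_id, "kind": d.kind, "exception": d.exception_reason or None}
            for d in phi_devices if not d.encrypted
        ],
        "findings": findings,
    }


# Constructed sample inventory; the IDs and evidence text are made up for illustration.
SAMPLE_INVENTORY = [
    Device("LT-001", "laptop", True, True, "MDM export 2024-01-15: full-disk encryption on"),
    Device("LT-002", "laptop", True, True),                      # claimed encrypted, no proof
    Device("SRV-01", "server", True, False,
           exception_reason="Legacy imaging host; isolated VLAN, encryption migration scheduled"),
    Device("SRV-02", "server", True, False),                     # unencrypted, no justification
    Device("KIOSK-1", "kiosk", False, False),                    # holds no PHI, out of scope
]

if __name__ == "__main__":
    import json
    print(json.dumps(encryption_report(SAMPLE_INVENTORY), indent=2))
```

The `findings` list is the part worth reading first: those entries are what an auditor will ask about, and each one should be resolved by attaching evidence or by writing and approving an exception.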

Access Controls

Unauthorized access to PHI is an ongoing issue. Countless news headlines have documented instances in which files went missing, uncredentialed personnel accessed critical materials, third-party vendors gained inappropriate access and more. The HHS stresses the need to know who is accessing PHI, whether they are required to have access and, in the case of third-party entities, whether the business associate agreements spell out the security and privacy requirements for protecting data.

Security Awareness Training

Many CAPs require entities to provide security awareness training to workforce personnel who handle PHI. Training materials must be approved by the HHS. If the materials fail to meet the HHS standards, the organization must adjust and resubmit them for approval. This cycle continues until the training is deemed appropriate and sufficient.

Avoiding HIPAA Settlements

The best course of action is to hire a dedicated employee to be held accountable for the security of PHI. This individual can manage the comprehensive risk assessment and necessary actions stemming from regulations.

Furthermore, it’s critical to discourage employees from taking shortcuts or stepping outside of established processes and procedures. They should be thoroughly trained on how to transmit and handle PHI securely and in compliance with HIPAA.

As we like to say in the security industry, you should always treat sensitive information such as PHI as if it was cash — your cash.
