The recent discovery of new hacking threats to medical devices and systems is a reminder that you should go beyond the four walls of your offices when you perform your security risk analysis under HIPAA.
A new order of threats to your data is brewing in cyberspace. The health care IT “threatscape” gets more active each year. Health care organizations have been spooked by major hacks such as the Heartbleed virus, and this year a home health agency was snared by a ransomware attack (PBN 5/4/15, 5/5/14). But hacks to insurers such as Anthem and Premera Blue Cross have made 2015 into what The Washington Post calls “the year of the health-care hack.”
“It’s interesting what people predicted a couple years ago is actually happening,” says David Kibbe, president and CEO of DirectTrust, a network of health information service providers in Washington, D.C., and senior advisor to the American Academy of Family Physicians’ Alliance for eHealth Innovation. “In years past, we had a spate of well-covered hacks at Target and places like that, and people said, ‘where are the health care hacks?’ Some of us said they will come because the larger industries will harden their systems, and the hackers will look for something that isn’t hardened. And we saw with Anthem and Premera Blue Cross and others that we were right. I think there will be a lot more.”
How to stay updated about threats
If you’re not sure what the latest threats are, educate yourself. “You can’t protect yourself against threats you don’t know about,” says Asaf Cidon, co-founder and chief technology officer of Sookasa in San Mateo, Calif. Some security officers may think paying attention to what’s inside the four walls of the office covers the job, but in an increasingly interconnected world, that’s not the case.
“Monitoring the outside environment would be a part of conducting an annual risk analysis in addition to general good practice to be aware of changes,” says Matthew R. Fisher, an associate with the Mirick O’Connell law firm in Worcester, Mass. “An organization cannot afford to be unaware of the changing nature of threats.”
• Use Google alerts or some similar technology to stay current. “From my perspective, if you’re a security professional and you aren’t subscribed to Google alerts and tracking IT security media on a constant, almost neurotic, basis, then you’re frankly negligent,” says Jeff Mongelli, CEO of Acentec Inc. in Irvine, Calif.
• Make sure your compliance officer follows key Twitter feeds. Advise your compliance officer to follow the Twitter accounts of the equipment vendors they use and other Internet security vendors, says Hoala Greevy, founder and CEO of Paubox in San Francisco. He recommends WhiteHat Security (@whitehatsec), Security Affairs (@securityaffairs) and Eric Vanderburg (@evanderburg) for starters.
• Check the white papers at the National Institute of Standards and Technology (NIST). “It arms you with information when you deal with vendors” because the vendors read those papers, says Lee Barrett, executive director of the credentialing organization Electronic Healthcare Network Accreditation Commission (EHNAC). That’s in addition to the regulatory agency reading you should already be doing — the latest news and reports from the Office for Civil Rights, the Workgroup for Electronic Data Interchange (WEDI) and CMS, for example.
Get tough with vendors
Remember that you’re in the driver’s seat when you hire a technology vendor; don’t give them the opportunity to shirk on security. “Medical groups have been penalized by CMS because of HIPAA violations caused by unqualified IT providers,” says Joyce Tang, president and chief customer happiness officer of AgilisIT in San Diego.
“You don’t want to rely on a vendor to tell you what you should be looking for because a vendor will always say they’re compliant,” Barrett says. EHNAC and WEDI created an accreditation program to vet project management software vendors at the request of the Medical Group Management Association (MGMA) and others called the Practice Management System Accreditation Program (PMSAP). “We’re getting the message out so providers can say to their vendors: You need to go through this accreditation or you don’t make our shortlist,” says Barrett.
Research vendors you consider doing business with, then put them to the test, says Rebecca E. Gwilt of the Nixon Law Group in Vienna, Va. “You should ask them directly about their privacy and security policies and protocols and request to review their incident logs,” she says. “If they are unwilling to share this information with you or you determine their security posture is not sufficient, move on. There are plenty of vendors out there to choose from.”
Be tough on contracts too. In addition to the HIPAA-required breach notification, require that vendors inform you of any actual or suspected security incidents. “If the covered entity would like more detailed reporting than required by HIPAA or if the covered entity would like notification by the business associate for any unauthorized use or disclosure, even if it doesn’t result in a breach, then that expectation should be defined in the business associate agreement,” says Gwilt.
2 more tips to protect your practice:
• Recognize changes in your vulnerability. As technology evolves, so does your vulnerability. Any time a new piece of technology enters your workflow — whether it’s installed by your practice or owned and used by your clinical staff, such as mobile devices — find out what the risks are and take steps to meet them. For example, “companies should understand that PHI and corporate data is never safe by default on mobile devices — and that vulnerability is one of the top causes of data breaches,” says Cidon. Also, if you use cloud services, you should use cloud software that encrypts PHI at the file level.
• Disseminate information about threats to your organization. “If you have a HIPAA committee, that’s a good place to be talking about these issues,” says Fisher. “A committee can be a central repository of knowledge about changes and awareness of threats, including big things as they come out. Another good avenue is to include changes in the annual HIPAA training.”
This article was originally written by Roy Edroso and published in Part B News on October 19, 2015. Part B News is a publication of DecisionHealth®, which has served as the industry’s leading source for health care provider news, analysis and instructional guidance.