- Health records are to be secured, exchanged and portable, while credit card numbers are to be secured.
- Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
- Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
- HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
- Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
- A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.
Steven Marco is the founder & CEO of Modern Compliance Solutions & HIPAA One® in Lindon, UT.
This is one of the questions that comes to mind when reading recent breaches in businesses that are PCI-compliant and HIPAA covered entities. According to a recent Identity Theft Resource Center data breach report for 2013, there were approximately 47,260,237 breaches for the business category and 4,659,965 breaches for the medical/healthcare category. Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.
1. Health records are to be secured, exchanged and portable while credit card numbers are to be secured.
Health care covered entities (CE) and their business associates (BA) handle personal/protected health information (PHI) as part of an initiative to have a portable, secured and available electronic health record (EHR). PHI must be protected from unauthorized disclosure, yet be available on demand by the individual and shared (in some cases with and without the individual’s authorization such as treatment, payment and healthcare operations) appropriately but also restricted upon the individual’s request.
If hospitals and clinics adopt electronic PHI and shred their paper records, vast amounts of uniquely identifiable health records accumulate. According to the HIPAA One® security risk analysis database, even small clinics can acquire more than 10,000 patient records within 3 years.
The focus of the electronic health record revolution has traditionally been changing healthcare workflows using computers instead of paper charts. Now, information is freely exchanged between clinics, health plans, clearinghouses and health exchanges. Security has not been a focus. The top threat facing healthcare is loss and theft of ePHI, which is the No. 1 cause of breaches over 500 (according to the OCR’s current breach data reports as of July 2014).
Much like the example above referencing the number of patient records, aggregated data stemming from PHI can be used for valuable research improving health and raising ePHI security awareness.
If business and commerce (the exchange of goods and services for monetary remuneration) had adopted technology earlier, it would have more personal identifiable information (PII). The use of credit cards is globally adopted as a quick way to receive money electronically. As more merchants (businesses that accept credit cards) adopt e-commerce websites and connect their payment-processing systems (i.e. processors) to the Internet with growing consumer comfort with online purchasing, fraudsters are capitalizing on poorly protected systems to steal payment data, making payment card fraud more prevalent than ever before.
Unlike aggregated, de-identified PHI data, the approach to secure credit card numbers is to limit storage of credit card elements and make this information unavailable except in the event of a payment transaction.
Source: Payment Card Industry (PCI) Data Security Standard, November 2013
2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
Covered entities (i.e. hospitals, clinics, doctors, health plans and healthcare clearinghouses that use ePHI) and business associates (i.e. vendors providing services to covered entities that access [even incidentally], store, modify or transmit ePHI) are, as of September 13, 2013, under the enforcement jurisdiction of Health and Human Services.
In summary, any organization that receives reimbursements from Centers for Medicaid and Medicare Services is a covered entity. And any vendor that provides services to covered entities is a business associate. Accountants, legal counsel and consultants are examples of groups that may encounter PHI while working with covered entities and fall into the business associate category.
To help define who is covered under HIPAA, guidance from CMS provides charts to help define most scenarios and to determine qualification, per the below image:
Source: CMS Covered Entity Charts
Fines under HIPAA typically come in two forms: the Office of Civil Rights (OCR — the enforcement division of CMS) fines through self-reported breaches or through HIPAA violations found as a result of a patient complaint registered on the HHS website. The OCR, under the HITECH Act, may use proceeds from fines (called Civil Money Penalties – or CMPs) to fund further enforcement. OCR fines and settlements start at $50,000 and can easily exceed $1.5 million per investigation where willful neglect to comply with HIPAA is determined. Some forgiveness in terms of reduced fines is allocated for actions taken during the OCR audit, and all settlements are public domain according to the Freedom of Information Act.
Organizations that process credit cards, even a single transaction per year, must become compliant with the PCI Data Security Standard. Covered entities that process credit cards also become merchants under Payment Card Industry and must comply with the Data Security Standard, or PCI DSS.
Merchants are required to, at a minimum, provide an annual attestation of PCI compliance statement through their processor. Failure to pass all the requirements will result in monthly fines that are proportional to the volume of credit card transactions processed annually. They start at about $50 per month for small companies, and we have seen non-compliance fines upwards of $3,000 per month for larger covered entities providing healthcare services.
PCI enforcement audits are typically triggered by self-reported breaches. Fines stemming from breach investigations are not typically applied to merchants but are applied for other non-compliance factors. See the PCI Standard website for a more detailed guide.
3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
The PCI Security Standards Council has released an updated standard, called v. 3.0, to the PCI DSS requirements, which emphasizes the need for in-house vulnerability assessments, adds flexibility to password requirements and highlights the growing importance of provider compliance, as well as many other notable changes.
PCI was pioneered in the late 1990s, as Visa became the first credit card company to develop security standards for merchants conducting online transactions. The need stemmed from vast amounts of credit card fraud, which would need to be paid for by the credit card companies.
According to SearchSecurity, Visa and MasterCard reported credit card fraud losses totaling $750 million between 1988 and 1998.
Per the PCI website, “The major credit card issuers created PCI (Payment Card Industry) compliance standards to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This set of requirements is called the Payment Card Industry Data Security Standard (PCI DSS). All merchants (any entity that accepts payment cards from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services) must comply with these standards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
The Payment Card Industry Security Standards Council (PCI SSC) manages the PCI security standards.”
HIPAA was formed for the following reasons:
- Growing numbers of uninsured
- Lack of rights for patients to obtain, review, amend and correct (if needed) their own health information (imagine mistakenly having an STD in your medical history entered by someone’s mistake)
- Rise of the Internet threatened privacy and confidentiality
- Medical information could be used against individuals for non-medical reasons
- Healthcare dollars lost to fraud and waste
- Genetic information becoming available
- Different standards for medical record formats and PHI
It is also important to note that HIPAA has evolved and developed in many waves over the past 18 years to address the above concerns and is still very much a work in progress.
In terms of our ePHI data, there are 18+ elements that identify an individual which can be stored, shared and must be secured. Per 45 CFR 164.514 of the HIPAA Privacy Rule, they are:
(i) The following identifiers of the individual or of relatives, employers, or household members of the individual:
(A) Names;
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section
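As an added illustration (not part of the original article or of any HIPAA One® tooling), the ZIP code and date rules in (B) and (C) can be applied to a record as below, with every field not on an allow-list dropped so that unrecognized identifiers are removed by default. The field names, the sample record and the low-population ZIP prefix set are constructed assumptions; the real prefix set must come from current Bureau of the Census data.

```python
from datetime import date

# ASSUMPTION: constructed placeholder prefixes, NOT Census data. Load the
# 3-digit ZIP prefixes covering 20,000 or fewer people from the Census Bureau.
LOW_POPULATION_ZIP3 = frozenset({"998", "999"})

# Hypothetical non-identifying fields that may pass through unchanged.
# Anything else (names, SSNs, MRNs, unknown fields) is dropped: identifier (R)
# is open-ended, so an allow-list fails closed where a deny-list would not.
KEEP_FIELDS = ("sex", "diagnosis")
DATE_FIELDS = ("admission_date", "discharge_date")


def generalize_zip(zip_code, low_population=LOW_POPULATION_ZIP3):
    """Rule (B): keep the first three digits, or 000 for sparse areas."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) not in (5, 9):        # malformed ZIP or ZIP+4: fail closed
        return "000"
    prefix = digits[:3]
    return "000" if prefix in low_population else prefix


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, as_of, low_population=LOW_POPULATION_ZIP3):
    """Return a copy of record with rules (B) and (C) applied."""
    out = {k: record[k] for k in KEEP_FIELDS if k in record}
    out["zip3"] = generalize_zip(record.get("zip", ""), low_population)
    age = age_on(record["birth_date"], as_of)
    if age > 89:
        # Rule (C): ages over 89 collapse into one category, and the birth
        # year is withheld because it would reveal that age.
        out["age"], out["birth_year"] = "90+", None
    else:
        out["age"], out["birth_year"] = str(age), record["birth_date"].year
    for field in DATE_FIELDS:            # rule (C): keep the year only
        if field in record:
            out[field.replace("_date", "_year")] = record[field].year
    return out


# Constructed sample record; no real patient data.
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "zip": "84042-1234", "birth_date": date(1920, 3, 10),
    "admission_date": date(2014, 7, 3), "sex": "F", "diagnosis": "J45.909",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2014, 7, 15)))
```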
4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
We don’t want to jump in too deep in this area, as compliance and security are subjective topics that need to stay relevant to the size and complexity of each organization.
For compliance, follow the Office for Civil Rights (OCR), which is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). For security, follow the National Institute of Standards and Technology (NIST) Special Publications. The methodology the OCR suggests in its guidance materials is NIST SP800-30.
Checklists that have workflows attached to each item are available in the form of spreadsheets, the OCR’s “SRAT” tool and, for more advanced collaboration, web-based solutions.
Based on our observations of the OCR, we have found, in summary, they look for the following in their audits:
- (Easy*) Performance of these checklists covering the 78 HIPAA Security Citations and providing the 9 steps identified in conducting a risk analysis in NIST SP800-30.
- (Difficult*) Ongoing updates to the results of the risk analysis conclusions (i.e. what risks were found, who is going to do what, by when to address the risk found) and risk results (i.e. tracking what activities have been performed since the risk analysis was performed)
*It is easier to identify HIPAA gaps in compliance and risk items to the organization. It is more difficult for organizations to react to the gaps and risks found as this requires resources, changes in process and increased administrative, technical and physical safeguards.
Like any other security assessment (gaps identified against an industry guidance) and risk analysis (calculating risk for the organization for any said gaps), security encompasses authorization (who is granted authorized access to what data and reducing unauthorized access), integrity (timely and complete data), and availability (ability to restore damaged or lost ePHI and ability to continue operations during emergency scenarios).
To address common vulnerabilities and exposures (CVE), we recommend that every security risk analysis include, as a base requirement, the performance of an automated vulnerability analysis scan (164.308(a)(1)(ii)(A)) from the Internet against any of the organization’s Internet-accessible systems.
The next level of this type of effort would include internal vulnerability scanning, which is like the external vulnerability scan but against all internal computers, servers and systems. We find most environments are like M&M candies — hard on the outside, but soft and easy to melt on the inside.
- a) ePHI discovery and mapping (what databases, purpose and who is responsible)
- b) Firewall configuration review (ensure only minimum ports are open, see if IPS/IDS is appropriate to detect malicious software communicating to the Internet from breached systems)
- c) Penetration testing of all Internet-facing applications (especially if software is developed in-house)
- d) Ethical hacking (such as testing various ways to gain administrative access to systems and firewalls)
- e) Ongoing remediation consulting (having an external firm remind assignees of tasks and deadlines and update results documentation for potential audit response)
5. Meaningful Use helps address the most serious healthcare threats to electronic personal health information: theft, unauthorized access and loss.
The healthcare industry stores patient information for the treatment, payment and healthcare operations of medicine. This industry has historically been slow to adopt technology and computer systems. As such, the migration of our protected health information (PHI) from paper to electronic (ePHI) has been largely fueled by the Meaningful Use (MU) incentive program. To qualify for these MU funds, covered entities must adopt a certified electronic health record technology (CEHRT), or as the industry calls it, an “EMR program”, and use it in a meaningful way (e.g. complete demographics, allergy and prescription drug checks, make patient visits available to the patients, etc.).
Stage 1 of Meaningful Use was extended in December 2014, and stage 2 is being adopted for continued incentive payments. Part of the increased security measures for stage 2 includes the following CEHRT/EMR software features: additional audit logging capabilities (to combat unauthorized access), mandatory encryption/no temporary files being written that may contain ePHI and patient amendment tracking.
6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.
Dell SecureWorks recently uncovered numerous underground marketplaces where hackers are selling information packages that include bank account numbers and logins, social security numbers, health information and other PII. In the underground world, these electronic packages put together for identity theft and fraud are referred to as “fullz”. When “fullz” are sold along with counterfeit or custom manufactured physical documents relating to identity data, the packages are called “kitz”.
Below are the average fees for these packages:
“Kitz” — $1,200 – $1,300, which includes PII and faked papers
“Fullz” — $500, which includes PII faked documents
There are additional fees for health insurance credentials and U.S. credit cards with CVV codes.
Health insurance credentials cost $20 each, while credit cards are only $1 – $2 each. This tells us that people are willing to pay more for your health insurance information than for your credit card information — about 10-20 times more. Therefore, your health information is way more valuable than your credit card information, and it’s extremely important that your health information is kept safe and secure from hackers.
So what is the motivation of enforcing PCI and HIPAA? In the case of PCI – it is clearly the credit card companies suffering financial loss from fraud. In the case of HIPAA – the motivation is to ensure our rights to protect and have our health information secured, reduce waste and hold covered entities, as well as their business associates, accountable for providing basic security, privacy and breach notification requirements.
At the end of the day, after conducting thousands of risk analyses and security projects, a new question pops up from this discussion: “If security and compliance are too difficult for organizations, then why does it seem so easy for hackers to get into their systems?”