Chat with us, powered by LiveChat

Man-in-the-Middle Attacks

In their April Cybersecurity Newsletter, Office for Civil Rights (OCR) addressed an emerging threat known as “Man-in-the-Middle” (MITM) attacks. A MITM attack occurs when a third party secretly intercepts and relays the message between two parties who believe they are communicating directly with each other.

There are several forms of MITM:

Man in the Browser: Malware installed on a computer, used to modify online transactions and has the ability to bypass encryption and antivirus programs.

Man in the Mobile: Hacker inserts a self-signer certificate which allows them to intercept data from a free mobile app.

Man in the Cloud: Hacker gains access by intercepting a synchronized token, spying on file sharing and storage.

Man in the Internet of Things (IoT): Devices that are compatible with Bluetooth or the internet (security cameras or biomedical devices) without default usernames or passwords.

WiFi Eavesdropping: Hijacking a WiFi connection to spy a user, most likely to occur while using public WiFi.

An MITM attack can be used to achieve various outcomes. Some of these outcomes include: injecting malicious code, intercepting sensitive information like Protected Health Information (PHI), exposing sensitive information or modifying trusted information.

Protection from MITM Attacks

As with all malware and cyber-attacks, being aware of the threats and implementing appropriate safeguards are critical to creating a strong cyber security program and protecting PHI.

Below is a list of safety measures to protect against an MITM attack:

  • Implement firewalls that can provide https filtering / deep packet inspection (SSL and TLS)
  • Utilize web content filtering anti-spam protection devices or applications
  • Avoid using un-encrypted free WiFi hot spots to transmit sensitive data
  • Verify that sensitive data is only entered on websites using https
  • Discontinue use of websites that provide warning about issues with the certificate
  • Maintain your operating system software and verify your hardware is patched and up-to-date
  • Utilize a 2 factor authentication system whenever possible
  • Configure web-filters to deny any “zero-reputation” websites/URLs to reduce chances of compromised banner-ads
  • Training, it is very vital to constantly train and remind users, at the end of the day WE are the front end, top layer of any security device and without training we are not going to know what to watch for
HTTPS Inspection Products

To offset the threat of a MITM attack, many organizations have implemented end-to-end connection security to internet transactions using Secure Hypertext Transport Protocol, or “HTTPS.” Additionally, some organizations use “HTTPS interception products” to detect malware over an https connection. These products are known as “HTTPS / SSL inspection or deep packet inspection” and are designed to intercept the https network traffic then de-crypt, review and finally, re-encrypt it.

One issue organizations utilizing https interceptions products need to be aware of is the potential vulnerabilities due to an inability to verify web servers’ certificates and validate the security of the end-to-end connection. These products do requires users systems to trust the device vendor self-created certificate so there to facilitate communicating with the device which is decrypting and encrypting the inspected data.

PHI and HIPAA Security

The HIPAA Security Rule specifies that PHI must be encrypted stating “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 Definition of Encryption.) PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if confidential passwords or keys that enable decryption have been breached. Additionally, encryption processes must meet the standards set by the National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS).

US-CERT Recommendations

In a previous blog post we introduced the United States Computer Emergency Readiness Team (US-CERT), a team designed
to respond to cyber security incidents and analyze data from partners about emerging cyber threats. US-CERT has weighed in on MITM attacks and recommends that organizations verify that their https interception product properly validates certificate chains and passes any warnings to the client.

For the latest recommendations from the US-CERT, visit:

Fighting Ransomware: A Success Story

When the HHS Office for Civil Rights released the HIPAA guidance on ransomware in the summer of 2016, collectively the health care community sat up and took notice. The guidance (found here) outlines various activities required by HIPAA that assist organizations in the prevention and detection of threats. One of the key activities listed in the guidance is completing an annual Security Risk Analysis.

As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis.  By utilizing the HIPAA One® Security Risk Analysis (SRA) tool, I am able to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site with one of our clients, which I will call “Care Health” to preserve their confidentiality, working on organization-wide identity protection. Care Health utilizes our SRA to safeguard their critical data and provide security and protection from Ransomware, malware and the proverbial “sophisticated malware attacks”.

blogWhile at the Care Health office, two staff members in the Billing department were utilizing shared files in a network-mapped drive (e.g. N: drive). One of the staff members noticed new files were being spontaneously created and the file icons in the network folder were changing. By watching the changing file names, the staff member noticed one showed up as ransom.txt.

Acting quickly, she contacted the IT Helpdesk for assistance. The Helpdesk had been trained to triage all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). Upon being notified of the issue, the HSO logged-into the N: shared drive and found their files were slowly being encrypted!

How do you stop a Ransomware attack?

blog-2Promptly, the HSO ran Bitdefender full-scans on the Billing department computers and found nothing. He then installed and ran Microsoft’s built-in Windows Defender, which has the most current malicious software removal utilities on Server 2012 and found Tescrypt.  Installing Windows Defender on the two desktops not only detected the encryption, but also removed it.

This specific Ransomware variant had somehow infected the system and was systematically encrypting these files.  Thankfully, the quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before any patient data was compromised. Following the incident, backups were used to restore the few-dozen encrypted files on the network-drive. Due to appropriate safeguards and training, the Care Health team was ready and a crisis was averted.

Upon a configuration review of Care Health’s security appliances, WebSense was configured to allow “zero-reputation” websites through.  Zero-reputation websites are new sites without a known reputation and are commonly used by hackers to send these types of attacks. At Care Health, the Ransomware apparently came from a valid website with an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download prior to the user being allowed to see the valid web page. This forced website visitors to download the executable virus from the banner-ad and unknowingly install the Ransomware on their local computer. Once downloaded, the Ransomware would begin encrypting files in high-lettered network-drives.

Next steps…

Unfortunately, Ransomware is here to stay and the number of attacks are rising.  Now more than ever, it is critical that health care organizations have updated policies and procedures in place to prevent these attacks and a comprehensive user training and awareness program. Let the Care Health incident be a reminder that a well-trained employee is an organization’s best defense against Ransomware, Phishing and sophisticated malware attacks.

The HIPAA One® software suite offers an automated approach to implementing and maturing your organization’s HIPAA Security Compliance Program. To learn more, visit us at  https://www.hipaaone.com/contact/

OCR’s Updated HIPAA Audit Program – What you need to know

Health and Human ServicesWith the pinnacle of patient breaches hopefully behind us (e.g. Anthem/WellPoint breach, Premera, Blue Cross, and others in 2015), it is clear the industry has struggled with proper security of our electronic health information (ePHI).  As such, the federal government has stepped in to ensure measures are in place to secure ePHI, abide by privacy rules granting all of us access to our health information, and making it illegal to discover a breach and not take appropriate steps to notify those affected.

The Office for Civil Rights (OCR) is a division of Health and Human Services with the responsibility to ensure industry compliance with an individual’s rights to Privacy, safeguards to electronic PHI and to investigate an organization’s diligence when breaches occur.  Part of the OCR’s focus is also to develop audit rules in its activities ensuring the industry is adopting compliance efforts, reducing risk of breaches and improving health care.  This is called the HIPAA Audit Program, and leverages the instructions, called the Audit Protocol, to test compliance.

Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol.  To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.

The HIPAA Audit Protocol is something the Healthcare Information Technology compliance and audit communities have been asking for a long time, which is more guidance on HIPAA regulations.  In addition to NIST-based risk analysis methodologies, this new set of protocols (instructions) are the most comprehensive guidance we have for HIPAA security (safeguards around electronic protected health information, or PHI), privacy (rights and restrictions to PHI) and breach notification requirements (what to do when a breach of PHI happens).  This graphic shows the number of top-level HIPAA citations covered under the OCR’s checklist, color-coded by discipline:

HIPAA Audit Protocol 2016

To summarize the changes between Phase 1 and Phase 2 of the Audit Program:

What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and endorsed the OCR‘s Audit Program.
  2. Contained 169 total protocols.
  3. Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit)
  2. Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
  3. 180 Enhanced protocols (groups of instructions) which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

HHS Spreadsheets Outdated?With so many recent changes, it is clear that checklists, spreadsheets, the ONC’s SRA tool , HITRUST and most commercial compliance software companies are now out of date with the new HIPAA Audit Protocol.   As we get to the end of the Meaningful Use incentive program, we risk having a high number of covered entities potentially using outdated software tools for modern HIPAA compliance requirements.

Regarding the HIPAA Audit Protocol’s compliance date, says Brad Trudell of MetaStar, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements.  If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”

In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).

Specific steps to take in light of the new HIPAA Audit Protocol:
  1. Check your “Clutter”, “Junk” or “Spam” folders to ensure that an email sent from OSOCRAudit@hhs.gov (OCR office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Example of the email is here.
  2. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach notification assessments since these are often overlooked
  3. Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
  4. Address risks found in previous risk analysis efforts. This requires documented progress of gaps in compliance and associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures).  This also includes having supporting documentation tracking these updates.
  5. Identify who your business associates (BA) are (or subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March, 2013), and collect proof (e.g. reasonable assurances) that the BA or Subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
  6. Ensure any software tools used are updated with the new release of the OCR’s updated HIPAA Audit Protocol (e.g. as part of OCR’s Phase 2 of their Audit Program); therefore, your risk management and compliance program will become compliant today (not months from now).

Why invest in yesterday’s Audit Protocol?  HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program.  To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies contact us or email info@hipaaone.com.

 

Demystifying HIPAA Security Risk Analysis

Steven Marco

As a business owner, my professional conversations with physicians run the gamut, from how my business services can solve their problems, to exchanging ideas and best practices, and offering support in starting and growing a business. I get the feeling that physicians running a medical practice often feel like they have a target on their back because staffing, management, regulations, documentation, and reimbursement have become such big parts of medicine.

Building a business requires tremendous time, money and effort in order to become profitable.  The compliance landscape shifts and evolves.  Today, a HIPAA Security Risk Analysis has become paramount for almost any medical practice to collect state and federal reimbursements.  An often overlooked benefit, however, is the Security Risk Analysis, which can improve the efficiency and professionalism of these same practices.

But how does complying with HIPAA help?

First, HIPAA Security is greatly misunderstood.  HIPAA was originally conceived because patients were not able to access their own health information.  Today, HIPAA enforcement is the main driver to ensure we don’t mishandle or otherwise treat patient’s protected health information (PHI) with neglect—willful, or not.

Many practices believe that if they complete a quick checklist or perform a risk assessment with an auditor on the phone and get a final report, they are done and have “checked the box.”    Like doing a fast tax-return, this quick approach diminishes the value of HIPAA. If embraced, HIPAA’s Security Risk Analysis checklist of best practices provides ongoing benefits, such as:

Staff morale:Improve morale

  • Policies and Procedures establish a code of conduct on how staff should represent the clinic in day-to-day interactions with patients.
  • Guidance on handling patients, staff, processes and technology provides operational clarity
  • Assurance that the IT department makes Electronic Medical Records available (e.g. performance, backups and recovery), complete, accurate and confidential.
  • A clear baseline on how to handle all aspects of patient releases, authorizations, business associates and internal operations.

Technology:Improve technology

  • One aggregated place for information about patient visits can contribute to population health research and disease management.
  • Encryption of laptops, desktops, smartphones and all portable media can reduce the risk of having to report a breach by up to 68% (according to OCR breach data for theft, loss and improper disposal).
  • Meaningful Use provides incentives and ongoing reimbursements (soon to become MACRA).

Clinic appearance:Improved appearance

  • Staff attire, name badges and a proper patient waiting area separate from the clinic complies with HIPAA and improves the professional look and feel of the clinic.
  • Training and employee awareness reinforces policies and procedures which drives improved moral and reduces risk to the clinic.

The Bottom Line:

Conducting a HIPAA Security Risk Analysis covers Administrative, Technical and Physical (PAT) safeguards and provides a snapshot into where the clinic is performing well and where improvements are needed.  If a HIPAA Security Risk Analysis is the snapshot, then the “moving picture” is the ongoing process of improving gaps in compliance, not only to reduce the chances of a security breach but also to improve the efficiency of the health care organization.   For a quick 5-minute assessment, take our high-level HIPAA Security Assessment quiz and see how your practices measures-up to the the top 13 HIPAA items typically missed.  Contact us today to learn how to get more of a return on investment in HIPAA than simply, “checking the box”.

HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and how much our clients appreciated the simplicity and automation provided by the product. We have been committed to expanding our solutions and add products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments.   Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs of not only the large practices, but also the small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, the OCR is accelerating the frequency and number of audits, with HIPAA One solutions, you are guaranteed to pass.

LEARN MORE

Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn't Going Away

HIPAA Isn’t Going Away

Good news – with the mixed-bag of recent news from CMS, the boat has not yet left the dock!  If you conducted a “last-minute” spreadsheet or checklist to meet December 2015 deadline, the odds of passing an audit are not good.  Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs.  In spite of the recent proclamation from CMS that MU will end in 2016; any Eligible Provider (EP) or Eligible Hospital (EH) must still file for 2015.  The specific requirements to “Protect Electronic Health Information” are described by CMS as listed in the following table:

table1The filing period for Meaningful Use Attestation and reporting is from January 4 through February 29, 2016.  This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015; there is still time!  The SRA will need to be for 2015 and cannot be used for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process; using a cloud-based, step-by-step- approach (see quick video here:  https://youtu.be/9G_B7U_pnuo).  As such, you will be able to comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

table2A “new program” is slated to be announced by CMS on or about March 25, 2016 that will replace (some think “augment”) the current MU program.  It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement.  There will also be special attention paid to APIs and interoperability.  That said; data security will still be of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance

Prevent HIPAA Violations
Get Started by Contacting Us Today

HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment for 164.308(a)(1)(ii)(A) so you be assured you are compliant.

HIPAA Security for Meaningful Use : Myths and Facts

fact-vs-myth

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials).  They go in to the organization interviewing, collecting some documentation, running scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art, content, and most-importantly; it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks.” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely-adopted to tackle this), HIPAA One® will allow a full-import of last-year’s HIPAA Security Risk Analysis (SRA) allowing a review of each question to see what has changed.  Ongoing tracking is built-in after the SRA is over and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

False.  It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third-party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts are expensive however, year 2 should be roughly 50% of what year 1 is as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps to conduct the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor; using automation vs any manual-based risk analysis while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button and HIPAA One® allows you to insource, instead of outsource.

Org Info Import

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

6 Laptop Security Basics

reddragonscreenshot

If you work in IT and HIPAA compliance you understand that laptop security is a leading threat in the rising number of HIPAA breaches. Many of us watched the “Girl with the Dragon Tattoo” and walked away concerned about our decision to use Microsoft’s “free” BitLocker solution with Windows 10! Despite the “Hollywood spin” of spies stealing laptops and leveraging Firewire drives to gain the decryption keys, these threats are very real in the world of health care IT today.

We work with Hospitals, Clinics, Health Plans, Health Information Exchanges, Business Associates.  Most recently we helped a HIPAA Security Officer at an IT company encrypt all their laptops.  They have no Active Directory Domain, users are working from home in all corners of the country, and they don’t want to spend $70 per laptop to encrypt them.

BitLocker-Drive-Encryption

We upgraded their Windows 7 Professional laptops to Windows 10 and employed BitLocker on all laptops using TPM and PINs.

They are encrypted, and now we are compliant with HIPAA, right?  Not quite so fast.  Upon verification, we found out their IT company used only TPM to encrypt their laptops.

TPM stands for Trusted Platform Module – which essentially is a microprocessor that off-loads encryption/decryption loads when reading and writing to the hard drive and integrates the decryption key with the hardware.  It is a feature in most all laptops nowadays and is required when using most encryption products.  The key needed for decryption can be stored on USB, or network file share and is temporarily stored in the system’s memory while the laptop is turned on and the user is logged-in.  The key is needed to use the laptop (by decrypting the information on the hard drive so it can be used in the device’s memory and CPU processes).

Using the OCR’s Audit Protocol as our HIPAA  checklist, here are some basics we recommend for HIPAA-compliance efforts and best practices (be sure to use SSD to help with encrypted laptop performance):

In summary laptops need, at a minimum:

  1. Patch Management & supported OS 164.308(a)(5)(ii)(B)
  2. Malware Protection (ideally from centralized console) 164.308(a)(5)(ii)(B)
  3. Even though they call this one “addressable, IMO full-disk encryption is a must 164.312(a)(2)(iv) – We recommend AD/Azure with BitLocker full-disk encryption*, Symantec Endpoint Encryption (PGP), or McAfee Encryption.
  4. Session Idle timers set to lock or logoff 15-30 minutes (depending on your org’s workflows) 164.312(a)(2)(iii)
  5. Disposal and reuse procedures (secure wipe before reuse or destruction for disposal) 164.310(d)(2)(ii)
  6. Device and Media Controls (tracking and remote wipe/lock management if lost or stolen) 164.310(d)(2)(iii)

*Per Microsoft’s article on BitLocker’s “vulnerability” , “Some configurations of BitLocker can reduce the risk of this kind of attack. The TPM+PIN, TPM+USB, and TPM+PIN+USB protectors reduce the effect of DMA attacks when computers do not use sleep mode (suspend to RAM). If your organization allows for TPM-only protectors or supports computers in sleep mode, we recommend that you block the Windows SBP-2 driver and all Thunderbolt controllers to reduce the risk of DMA attacks. ”

So don’t let this article sway you from using BitLocker.  It is still a valid solution.  And just like any other tool needs a few additional configuration settings (TPM + PIN or TPM + USB) to ensure you don’t fall into a situation where you must notify your patients a breach happened.

So if you are a clinic, hospital, health plan or business associate, and become a targeted victim of laptop theft, you can smile all the way to the IT Helpdesk knowing a ePHI breach to Health and Human Services is not reportable, and your shiny new laptop will be on its way!

To cover these 8, and the other 72 HIPAA Citations, contact us or see our HIPAA One® Solution page for the simple, automated and affordable way to meet complex compliance requirements while reducing your organization’s risk handling PHI.

Implementing HIPAA’s Security Rule Safeguards — Part 2: Physical Safeguards

Image Courtesy of Randen Pederson

Image Courtesy of Randen Pederson

In part one of this three-part series, we discussed what HIPAA’s Security Rule’s Administrative Safeguards require and why these safeguards need to be implemented. In today’s post, we’re providing the same type of overview with its Physical Safeguards.

The U.S. Department of Health & Human Services defines physical safeguards as the “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

There are four main requirements with the Security Rule’s Physical Safeguards:

Facility Access Controls (§ 164.310(a)(1))

It’s mandatory for covered entities to limit the physical access to their facilities and information while guaranteeing that access is allowed to those with the right authorization. This aspect of Physical Safeguards includes four subset to ensure all of a Covered Entities physical locations are secure.

Contingency Operations (§ 164.310(a)(2)(i))

In the event of an activation of a contingency plan, CEs must have a plan in place for securing ePHI data. You never know when disaster will strike, having processes in place to access and secure facilities before it happens is necessary.

An example would be as part of the D.R. Plan, ensure IS personnel have a way to access the data facility in the event of a disaster or emergency.

Facility Security Plan (§ 164.310(a)(2)(ii))

The Facility Security Plan is where CEs need to document each physical access control in-use. Policies and procedures here should ensure the facility is protected from unauthorized access, theft, and/or tampering.

An example would to be to establish a Policy and Procedure whereby each of the organization’s locations are required to take steps to physically secure computers connected to ePHI systems and control physical access to the premises.

Access Control and Validation Procedures (§ 164.310(a)(2)(iii))

Here, CEs will delve into more detail from the Facility Security Plan. Specifically, the access to facilities based on job role and function. In addition, CEs must have procedures and policies regarding visitor controls and software testing controls.

An example would be to establish a procedure where all staff must have organization-issued badges displayed at chest-height at all times during clinic operations.  Require all vendors (e.g. Drug Reps, Consultants, Contractors, Auditors, etc.) sign in and provided a VISITOR badge.

Maintenance Records (§ 164.310(a)(2)(iv))

A CEs facility will undoubtedly require physical maintenance; such as changing locks and installing new security systems. The Maintenance Records provision requires for policies and procedures to exist to ensure documentation of such events.

An example would be to establish a Policy and Procedure where all security-related repairs and modifications are authorized and tracked/logged.

Workstation Use (§ 164.310(c))

Covered entities are also required to enforce company guidelines and processes that identify the proper access and use of company workstations. A “workstation” is defined in the HIPAA Security Rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”

Improper use of computer workstations may lead to threats from viruses and hackers, as well as confidentiality breaches. It’s essential for CEs to implement proper procedures to ensure compliant workstation use. This includes all off-site work stations, too!

An example would be to establish an Acceptable Use Policy that contains sections addressing acceptable use of computer systems and workstation environment.

Workstation Security (§ 164.310(c))

While it may seem at first that Workstation Use and Workstation Security are one in the same, they have a key point of difference. The Workstation Use standard includes no implementation specifications. However, the Workstation Security standard outlines the policies and procedures for how workstations should be used and protected.

An example would be to apply measures to ensure all workstations are physically secured from unauthorized access (i.e. away from public areas and screens angled away from public areas).

Device and Media Controls (§ 164.310(d)(1))

Similar to Workstation Use, in order to meet the Device and Media Controls standard, CEs must ensure all documents that transmit or contain ePHI data are secure. This standard also further specifies that policies and procedures must be in place that cover the receipt, removal, backup, storage, reuse, disposal and ownership of electronic media.

Examples to cover this specification would be to:

  1. Establish a Policy and Procedure outlining secure disposal techniques ensuring all ePHI is adequately destroyed on old computer media before disposal or re-use;
  1. Establish a Policy where staff is provided guidance on encrypting ePHI downloaded to any electronic media (including laptops, smartphones, etc.);
  1. Establish a Procedure to conduct a full backup of any ePHI systems prior to being moved;
  1. Evaluate & deploy an inventory IT asset management tracking and security (i.e. remote wipe) system for laptops, smartphone, tablets and digital media assets (i.e. backup tapes, desktops) containing ePHI; and
  1. Assign the responsibility of maintaining the IT asset management system to document movement of all ePHI repositories.

Conclusion

Most HIPAA violations relating to the Security Rule’s Physical Safeguards deal with paper documents, human error and the loss or theft of a mobile device. Any violation to the HIPAA Security Rule runs a high-probability of severe fines, being fired, office closures and even some jail time. You don’t want your organization or any of your employees to face these consequences, which is why it’s so critical for each of your employees to understand HIPAA’s Security Rule and each of its three safeguards. Education will help prevent violations and help establish a proper communications & awareness effort such that the organization remains HIPAA compliant and in control of its breach-related risks.

Make sure to check our blog in the near future to read the last post in this series and learn about HIPAA’s Security Rule’s Technical Safeguards.

Implementing HIPAA’s Security Rule Safeguards — Part 1: Administrative Safeguards

Protect

Image Courtesy of GotCredit

What would you be willing to spend to pay off liability claims for breaching HIPAA laws? $10,000? $50,000? $100,000? Or you could prevent ever having to write that enormous check and save yourself thousands of dollars by using HIPAA compliance software.

In order to fully reduce and minimize liabilities, the smart choice is to use HIPAA compliance software. It is an efficient and affordable way to ensure your organization is HIPAA compliant, and it will keep you and your clients feeling assured and protected.

The U.S. Department of Human and Health Services regulates the maintenance and fulfillment of following these codes, which includes the HIPAA Security Rule. With the ever advancing of technology and methods of spreading information, making sure electronic protected health information remains safe and secure must be a top priority.

As part one in a three-part series, we will outline why it is vital to be compliant with HIPAA’s Security Rule and how to do so.

Administrative Safeguards

First on your list to implement are the Administrative Safeguards. The HIPAA Security Rule’s Administrative Safeguards focus on your organization’s internal security measures, ensuring you create a durable security foundation to best protect your patients’ information.

Below, we’ll outline are the ten areas which the Administrative Safeguards requires.

1. Security Management Process (45 CFR 164.308(a)(1)(i))

Recognize and scrutinize possible risks to ePHI. Every security means available must be implemented to minimize risks and any potential susceptibility to be leaked.

2. Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

HIPAA One is the simplest, most-automated and affordable comprehensive Security risk analysis on the market that guarantees compliance and reduces risk.   See www.hipaaone.com for more information.

3. Assigned Security Responsibility (45 CFR 164.308(a)(2))

Designate an official who is trustworthy and responsible to oversee the progress and execution of the organization’s policies and practices.

4. Workforce Security (45 CFR 164.308(a)(3)(i))

Only those authorized may be granted access to ePHI. This means the disclosure and use of ePHI comes only on a role-based access. To be compliant with the Privacy Rule, any access or disclosure of ePHI is on a need-to-know basis.

5. Information Access Management (45 CFR 164.308(a)(4)(ii)(A))

Identify and isolate healthcare clearinghouse functions by moving the computing/server environment onto a seperate network with some type of firewall inserted between it and the rest of the production computing network. Ideally put some type of IPS/IDS in place (network security device) to monitor for malware or other types of attacks.

6. Security Incident Procedures (45 CFR 164.308(a)(6))

Implement policies and procedures to address security incidents.

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

A Security Incident Response Plan is designed to report, verify, contain, notify, restore service, document and provide a cost estimate. If you have an SIRP, but no reports of incidents, look at training and awareness to your workforce! There should be some reports in the past 12 months or folks are not aware what the process is.

7. Security Awareness Training (45 CFR 164.308(a)(5)(i))

Train and supervise personnel who have access to ePHI. The rule requires that organizations must train employees about the security policies and procedures and enforce appropriate sanctions against those individuals who do not comply.

Conduct training annually and ensure HIPAA Security Training at a minimum covers encryption, security incident definition, channels to report incidents, email phishing and to report any unencrypted ePHI to the HIPAA Security Officer.

Provide periodic reminders such as emails, newsletters, staff meetings, posters and bulletin board postings are all helpful in keeping people aware.

People are the biggest resource in helping identify security incidents and reporting.

8. Contingency Plan (45 CFR 164.308(a)(7)(i))

Establish a data back and restoration plan for all servers and databases – don’t forget to include periodic testing (at least quarterly) of data restores to verify backup integrity.

Contingency planning may be as simple as developing a “System Downtime Packet” which includes paper-sheets stapled forming a health care packet. Include patient Demographic forms, SOAP note forms, common ICD codes, 1blank prescription sheet, medical/Doctor’s Note and any other forms commonly used through the process. Enter data when the EHR system becomes available again.

Disaster Recovery Planning includes an updated ePHI asset sheet with server criticality and restoration priority (no more than 4 levels please) in the event of restoration.

Periodically test the above scenarios to verify they would meet the emergency needs of your organization.

9. Protection from Malicious Software (45 CFR 164.308(a)(5)(ii)(B))

Ensure there are multiple layers protecting your computers from malware. Ransomware is becoming a huge problem when users click on an email link after they were fooled to open it, they just downloaded the virus that jumps to all the computers encrypting their hard drives requiring a money transfer to release the files.

Files

At a minimum include safeguards such as patch management, anti-virus, a deep-packet inspection firewall that includes a subscription service to block any suspicious activities (SonicWall/Dell and FortiGate have great solutions for small to medium sized organizations) and training to keep users aware of deceptive phishing scams (and never to open email from people you don’ t know).

Through a multi-layers approach you can protect your organization from being another victim of cybercrime.

10. Evaluation

Perform a routine and periodic evaluation of how well the security policies and procedures fall under the umbrella of the Security Rule.

In a world where private information is becoming less and less private, organizations — including yours — must strive to maintain and protect the health information of each individual. By following the required steps of the Administrative Safeguards, you can feel assured that you are following HIPAA standards and are keeping yourself, those you work with and your patients safe.

HIPAA One® provides a comprehensive coverage of all Physical, Administrative, Technical and Organizational (Vendor Management and Business Associates) safeguards and empowers individuals with or without security experience to test their own preparedness and benchmarking their HIPAA Security efforts. Email us at info@hipaaone.com, or visit www.hipaaone.com today for more information.

Check back on our blog soon for part two of this series where we will explain the HIPAA Security Rule’s Physical Safeguards.