HIPAA Security Primer
HIPAA, HACKING, and ePHI SECURITY
A Primer for Health Care Providers
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) maintains a public list of all breaches of protected health information affecting 500 or more individuals. In 2016, the healthcare industry suffered four reported data breaches per week, and estimates were that one in three healthcare patients could expect to have their medical records and other ePHI breached by cybercriminals that year.
HIPAA data breaches are expensive
Advocate Health Care Network, Illinois’s largest fully integrated healthcare system will have to pay $5.55 million in fines and adopt a corrective plan for safeguarding its ePHI because it failed to:
• conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
• implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
• obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
• reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
The HIPAA Security Rule
The general requirements for ePHI protection under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (45 CFR 164.306) call for ensuring the "confidentiality, integrity, and availability" of all ePHI, protecting against "reasonably anticipated threats or hazards" to it, and allow a covered entity to "use any security measures" that reasonably and appropriately implement the standards, taking into account its size, complexity, technical infrastructure and the likelihood of harm.
Don’t take any chances with federal regulators or risk a HIPAA audit. Unless you are a HIPAA compliance expert, you really should be engaging the services of those who are.
The government does, however, provide several free resources: the text of the HIPAA Security Rule itself (45 CFR Part 164, Subpart C), the HHS Security Rule guidance index, and the NIST HIPAA Security Rule Toolkit, the companion to NIST SP 800-66.
HIPAA Demands Encryption and “Integrity”
Given the sheer volume of cyberattacks, the increasing sophistication of cybercriminals, and the number of entities already breached, it makes good sense to encrypt ALL ePHI wherever it is stored or transmitted. Strictly, encryption is an "addressable" implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for data at rest and 164.312(e)(2)(ii) for data in transit): you and your Business Associates (BAs) must implement it where reasonable and appropriate, or document why not and what equivalent measure was put in place instead. In practice there is little reason not to, because ePHI encrypted according to HHS guidance is "secured" and its loss is not a reportable breach, while an unencrypted laptop or drive is. Note what encryption does and does not do: it does not stop data being intercepted or stolen, it makes what is taken unreadable without the key. The separate integrity requirement (164.312(c)(1) and (e)(2)(i)) demands that ePHI not be improperly altered or destroyed and that any alteration in transit be detectable.
What is a “secure” ePHI transmission?
For data in motion, TLS (Transport Layer Security) is the protocol recommended by NIST, the National Institute of Standards and Technology, for communications across a public network such as the Internet; NIST SP 800-52 also states which TLS versions and cipher suites are acceptable. TLS is designed to prevent interception of sensitive information, tampering, and message forgery, for example by a man-in-the-middle (MITM) attack, in which a cybercriminal positioned between the two parties intercepts the data being transmitted and can read or modify it without either party knowing. Sender and recipient think they are engaged in a confidential exchange over the Internet, but in reality a malicious third party is reading or rewriting that communication. TLS only delivers this protection when the client actually verifies the server's certificate and both ends refuse obsolete protocol versions; a connection that merely "uses TLS" with certificate checking switched off stops neither interception nor tampering.
SSL (Secure Sockets Layer), the predecessor to TLS, is known to be vulnerable to exactly these attacks while ePHI is in transit across the Internet: SSL 2.0 and 3.0 are formally deprecated (RFC 6176 and RFC 7568), and TLS 1.0 and 1.1 have since followed them (RFC 8996). Not all cloud providers have kept up; some still accept SSL or early TLS. Be aware that many vendors still say "SSL" when they mean TLS, so the check that matters is which protocol version a connection actually negotiates, not the label on the product sheet.
Any ePHI that is stored, data at rest, on devices, whether on premises, in data centers, or in the cloud, should be encrypted. NIST recommends AES (the Advanced Encryption Standard, FIPS 197; not to be confused with the older Data Encryption Standard, DES, which is no longer approved) with a 256-bit key for this task. Use an authenticated mode such as AES-GCM so that tampering with stored ciphertext is detected on decryption, and keep the keys separate from the data they protect: a full-disk-encrypted laptop whose password is on a sticky note in the bag is not secured.
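Added example, in Go, for the at-rest and integrity points above (not code from the original primer): it seals one constructed, fictitious patient record with AES-256-GCM, binds the record identifier as associated data, and shows that a single flipped bit in the stored blob, or the blob being presented under a different record identifier, is rejected on decryption rather than silently returning corrupted data. The key is generated in memory for the demo; in production it would come from a KMS or HSM and never sit next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // 32 bytes = AES-256; a 16- or 24-byte key is rejected below

// NewKey returns a fresh random AES-256 key. For the demo it lives in memory;
// in production it comes from a KMS or HSM and is never stored beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	_, err := rand.Read(key)
	return key, err
}

// newGCM enforces the 256-bit key length and returns an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one ePHI record with AES-256-GCM. recordID is bound as
// associated data, so a blob cannot be moved into another patient's slot
// unnoticed. Output layout: nonce || ciphertext || 16-byte authentication tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the blob (a flipped bit, a
// truncated tag) or a mismatched recordID fails the GCM tag check and returns
// an error instead of silently handing back corrupted data.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold a nonce and a tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not a real patient.
	record := []byte(`{"mrn":"000123","name":"Sample Patient","dx":"constructed example"}`)
	blob, err := SealRecord(key, "mrn:000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d stored bytes\n", len(record), len(blob))

	if pt, err := OpenRecord(key, "mrn:000123", blob); err == nil {
		fmt.Println("intact blob opens:", string(pt))
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // one flipped bit, as bit-rot or an attacker editing the file would cause
	_, err = OpenRecord(key, "mrn:000123", tampered)
	fmt.Println("tampered blob:", err)
	_, err = OpenRecord(key, "mrn:000999", blob)
	fmt.Println("blob under the wrong record ID:", err)
}
```

AES-GCM's security depends on never reusing a nonce under the same key; the random 96-bit nonce used here is fine for a modest number of records per key, but a system sealing billions of records under one key should rotate keys or use a nonce-misuse-resistant mode, and the key itself must be stored and access-controlled separately from the ciphertext.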
HIPAA Violations –Enforcement
Failure to comply with HIPAA can result in civil and criminal penalties.
The HHS Office for Civil Rights must investigate any complaint when a preliminary review of the facts indicates a possible violation due to "willful neglect," which HIPAA defines as "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA) and attempted to create a national health care infrastructure based on adoption of electronic health record (EHR) systems among providers. The HITECH Act established four tiers of increasing penalty amounts for violation of the HIPAA Rules.
1. Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.
2. Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
3. Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference, but the covered entity or business associate corrected it within 30 days of discovery.
4. Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference and the covered entity or business associate did not correct the violation within 30 days of discovery.
Fines are applied per violation, not per incident: OCR may count each individual whose ePHI was compromised, or each day a requirement went unmet, as a separate violation.
Civil Monetary Penalties (CMP)
| Violation Category | Per Violation | Annual Maximum (identical provisions, per calendar year) |
| Unknowing | $100 – $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect: Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect: Not Corrected | at least $50,000 | $1,500,000 |
The amounts shown are the HITECH baselines; HHS adjusts them annually for inflation, so the figures in force today are higher.
Places your ePHI might be hiding
You need to know all of the places where your ePHI resides at all times and how it is being viewed, stored and shared outside of your network firewall, among them:
USB drives. Fast and convenient for exchanging patient records between colleagues, or for carrying them from a device in the office to a device at home; but neither HIPAA regulators nor the thief who walks off with the drive and everything on it care about those innocent intentions, and the intentions will not protect your patients or your practice. If removable media must be used at all, it should be encrypted, and its use logged.
Text messages. Under most circumstances, texting unsecured ePHI is a HIPAA violation, and OCR can fine you up to $50,000 for each insecure text containing ePHI. Standard SMS is not encrypted end to end: the message is readable on the carrier's systems and on both handsets, and messaging apps used over an untrusted network such as a public WiFi hotspot add further exposure. A second problem arises when the person texting ePHI loses the phone or has it stolen, since every message is still sitting on it.
Email accounts. You should be using an email system that encrypts ePHI in transit (TLS between mail servers at a minimum, with message-level encryption or a secure-message portal where the recipient's server cannot be trusted), that you have a BAA with, and that has other security measures such as access logging; not the "free" personal accounts provided by Gmail, Yahoo!, and Microsoft, among others, which come with no BAA.
Hard drives on office equipment. When physical documents containing ePHI are scanned, copied, or faxed, digital copies of those documents are saved to the hard drives of the copiers, scanners and fax machines. Those drives must be wiped or destroyed before leased or retired equipment leaves the building; NIST SP 800-88 describes acceptable media sanitization.
Voice files and recordings. Patient voicemail on your phone service, an answering machine, or a smartphone can be considered ePHI. Tapes and other media on handheld dictation systems which contain patient information qualify as ePHI and need to be protected. They cannot be left on a transcriber’s desk or in an unlocked file cabinet!
Previous EMR (Electronic Medical Record) systems. After migrating records to a new platform, a computer server often remains that contains copies of all of its old records from its legacy system. You are responsible for providing adequate security for that old EMR data subject to the exact same HIPAA regulations as new patient records.
Medical device hard drives. The CT scanner, MRI, dental x-ray device and other medical equipment have hard drives, and virtually all of the images and data stored on them are, by definition, ePHI. Implement a process for encrypting these drives where the vendor supports it, regularly offloading the data to a secure server, and sanitizing the drives before the equipment is serviced, returned or retired; where a device cannot be encrypted, compensate with physical and network access controls and document that decision in your risk analysis.
ePHI held by third-party providers
To function as a healthcare provider today, you almost certainly need to work with third parties. Any vendor that handles your ePHI must demonstrate that it maintains HIPAA-compliant processes to secure your ePHI at all times and must execute a HIPAA business associate agreement (BAA).
A BAA is a contract between a HIPAA covered entity (a health plan, health care clearinghouse, or health care provider that transmits health information electronically, that is, an organization that directly handles protected health information (PHI), including personal health records (PHR)) and a HIPAA business associate (BA), any organization or person that creates, receives, maintains, or transmits PHI on behalf of a covered entity or provides services to it that involve PHI.
The BAA obligates the BA to safeguard PHI in accordance with the HIPAA Rules, to report security incidents and breaches to the covered entity, and to flow the same obligations down to its own subcontractors. Since the 2013 Omnibus Rule, BAs are also directly liable for Security Rule compliance; even so, the BAA does not relieve the covered entity of its own duty to verify that the vendor actually does what the contract says.