Action Items Based on Lessons Learned
By Howard Anderson for GovInfo Security
What can be learned from the more than 390 major breaches affecting more than 19 million individuals that have been reported as a result of the federal HIPAA breach notification rule? Plenty, breach prevention experts say.
Here are eight key breach-prevention insights from information security thought-leaders:
1. Don’t Forget Risk Assessments
The details of the biggest breaches last year “make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches,” says Dan Berger, CEO at Redspin. “A comprehensive security risk assessment would have identified where PHI [protected health information] is stored, who has access to it and how it’s utilized in the normal workflow. The analysis would then investigate whether sufficient controls are in place.”
Because so many huge breaches have involved the loss or theft of mobile devices and media containing unencrypted PHI, Berger concludes that risk assessments were either not conducted or failed to pinpoint that vulnerability. He urges organizations to conduct comprehensive assessments that cover external and internal infrastructure, web applications and wireless security, and that lead to a mobile device policy and in-depth employee training.
2. Encrypt Mobile Devices, Media
“Even though encryption is what’s referred to as an addressable standard in the HIPAA security rule – which means it’s not actually mandated in all cases – I don’t see any reason why information shouldn’t be encrypted in all cases on portable media and devices,” says Robert Belfort, partner at the law firm Manatt, Phelps & Phillips LLP. “That’s one step that organizations can take that can address a very significant share of the types of breaches that are occurring.”
In addition to making better use of encryption, organizations should consider limiting or banning patient data storage on mobile devices, many experts advise. For example, David Szabo, partner at the law firm Edwards Wildman Palmer LLP, says organizations should “reassess their policies about how much information employees really need to take off the premises. … The whole issue of portable devices is one that organizations really need to look at hard.”
3. Beef Up Training
“People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information,” Szabo stresses.
Timothy McCrystal, partner at the law firm Ropes & Gray, points out that the Department of Health and Human Services’ Office for Civil Rights has stressed the importance of ongoing training in its resolution agreements with organizations that have experienced a breach.
“I have participated in discussions with OCR on a resolution agreement, and that was a particular point of focus – that the organization not just have policies and procedures, but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities.”
4. Conduct Internal Audits
In addition to training, an important step toward addressing internal breach threats is to conduct audits of records access, Belfort says.
“The belief that audit logs are being monitored and that there is a high risk that if you access a record improperly you will be caught through some sort of audit trail review can have a very important impact on behavior within an organization,” he notes.
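The audit trail review Belfort describes only deters misuse if someone actually runs it. As an added illustration, not part of the original article or any vendor's product, the Python script below reviews a constructed EHR access log for three classic patterns: a staff member opening their own record, access to patients outside the user's unit, and a burst of distinct patient records in a short window (the snooping pattern that per-record rules miss). The log format, the rule set, the thresholds and the lookup tables (`EMPLOYEE_PATIENT_IDS`, `CROSS_UNIT_ROLES`) are assumptions made for the example; a real deployment would draw treatment relationships from the EHR itself.

```python
"""Audit-trail review for an EHR access log (added example, not from the article).

The log format, the rules and the thresholds below are assumptions made for
illustration; real EHR audit logs and access policies differ per vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data):
# timestamp  user  user's unit  patient id  unit treating the patient  action
SAMPLE_LOG = """\
2012-03-01T08:02:11 rjones cardiology P1001 cardiology view
2012-03-01T08:05:40 rjones cardiology P1002 cardiology view
2012-03-01T08:09:03 rjones cardiology P2001 oncology view
2012-03-01T08:09:45 rjones cardiology P2002 oncology view
2012-03-01T08:10:12 rjones cardiology P2003 oncology view
2012-03-01T08:10:50 rjones cardiology P2004 oncology view
2012-03-01T09:15:00 mlee oncology P2001 oncology update
2012-03-01T09:20:00 mlee oncology P3001 er view
2012-03-01T12:00:00 kpatel billing P1001 cardiology view
2012-03-01T12:01:00 kpatel billing P5555 er view
"""

# Assumed lookup tables a real deployment would pull from HR and the EHR.
EMPLOYEE_PATIENT_IDS = {"kpatel": "P5555"}   # staff who are also patients
CROSS_UNIT_ROLES = {"billing"}              # units that legitimately read across units


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, unit, patient, patient_unit, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "unit": unit,
            "patient": patient,
            "patient_unit": patient_unit,
            "action": action,
        })
    return records


def review_audit_trail(records, max_patients=5, window_minutes=15):
    """Return a list of findings, each {"user", "patient", "reason"}.

    Rule 1: a user opening their own record (self-lookup).
    Rule 2: access to a patient outside the user's unit when the user's unit
            is not on the cross-unit allow list.
    Rule 3: more than max_patients distinct patients within window_minutes,
            a snooping pattern that per-record rules can miss.
    """
    findings = []
    for r in records:
        if EMPLOYEE_PATIENT_IDS.get(r["user"]) == r["patient"]:
            findings.append({"user": r["user"], "patient": r["patient"],
                             "reason": "self-lookup"})
        elif r["unit"] != r["patient_unit"] and r["unit"] not in CROSS_UNIT_ROLES:
            findings.append({"user": r["user"], "patient": r["patient"],
                             "reason": "cross-unit access"})

    # Sliding window per user over the time-sorted log.
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    window = timedelta(minutes=window_minutes)
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            # advance the window start so rows[start:end+1] spans at most `window`
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            distinct = {x["patient"] for x in rows[start:end + 1]}
            if len(distinct) > max_patients:
                findings.append({"user": user, "patient": None,
                                 "reason": f"burst: {len(distinct)} patients in {window_minutes} min"})
                break  # one burst finding per user is enough for a reviewer
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(parse_log(SAMPLE_LOG)):
        print(f"{f['user']:8} {f['patient'] or '-':6} {f['reason']}")
```

On the constructed log the script flags kpatel's self-lookup, five cross-unit accesses (four by rjones into oncology, one by mlee into the ER) and one burst finding for rjones, who opened six distinct records in under ten minutes. The burst rule is the one worth keeping even where a treatment-relationship feed makes the cross-unit rule redundant: a clinician who legitimately covers several units can still snoop, and only volume over time reveals it. Findings like these are the input to the follow-up Belfort's deterrent depends on; if nobody reads them, staff learn quickly that the audit trail is not reviewed.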
5. Monitor Business Associates
About 22 percent of major breaches, including many of the largest incidents, have involved business associates. As a result, it’s essential to work with vendor partners to ensure they’re taking adequate breach prevention steps.
McCrystal says it’s important to ask business associates probing questions before signing a contract. Those questions should include inquiries about the companies’ privacy and security policies, use of encryption and reliance on subcontractors.
Healthcare organizations “should actually implement an audit from time to time” to ensure business associates are adequately addressing security, McCrystal adds. “Some of our clients, when contracting with business associates, have conducted audits of their privacy and security practices in advance of entering into a contract.”
6. Limit Data Storage
Fred Cate, a law professor at Indiana University, says the recent breach affecting 24 million customers of Internet retailer Zappos.com raises an important question for security professionals in all industries: “Are you collecting and storing more data than you need? Because if you are, you’re taking on more risks than you need to face.”
In the Zappos.com incident, a hacker gained access to an unencrypted central database containing a wealth of customer information. In the healthcare arena, numerous major breaches have stemmed from massive unencrypted databases stored on laptops or backup tapes.
Ozzie Fonseca, senior director at Experian Data Breach Resolution, notes that about half of 500 organizations across all U.S. industries that have experienced a breach said in a recent survey that they subsequently took steps to limit personal data collected and limit sharing of the data with third parties. About 42 percent limited the amount of personal data stored.
“Collecting and storing unnecessary information is never a good idea,” Fonseca says.
7. Don’t Forget About Paper Records
Szabo points out that federal authorities fined Massachusetts General Hospital $1 million after an employee left paper medical records on a subway train. “We shouldn’t get too wrapped up in just thinking about computers and technical things – paper records can also be at risk simply because of the errors and omissions of employees,” he says.
8. Address Other Potential Vulnerabilities
Last May the HHS Office of the Inspector General issued a report based, in part, on audits of seven hospitals. Those audits, McCrystal notes, identified numerous technical vulnerabilities. “Five of the hospitals had wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless networks from internal wired networks … and no authentication requirements for entering wireless networks,” McCrystal says.
All of the hospitals had some access control vulnerabilities, including, for example, inadequate password settings and a lack of automatic log-off of inactive computers, he adds.
Some hospitals had certain audit log functions disabled. Others had not installed critical security patches, had outdated anti-virus updates, ran operating systems that were no longer supported by the vendor, and allowed unrestricted Internet access for hospital users.
McCrystal advises hospitals to use the report to guide a self-audit to help identify vulnerabilities and reduce the risk of breaches – as well as help prepare for this year’s HIPAA compliance audits.