Last week we talked about HIPAA compliance as an ongoing process. Part of the reason that it must be ongoing is that the world changes. We are constantly offered new ways of doing the business part of behavioral health practice, and each of those new methods must be evaluated in light of the privacy and security requirements of HIPAA. For example, I know that many of you have gone to multipurpose copy/print/fax machines. Hopefully, you remember that the hard drives in those machines store most things that you photocopy, print or fax. When you eventually get rid of that machine, you will need to remove and destroy the hard drive in order to be sure the information you have processed does not leave your organization.
Another arena in which many of our customers now find themselves is access to Protected Health Information (PHI) “in the cloud”. Some customers back up their data to some sort of cloud storage. Some of you are using EMRs or eRx tools that are accessed over the Internet. Some of you have for years had practitioners access your billing and clinical record software remotely, connecting by means of a remote control product or something like Windows Terminal Services. All of these activities require that you make sure your processes are HIPAA compliant, and a vendor’s statement that its service is compliant does not make your use of it compliant: the Covered Entity remains responsible for how PHI is accessed and by whom.
HIPAA requires that PHI be protected both when it is “at rest” (stored) and when it is “in motion” (transmitted). Under the Security Rule, encryption is an “addressable” safeguard, and the breach notification safe harbor applies only to data that has been encrypted in line with HHS guidance, which points to specific NIST standards for stored and transmitted data. The requirements are fairly technical, and interpreting them comes down to specific actions that the Covered Entity must take. This generated some interesting discussion on our SOS User Group.
Dr. B posted: When PHI is stored on a website, how should that PHI be accessed? When are those computers considered secure in accessing that information? Obviously, it is not enough to assume that because the website is secure (has secure log in features), it is HIPAA compliant to access that website from any computer, anywhere. So, to what lengths must a business owner [go] when allowing staff to access PHI stored on the internet? How locked down and monitored should staff computers [be]?
I have heard a whole range of responses as to what people believe is necessary.
1. Some let their staff access the web-based PHI from any computer.
2. Some tell their staff to just be sure to clear the browser history, and they’ll be OK.
3. Some believe they are OK just having their staff sign an agreement that they are accessing PHI on a personal computer that is encrypted and has antivirus.
4. Some believe they have to buy computers for the staff and it is the owner’s responsibility to secure and monitor those computers in an ongoing fashion. That is, staff are not allowed to access the web-based PHI from a personal computer.
5. Some believe it is OK to use a type of VPN connection from a personal computer through an app such as “Remote App” because this app gives access to a “virtual server” on the cloud. This app, provided by Microsoft, will only allow the user to access designated websites like the one where the PHI is stored.
Regarding option #3, I have heard from IT experts that “people are stupid” when it comes to understanding computers. So while they may think they have good antivirus and are doing security updates, most are way off base. And if something happens, it falls at the owner’s feet (or wallet), not on the staff person who signed an agreement.
Lastly, I heard from a few IT experts who believe that in the next two years there will be many midsize healthcare companies that get nailed with big fines, and these people will be the unfortunate test cases.
After SOS staff discussion in our HIPAA training meeting, Seth replied: Secure use of cloud resources that involve PHI requires:
- Encrypted storage at the cloud service provider.
- Encryption of data being passed back and forth – preferably VPN/Virtual Private Cloud.
- Secure client end-point.
I think your question is specifically about security at the client side, so let’s now look at the factors there:
- Hardware and operating system factors
  - Operating system updates.
  - Virus and malware protection.
  - Encryption of local storage, especially on portable equipment.
  - Others using the equipment MUST use a separate log-in. This is a big issue for those working from home.
  - Use short timeouts so that the system locks when not being used and when “sleeping”.
  - Chromebooks and Chromeboxes provide all the above automatically and have the advantage of being less expensive (approximately $200 per unit) than similar traditional PCs. The advantage is that the user does not have to do ANYTHING to secure it, beyond using a strong login/encryption password. Any device that requires the user to have some technical know-how and consciously follow certain procedures (like applying updates) regularly is going to be problematic.
- Access security
  - Serious password policies that don’t permit short, common passwords like ‘password’, ‘abc123’, ‘qwerty’ and the like. Policies for password complexity must be enforced by the systems used.
  - Two-factor authentication is highly desirable and should be used whenever possible.
  - If the system permits, implement a whitelist that only permits log-in from computers/devices with registered MAC addresses.
- WiFi and other local network security issues
  - WPS should be disabled on routers.
  - UPnP (Universal Plug and Play) should be disabled on routers.
  - WPA2 security is the minimum acceptable WiFi security.
  - Firmware on routers should be kept up to date.
  - If connecting from home, a professional rather than consumer router should be used.
- Human factors
  - Train, train, and train some more. Users must be sensitized to the vulnerabilities and to the fact that PHI theft is BIG business. A single PHI record is worth approximately $50 on the black market because of its value in both identity theft and use in filing false claims.
  - Having policies is essential, but to prevent breaches and HIPAA violations, your staff must understand why the policy is there, and the importance of adhering to it.
It is natural to downplay the importance of devices that just ACCESS rather than store PHI, but this recent article explains how even a cellphone, on which data is not actually stored, can result in major problems:
The same day this discussion occurred, I received an invitation to download a white paper through Healthcare Informatics magazine. The 7 Essential Layers of Secure Cloud Computing is a paper produced by ClearData corporation, a company that specializes in security for healthcare organizations. The paper is provided for you with their permission.
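Most of the client-side items in Seth’s checklist can be verified on a Windows workstation without trusting the user’s word for it, which is exactly the weakness of option #3 above. The script below is an added example written for this post, not SOS software and not taken from the white paper; it is a read-only audit of one Windows 10/11 machine using standard built-in cmdlets. The thresholds at the top (30-day patch age, 7-day signature age, 10-minute lock, 12-character minimum) are illustrative assumptions, not numbers from HIPAA or NIST, and the file name Audit-Endpoint.ps1 is likewise assumed. Router-side items (WPS, UPnP, firmware) and two-factor authentication on the cloud service cannot be seen from the client and still have to be checked where they live.

```powershell
# Added example, not part of the SOS post: read-only audit of one Windows 10/11
# workstation against the client-side controls in the checklist above.
# Save as Audit-Endpoint.ps1 and run from an elevated PowerShell prompt.
# The thresholds below are assumptions chosen for illustration.
$MaxPatchAgeDays = 30      # newest installed update must be no older than this
$MaxSigAgeDays   = 7       # antivirus signatures must be no older than this
$MaxLockSeconds  = 600     # screen must lock within 10 minutes of inactivity
$MinPasswordLen  = 12      # local account policy must require at least this

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Control, $Pass, $Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail })
}

# Operating system updates: age of the most recently installed hotfix
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
             Select-Object -First 1 -ExpandProperty InstalledOn
$patchOk = $lastPatch -and ((Get-Date) - $lastPatch).Days -le $MaxPatchAgeDays
Add-Finding 'OS updates' $patchOk "newest hotfix installed $lastPatch"

# Virus and malware protection: Defender enabled, real-time, with fresh signatures
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
            ($mp.AntivirusSignatureAge -le $MaxSigAgeDays)
    Add-Finding 'Antivirus' $avOk "enabled=$($mp.AntivirusEnabled) realtime=$($mp.RealTimeProtectionEnabled) signatureAgeDays=$($mp.AntivirusSignatureAge)"
} catch {
    Add-Finding 'Antivirus' $false 'Defender status unavailable; verify any third-party product by hand'
}

# Encryption of local storage: BitLocker fully on for the system drive
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $blOk = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
    Add-Finding 'Disk encryption' $blOk "protection=$($bl.ProtectionStatus) volume=$($bl.VolumeStatus)"
} catch {
    Add-Finding 'Disk encryption' $false 'BitLocker cmdlets unavailable (Home edition?); treat the drive as unencrypted'
}

# Separate log-ins: Guest disabled and no enabled account allowed a blank password
$guest = Get-LocalUser | Where-Object Name -eq 'Guest'
$blank = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
$guestOn = $guest -and $guest.Enabled
Add-Finding 'Account hygiene' ((-not $guestOn) -and ($blank.Count -eq 0)) "guestEnabled=$guestOn blankPasswordAccounts=$($blank.Name -join ',')"

# Short timeouts: screen saver active, password-protected, within the limit.
# A domain GPO may set the same values under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = if ($desk.ScreenSaveTimeOut) { [int]$desk.ScreenSaveTimeOut } else { 0 }
$lockOk = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
          ($timeout -gt 0) -and ($timeout -le $MaxLockSeconds)
Add-Finding 'Screen lock' $lockOk "active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeoutSeconds=$timeout"

# Password policy: minimum length actually enforced by the local account policy
$lenLine = (net accounts) | Where-Object { $_ -match 'Minimum password length' } | Select-Object -First 1
$minLen = if ($lenLine -match '(\d+)\s*$') { [int]$matches[1] } else { 0 }
Add-Finding 'Password policy' ($minLen -ge $MinPasswordLen) "minimum length=$minLen (need $MinPasswordLen)"

# Wi-Fi: if connected wirelessly, require WPA2 or WPA3. Router settings (WPS, UPnP,
# firmware) are not visible from the client and must be checked on the router itself.
$authLine = (netsh wlan show interfaces 2>$null) | Where-Object { $_ -match '^\s*Authentication\s*:' } | Select-Object -First 1
if ($authLine) {
    $auth = ($authLine -split ':', 2)[1].Trim()
    Add-Finding 'Wi-Fi security' ($auth -match '^WPA[23]') "authentication=$auth"
} else {
    Add-Finding 'Wi-Fi security' $true 'no active wireless connection'
}

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($findings.Count) controls failed"
exit $failed   # non-zero exit code lets a scheduled task or management tool flag the machine
```

Run it on each machine that is allowed to reach the web-based PHI, keep the output with your risk assessment, and treat any failed row as a machine that should not be used for PHI until fixed. Because it exits non-zero when anything fails, the same script can be scheduled to run weekly so that the “ongoing” part of compliance does not depend on someone remembering to look.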
The final element of this HIPAA discussion related to cyber insurance. Dr. K, who is seeking outside assistance on developing and implementing his HIPAA plan, was asked whether his group carries cyber insurance.
Dr. K: Anybody heard of “cyber insurance”? According to the organization consulting with us, it is a policy that helps cover costs in the event of a breach. It’s inexpensive and worth considering.
Thoughts?
Dr. B: Definitely. I recall that we have a rider on our policy, but I need to double check that.
Dr. G: Would we need cyber insurance if we do not have internet in our office?
Seth responded: If you are an SOS customer, you obviously store and manage PHI in electronic form. Unless you are scrupulous about encrypting and otherwise safeguarding that data, you could conceivably suffer a significant breach. Let’s say that the machine on which you store your SOS database is not encrypted and were to be stolen. Are you prepared to handle the fines, notification of patients, purchase of identity theft insurance for your patients, etc.? Would you feel more comfortable if you had some insurance to help you with those costs?
Whether you NEED it or not is a call only you can make.
And that, my friends, is the bottom line when it comes to HIPAA privacy and security requirements. The law requires a great deal. The Security Rule is scalable: what counts as “reasonable and appropriate” depends on the size, complexity and resources of your organization. Only you can determine what is enough for your organization to do, keeping in mind that even small behavioral health organizations have begun to be fined for irresponsible handling of their security and privacy responsibilities that resulted in a breach. Can your organization survive the repercussions of a PHI breach? How are you handling these issues?