Importance of Covered Entities Proactively Managing CyberSecurity Risks

Two Articles Shine the Spotlight on the Subject

By Edward Jones III, Author and President of HIPAA, LLC.
Twitter: @HIPAAsafeguards

On July 13, Politico published online an article entitled “Electronic health records ripe for theft,” which is available online.  This article makes several important points and we commend it to your attention.  First, the article states:

“[w]hile a stolen credit card or Social Security number fetches $1 or less on the black market, a person’s medical information can yield hundreds of times more, according to the World Privacy Forum.  Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information….  A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo.  The record contains financial records, personal information, medical history, family contacts—enough information to build a full identity….  On the black market, a full identity profile contained in a single record can bring as much as $500.”

In earlier postings on HIPAA Safeguard, we have noted that the largest number of breaches listed on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Web site involve medical records on stolen or lost mobile or portable devices that are not encrypted.  This Web site can be accessed online.  We also have pointed out that OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals provides information on the encryption tools to secure “data at rest” on these types of devices or “data in motion” transmitted from them.  The Guidance, which also includes methods for proper disposal of protected health information in hard copy or electronic form, can be accessed online.  Obviously, covered entities and business associates must pay much more attention to safeguarding protected health information as electronic health record (EHR) technology proliferates under the Meaningful Use program and mobile and smart devices increasingly are used for storage and movement of such information.

This gets to the second point in the Politico article:  “[H]ealth security experts say hospitals’ response to cybersecurity issues has been lackluster, with providers still focused on privacy and confidentiality rather than data terrorists.”  This may be an artifact of the paper environment in healthcare, where the focus was on getting consents and approvals on paper forms and maintaining those forms with other “designated record set” documents out of sight of unauthorized persons and under physical lock and key.  Electronic systems are complex, expensive, require expertise to operate, and take time to understand and to establish “reasonable and appropriate” settings—based on completing a comprehensive risk analysis of threats and vulnerabilities—and to track and monitor system-generated audit reports to ensure database information is secure and to identify security incidents when they occur.  One of the premises of federal financial support under the HITECH Act for electronic health record technology was to achieve more efficient administrative and clinical electronic healthcare exchange, which also required covered entities to pay more attention to the provisions of the HIPAA Security Rule and extended that Rule’s compliance obligations to business associate contractors and subcontractors.  The federal financial support was the carrot for adoption, and increased financial penalties for noncompliance were the stick of enforcement.

This brings us to the third point of the Politico article, namely, “HHS, meanwhile, is stepping up with more aggressive enforcement of security breaches.”  In a HIPAA Safeguard posting on May 13, 2014, we discussed the $4.8 million in financial penalties assessed on two healthcare organizations in New York to resolve HIPAA noncompliance issues.  Also, see the HHS news release pertaining to this resolution online.  A careful reading of this and other resolution agreement corrective action plans shows that OCR is focusing attention on evidence of having conducted a risk analysis, implemented safeguard policies and procedures based on findings from the risk analysis, trained workforce members on those safeguard policies and procedures and ensured workforce members have access to them, and periodically evaluated the effectiveness of the risk mitigation program.  And resolution settlements are not trivial in cost or time.  On June 23, 2014, HHS reported an $800,000 HIPAA settlement in a medical records dumping case.  In its news release, OCR stated:  “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk….  It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”  The news release for this resolution is accessible online.  A reading of the Corrective Action Plan for this case shows that the time constraints for getting approval from HHS for policies and procedures and for the safeguard training curriculum, implementing approved provisions, and reporting to HHS can be onerous.  It is much less expensive to achieve compliance ex ante than ex post, following discovery of noncompliance during a random compliance audit or a mandatory investigation following a complaint or a breach involving 500 or more affected individuals.

The second article that we commend to your attention builds on cybersecurity compliance to achieve “cybersecurity resilience.”  This article is entitled “Resilience Crucial to Combat Persistent Cyber Threats,” in the June 23, 2014, issue of Business Insurance, which is accessible online.  The premise of this article is that an organization has to plan for the unexpected, and “[c]yber resilience makes the assumption that you can’t prevent” cyber attacks.  As a result, an “important element of achieving cyber resilience is aligning security measures with business objectives,” with “risk driving the conversation.”  This is an important consideration and is consistent not only with the risk analysis foundation of OCR’s HIPAA Security Rule and the Meaningful Use Security Measures administered by the HHS Centers for Medicare & Medicaid Services (CMS), but also with OCR’s Security Audit Protocols, which can be accessed online.  Each protocol begins with the statement “Inquire of management …,” which puts the focus on business—policies and procedures—rather than on technology alone.  The key provisions of the HIPAA Security Rule Administrative implementation specifications are the ones dealing with timely and effective recovery from a security incident or breach through contingency plans, recognizing that such incidents or breaches are “inevitable,” but that adverse business consequences can be minimized through preparation.

These two articles highlight the importance of what we are trying to accomplish at HIPAA Safeguard, namely, providing covered entities and business associates with the tools to achieve compliance to mitigate risks and resilience to recover from an incident or breach should it occur.  HIPAA Safeguard policies and procedures cover the standards and implementation specifications of the HIPAA Privacy and Security Rules and the HIPAA Breach Notification Rule, and provide a concordance linking Stage 1 and 2 Meaningful Use Security Measures to HIPAA Security implementation specifications.  With the National Institute of Standards and Technology (NIST) guidance and reference material that accompanies each of the policies and procedures, a covered entity or business associate can readily tailor these required HIPAA/HITECH Act safeguard policies and procedures to a specific business operational environment to demonstrate compliance and achieve resilience once the policies and procedures are implemented.  As the two Resolution Agreements referenced in this posting indicate, achieving compliance prior to an investigation related to a breach—or a random compliance audit—is significantly less costly than a determination of noncompliance afterward.

About the author: Ed Jones is an author, and owner and CEO of Cornichon Healthcare Select, LLC, Seabrook Island, SC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and design of mobile strategies for healthcare transactions. At Cornichon’s Website, at, Ed offers online privacy and security safeguard guidance and reference tools and policies and procedures for achieving compliance with the HIPAA Privacy, Security, and Breach Notification Final Rule and Stage 1 and 2 Meaningful Use Security Measure compliance. He also is President of HIPAA, LLC, which owns and that provide accredited privacy and security training for covered entities and business associates. Ed is the co-author with Carolyn Hartley of ten books for the American Medical Association (AMA) and the American Dental Association (ADA). This post has been syndicated with the author’s permission.