BLOG POST: Keeping Your Eyes Peeled to the OCR
Blog Post by Brian Selfridge, ITRM Partner and Doug Copley, Advisory CISO at Meditology Services
At the recent HIMSS conference, the OCR provided an Enforcement Update where they outlined how they plan to approach enforcement with healthcare covered entities in 2019. As security and privacy consultants and advisors with our ears to the ground, we keep our eyes peeled for these important regulatory trends.
OCR Focus Areas to Watch
Entities that do not report breaches are of great interest to OCR auditors and this is a new focus area for them. Breaches are more common today that any of us would like to admit, so organizations that do not report any breaches can raise red flags. Were there really no breaches or are their controls not sophisticated enough to detect them? Do they have the required risk analysis processes in place to determine whether to declare a breach? So even if you don’t encounter a breach, be prepared to justify your controls and breach processes because you may still get a call from the OCR.
Right-to-access compliance reviews. Healthcare patients in the US have a right-to-access their medical records and organizations have a regulatory requirement to provide them. As patients become more engaged in their health and wellness, the OCR wants to make sure organizations are educated on their responsibilities to provide patients timely access electronically AND in their preferred form and format provided the entity has the ability to produce them.
Business Associate Agreements. (BAA) and ensuring that appropriate security and privacy requirements are in place and being evaluated to ensure compliance. Managing third-parties can be difficult and cumbersome as it involves contractual terms (BAA), risk management and ongoing oversight. On a positive note, it’s becoming easily viable to outsource third-party risk management to companies like CORL Technologies who perform this function for many healthcare organizations day in and day out.
Key Security Trends Noted by the OCR
PHI theft has been trending down over the last 5 years. Though there’s no clear cause and effect relationship, PHI theft may have declined due to the level of encryption implementation efforts by covered entities and the availability of encryption solutions offered by hardware and software vendors and cloud service providers.
Hacking into databases with PHI has gone up over the same 5 years. Healthcare information security teams should leverage the expertise of ethical hackers to identify and test systems for vulnerabilities. With hacking into large databases a greater likelihood, it’s important to revisit your Incident Response Plans to update, test and train your current staff on handling potential data exposure events.
The OCR reported that email related breaches are on the rise, which points to a continued need to focus on technology and education. Spam filters and solutions like multi-factor authentication can greatly reduce an organization’s attack surface, but education and awareness efforts need to provide continual reminders to individuals of how to recognize and report potentially fraudulent and/or malicious emails.
The lack of enterprise risk analysis is a key finding of the OCR’s largest most recent breach report of Anthem levied with a $16M fine. Common vulnerabilities the OCR notes are lack of auditing and software patching practices as well as poor security practices around media disposal.
Staying Ahead of the OCR
Performing periodic (at least annual) security risk assessments and risk analysis on your organization’s information security policies, procedures and systems is a critical control to identify and prioritize control weaknesses. With proper prioritization and resource allocation, organizations can address these weaknesses and improve the posture of their security program before the OCR comes knocking.
The use of risk analysis and risk management tools such as risk registers should be built-in to your business processes. Risk registers provide a method of documenting each identifiable risk event or vulnerability point in the organization, including those with business associates. A regularly updated risk register provides the OCR with evidence a continual risk management program is in place. Thus, it is important to update the risk register anytime there is a new security risk identified, or there is change in the data flow or organizational environment (e.g. new technology added or new business systems). Mature security risk management programs will include risk registers that provide an overall risk score and are updated frequently to capture new vulnerabilities as they arise.
Closing Thoughts for Moving Forward
We are keeping our eyes peeled and our ears to the ground for our healthcare clients. Our entire focus is Security and Data Privacy in the healthcare industry. Leverage our leadership and let us help you bring your programs to a new level of maturity.