Mission Control, We Have a Breach Problem (Part 1 of 5)
Published On August 23, 2018
Blog Post by Brian Selfridge, Meditology Services IT Risk Management Partner
Security and compliance teams are your organization’s “mission control centers” for ensuring that the mission of healthcare delivery is conducted safely and effectively. Mission control has been raising alarms of late to notify leadership that information security breaches are on the rise.
In the U.S. and abroad, regulatory agencies are also exercising their power in fining organizations deemed to not be within compliance of data security regulations. States’ regulations have also increased in frequency and severity over the last few years.
2017 OCR Audit Findings on Healthcare Data Security
OCR recently performed its own reconnaissance mission. In 2017, OCR issued results from its Phase 2 Audits. The results indicated that a large majority of entities are still lacking adequate data privacy, security risk analysis and data risk management processes to meet HIPAA compliance standards.
73% of audited organizations scored below average on the OCR Risk Management Ratings.
The reported Security Risk Analysis Ratings show that 57% of audited organizations scored below average, and no organizations audited received the highest score in this area. Similarly, the Risk Management Ratings show that 73% of audited organizations scored below average (below the level 3 of a scale of 1-5).
Privacy areas did show some improvement over previous OCR audits; however, participating organizations were still perceived to be weak in meeting privacy compliance requirements. The audit revealed that for many organizations, policies and implementation procedures did not sufficiently address privacy access request response processes, breach notification and notice of privacy practices.
There are several actionable steps healthcare providers, health plans and Business Associates can pursue in bolstering security compliance measures and documenting their progress. Some examples include:
- Creating and Maintaining a Security Risk Register
- Updating Business Associate (BA) Inventories
- Improving Privacy Programs
Creating and Maintaining a Security Risk Register
Creating and maintaining a risk register is a fundamental activity every organization should build into their data security programs. A risk register is a method of documenting each identifiable risk event or vulnerability point in the organization and throughout the extended data network (which includes Business Associates). OCR recommends that risk registers be used to track continual monitoring and remediation of identified security risks.
Risk Register Components
The Risk Register provides a list of potential data security risks and evaluates each by:
- Likelihood of occurrence
- Potential impact
- Maturity level of security control
- Overall risk score
Updating Business Associate Inventories
OCR has indicated an expectation that organizations maintain an up-to-date inventory of Business Associate Agreements (BAAs) including specific data fields such as contact information and website details for the BA.
Managing third-party BA security risk is a complex, ongoing task and should have oversight by stakeholders including Legal, IT and Compliance areas. As part of this inventory, it is important to document how well vendors are meeting data security requirements. While some BAs can and do obtain security certifications, the majority of BAs still have not achieved relevant security certifications such as HITRUST and SOC 2 Type 2 reports.
The workload involved in auditing and documenting vendor data security often merits the use of a third-party vendor data management services firm and/or some data automation services.
Privacy Program Improvements
Privacy programs were determined to be lacking across the healthcare industry in the 2017 OCR audit results. Moving forward, organizations should establish the following Privacy policies and processes:
- Access to records must be provided to patients in a timely basis.
- Records must be provided to designated third-parties upon patient request.
- Multiple format options for patient records should be made available (e.g. paper or electronic options).
For Breach Notification processes, organizations should include these response measures:
- Breach notification should include specific details on the dates breaches occurred and what was breached.
- Notify patient community of the response actions taken by the organization following a breach.
- Provide information to affected individuals of future mitigation strategies to address data vulnerabilities and properly secure data.
Finally, the Notice of Privacy Practices (NPP) should be posted publicly on the organization’s website and must be easy to access for site visitors.
These simple steps can improve the organization’s stance with their patient base, satisfy important aspects of the HIPAA requirements and increase public trust for the handling of sensitive information.
Mission Control (the Information Security and Compliance teams) for healthcare entities must also stay up to date on the evolving threats and regulatory enforcement trends to help navigate their organizations to safety.
Healthcare data security. We know it. We analyze it. We report on it. Our annual trend report: Navigating Through a Changing Cyberspace: 2018 Healthcare Data Security Outlook is available to download and share with your colleagues.