Art Gross, President and CEO of HIPAA Secure Now!, participated in an American Osteopathic Association (AOA) webinar on 2015 HIPAA Audits and How to Avoid HIPAA Related Breaches. The recorded webinar is below.
There are a large number of potential attack vectors on any network. Medical devices on a healthcare network is certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given medical device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.
So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:
- Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
- The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
- All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
- Software patches and updates are essential to the continued safe and effective performance of medical devices.
Many device manufacturers are way behind on cybersecurity issues. As an example, many devices are still running on Windows XP today, even though we are one year past the XP support deadline. They are often loathe to update their software for a new operating system. In other situations device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate risks around obsolete operating systems, they are unnecessary and costly. Manufacturers should be supporting their products in a commercially reasonable manner.
Why would anyone be interested in hacking into a medical device? Of course there are those that would argue that anything that can be hacked will be hacked, “just because”. While it is possible that hacking could also occur to disrupt the operations of the device, the more likely reason is that getting onto a medical device represents a backdoor into a network with a treasure trove of PHI that can be sold for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements. That is because manufacturers maintain separate, backdoor access for maintenance reasons. Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware or unable to remediate backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network connected medical devices and analyze the access/credentials that a device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.
Now that the 2015 HIPAA Audits have begun, organizations are reevaluating their HIPAA compliance posture. This is a good thing being that an organization will have very little time to respond to pre-audit and audit inquiries from the Office of Civil Rights (OCR).
On the other hand, some organizations are evaluating the risk of being selected and might conclude that the risk is low. These organizations might decide that the low risk is not worth the effort to ensure HIPAA compliance. The risk of being selected by the IRS to audit your tax return is very low but most people and organizations file their taxes. Why is this the case? People fear the IRS. They fear the hassle associated with an IRS audit, they fear the penalty associated with an IRS audit and they fear the consequences of failing an IRS audit.
Right now people don’t really fear OCR or HIPAA audits. I am pretty confident that people didn’t fear the IRS audits when they first started. It took a few years and some very high profile cases, including putting people in jail, to get people to worry about IRS audits and ensuring that they are properly filing their tax returns. It is not hard to see an analogy with the start of the HIPAA audits. The question that organizations need to ask themselves is:
Do I want to be a high profile example if my organization is selected for a HIPAA audit?
Other concerns
There is no denying that the chance of being selected for a HIPAA audit is low. But a random audit is only one of the ways that OCR could investigate an organization. Let’s take a look at some of the other ways that an organization can come under the HIPAA microscope.
Data Breaches
If an organization has a data breach (lost laptop or hacker steals protected health information -PHI) OCR may decide to investigate the incident. If OCR starts an investigation, they will want to see what safeguards the organization had in place prior to the data breach. It is almost guaranteed that OCR will want to see the following:
- The most recent HIPAA Security Risk Assessment (SRA) and documented work plan to address any issues discovered in the SRA
- Evidence of documented HIPAA Security and Privacy Policies and Procedures (including evidence that the organization has implemented and is following the Policies)
- Evidence that employees have received periodic HIPAA Security and Privacy training (this should be ongoing training that occurs at least once a year)
- Evidence of a security incident response plan
Business Associate Data Breaches
A data breach by a Business Associate may cause OCR to investigate the Covered Entity. If a billing company or IT support organization has a data breach there is a good chance that OCR will investigate both the Business Associate as well as the Covered Entity. The question that organizations need to ask themselves is:
Besides signing a Business Associate Agreement, do I have any proof that my Business Associate is protecting PHI that we disclose to them?
Patient Complaints
Another way that OCR may open an investigation into an organization’s HIPAA compliance is if a patient or former patient files a complaint. The patient may feel that their privacy or the security of their data has been breached and can file a complaint with OCR. OCR evaluates each of the complaints that have been filed and decides if they will investigate the organization.
Employee Complaints
Employees or former employees may feel that their employer is not protecting PHI and could file a complaint against the organization
Meaningful Use
Organizations that are participating or have participated in the CMS Meaningful Use (MU) Incentive Program can be audited by CMS or the Office of Inspector General (OIG). A common reason of failing a MU audit is the lack of a Security Risk Assessment (SRA) or the lack of a thorough SRA and documented work plan to address any issues discovered in the SRA
Conclusion
With over 100 million patient record breaches in the last few years it should come as no surprise that the government is increasing HIPAA enforcement. We have an epidemic of patient records breaches and the need to protect this very sensitive information is apparent. Organizations can no longer ignore HIPAA. Proper safeguards and increased security is needed to protect PHI. It is a lot easier and cheaper to proactively implement HIPAA requirements than it is to respond when OCR comes knocking on your door.
Krasner brings 25 years of IT and seven years of Healthcare IT, HIPAA and Meaningful Use experience to HIPAA Secure Now!
Morristown, NJ (PRWEB) June 04, 2015
HIPAA Secure Now!, a HIPAA compliance service provider, has named Jonathan Krasner to the position of Director of Business Development.
Krasner was hired to expand the company’s MSP (managed service provider) partner program and nurture those relationships. Krasner will help partners grow their businesses and increase sales of HIPAA Secure Now’s award-winning risk assessment, policies and procedures, and employee training program to their medical practice clients.
Krasner brings 25 years of IT and seven years of Healthcare IT, HIPAA and Meaningful Use experience to HIPAA Secure Now!, with positions held in account management, business development, strategic planning and consultative selling.
Most recently Krasner was director of sales at BEI Networks, a successful MSP in the Washington D.C. area, where he brought on more than 50 healthcare provider clients. He also sold HIPAA Secure Now!’s privacy and security services to help them maintain HIPAA compliance.
“Jonathan understands physicians’ businesses and especially the challenges they face meeting HIPAA requirements in the world of electronic health records,” Gross said. “He proved his knowledge by landing more than 20 accounts in the first four months of selling HIPAA Secure Now!, including performing risk analyses for clients. Jonathan brings focused HIT, HIPAA and direct MSP experience to our company.”
HIPAA Secure Now! reached a milestone of 200 partners, as of May, 2015. As the company continues to recruit MSPs to join its member program Krasner will make sure each partner is successful by showing them how to diffentiate their companies and compete in the marketplace. He will train partners in selling HIPAA Secure Now! to generate more business and to upsell to existing clients by offering HIPAA risk analysis and add-on IT services, such as encryption.
“At BEI our customers were always asking for HIPAA compliance services. After trying out multiple products, HIPAA Secure Now! finally met our criteria. It was affordable, timesaving, easy to use and didn’t require the client to be HIPAA experts.
“What HIPAA Secure Now! offers is a new concept – a complete set of compliance services that are done well for the masses. And it’s the right time for the product, with the increase in audits and patient data breaches.”
About HIPAA Secure Now!
HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009. The company’s all-in-one solution provides risk assessment, which also satisfies Meaningful Use requirements, as well as privacy and security policies and procedures, and training. HIPAA Secure Now! moves customers toward HIPAA compliance quickly and easily, and protects them in the event of an audit. Customers complete the entire process in two to three hours, and regularly comment that it is painless and has made HIPAA compliance very easy. For more information visit https://www.hipaasecurenow.com.