The Department of Health and Human Services’ Office for Civil Rights has recently issued a large fine to Idaho State University for the accidental disclosure of electronic Protected Health Information stored on one of its servers. Unbeknown to the University, a server holding data on one of its HIPAA-covered clinics had its firewall accidentally disabled, causing a data security breach that lasted 10 months.
The OCR investigation highlighted three main areas of non-compliance. First, a HIPAA Risk Analysis had clearly not been conducted; had one been carried out, the server with the deactivated firewall would have been identified. Second, there was no risk management process in place, which could also have identified the problem. Third, an Information System Activity Review had not been conducted. The HIPAA Security Rule demands that all three of these procedures be made policy at a healthcare organization in order to be HIPAA-compliant. It was clear that ISU had, albeit unwittingly, violated HIPAA regulations, without the OCR having to perform a full compliance assessment.
HIPAA compliance is an ongoing process
“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” according to OCR Director Leon Rodriguez. Confirming that current systems have the necessary safeguards in place to maintain data security does not mean that those measures will always remain in place.
Updates to policies and procedures should naturally follow rule changes and the introduction of new legislation, but organizations should not wait for Congress to introduce stricter standards before revising current data protection systems and internal policies. Data security needs to be monitored, tested and updated regularly to ensure that it still conforms to the same standards as when it was installed, and in the case of firewalls, to ensure they are still active.
Any healthcare organization that has taken action to become HIPAA-compliant yet has not conducted a further Security Risk Analysis or Information System Activity Review is in all likelihood now violating HIPAA regulations. If audited, it could be penalized for non-compliance. Along with financial penalties, the OCR demands that organizations read the guidance issued via its website, which clearly explains what is required in order to be HIPAA-compliant. All HIPAA-covered entities are obliged to read these guidelines.
Easily overlooked security issues that can cause a HIPAA violation
HIPAA regulations often do not specify the means by which a rule must be satisfied, and some flexibility is allowed for organizations to implement the controls most suitable for the systems they currently have in place. There are some areas of data security that can be easily overlooked, especially by smaller healthcare organizations and those recently brought within scope by HIPAA Rule changes. These include:
Install Firewalls and Check they are Active
Firewalls are a barrier between your internal computer systems and everyone else with an internet connection. They are essential to prevent your data from being freely accessible on the internet and to stop hackers conducting targeted attacks to steal PHI data. Firewalls can be 100% effective as long as they are switched on and the license is current. When a firewall is deactivated, it allows hackers to gain access to a computer, and firewall rules can be changed to maintain access once it is reactivated.
Implementing Stringent Anti-Virus Policies
Firewalls can protect a system from intrusion and many have anti-virus features, although additional controls should be employed to prevent accidental infection, from email attachments for example. These controls must be updated routinely and their licenses checked. Systems should also be scanned regularly as an additional control measure, so that any infection that has bypassed the controls is quickly identified and corrected. A firewall and antivirus software should be installed and monitored by a qualified IT professional.
Ongoing Security Monitoring
Not all network breaches raise alarms, as the ISU security breach clearly demonstrated. Data security measures are only effective if they are active, and firewalls can be switched off accidentally. It is therefore essential to conduct regular data security checks, and there are many benefits to employing an external data security company to continuously monitor data security and integrity, update software, conduct the necessary reviews and provide documentation that these security measures have been performed.
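The two points above, that a firewall must be confirmed active and that its rules may have been altered before it was switched back on, are exactly what a scheduled review should check. The script below is an added illustration, not code from the article or from Idaho State University. It parses the output format of the `ufw status` command (Ubuntu's Uncomplicated Firewall), flags an inactive firewall, compares the live rule set against an approved baseline, and emits a dated record line for the compliance file. The baseline rules and the three sample outputs are constructed for this example; on a real host the text would come from `live_status()`, which needs root privileges.

```python
"""Scheduled firewall review for an Information System Activity Review.

Added example, not the article's or ISU's code.  Parses `ufw status`
output, detects an inactive firewall, and diffs the live rules against
an approved baseline.  Sample data below is constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: the rule set approved at the last risk analysis,
# stored as (To, Action, From) exactly as ufw prints the columns.
APPROVED_RULES = {
    ("22/tcp", "ALLOW", "10.0.0.0/8"),
    ("443/tcp", "ALLOW", "Anywhere"),
}

# Constructed sample: `ufw status` on a healthy host.
SAMPLE_ACTIVE = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.0.0.0/8
443/tcp                    ALLOW       Anywhere
"""

# Constructed sample: the condition that went unnoticed at ISU.
SAMPLE_INACTIVE = "Status: inactive\n"

# Constructed sample: firewall back on, but with a rule nobody approved.
SAMPLE_TAMPERED = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.0.0.0/8
443/tcp                    ALLOW       Anywhere
3389/tcp                   ALLOW       Anywhere
"""


@dataclass
class Finding:
    severity: str
    message: str


def parse_ufw_status(text: str) -> tuple[bool, set[tuple[str, str, str]]]:
    """Return (is_active, rules) parsed from `ufw status` output."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("Status:"):
        raise ValueError("unrecognised ufw status output")
    active = lines[0].split(":", 1)[1].strip() == "active"
    rules: set[tuple[str, str, str]] = set()
    for line in lines[1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith(("To", "--")):
            continue  # blank line or column header
        parts = re.split(r"\s{2,}", stripped)
        if len(parts) >= 3:
            rules.add((parts[0], parts[1], parts[2]))
    return active, rules


def review(status_text: str, approved=APPROVED_RULES) -> list[Finding]:
    """Compare the live firewall state to the approved baseline."""
    active, rules = parse_ufw_status(status_text)
    if not active:
        # Stop here: with the firewall off, the rule set is irrelevant.
        return [Finding("critical", "firewall is inactive")]
    findings = []
    for rule in sorted(rules - approved):
        findings.append(Finding("high", f"unapproved rule present: {rule}"))
    for rule in sorted(approved - rules):
        findings.append(Finding("high", f"approved rule missing: {rule}"))
    return findings


def record(host: str, findings: list[Finding]) -> str:
    """One dated line for the compliance log, proving the check was run."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    summary = "; ".join(f"{f.severity}: {f.message}" for f in findings) or "ok"
    return f"{stamp} {host} firewall-review {summary}"


def live_status() -> str:
    """Read the real firewall state (requires ufw and root)."""
    return subprocess.run(["ufw", "status"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, sample in [("healthy", SAMPLE_ACTIVE),
                         ("inactive", SAMPLE_INACTIVE),
                         ("tampered", SAMPLE_TAMPERED)]:
        print(record(f"clinic-{name}", review(sample)))
```

Run daily from cron and append the `record()` line to a log that is retained; the inactive case is the one that would have been caught at ISU on day one, and the tampered case covers the article's point about rules being changed before a firewall is switched back on.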
Maintain a Record of all HIPAA Compliance and Data Security Measures Employed
Implementing the necessary controls under HIPAA to protect ePHI and computer systems from infiltration is only part of compliance. Should an organization be audited, documentation must be produced as evidence of the measures undertaken. Details of security settings must be provided, maintenance records kept, and software upgrades and patches recorded, all of which must be available to the OCR during an audit.
Details of Information System Activity Reviews, HIPAA Risk Analyses and their findings, and risk management processes must be documented, dated and available to auditors. An organization must be able to prove HIPAA compliance.