HIPAA Audits May Give False Sense of Security

The news that Premera Blue Cross was audited just three weeks before hackers were able to infiltrate its computer systems has raised a number of questions regarding the effectiveness of compliance audits.

The U.S. Office of Personnel Management (OPM) performed an audit of the health insurer and identified a number of security weaknesses that it advised Premera to address, in particular the failure to install patches and software updates in a timely manner, and the need to develop a baseline configuration so that full audits of the insurer’s servers and databases could be conducted.

It took the OPM six months to release its final report on the audit, during which time hackers were accessing and copying the PHI of Premera’s members. After the report was released, it took a further two months before the insurer identified the breach and shut down access, too late to prevent the PHI of 11 million members from being obtained by the thieves.

These issues, along with a handful of other observations, were not considered serious enough at the time to warrant any enforcement action, nor did they suggest to the auditors that Premera was failing to adhere to HIPAA Rules.

The audit was not performed by the Office for Civil Rights (OCR), which has previously conducted much more comprehensive audits of covered entities; the OPM audit covered only a narrow slice of HIPAA compliance and assessed only claims processing applications. It is unlikely that those applications were the route the thieves used to gain access to the data; even so, the completion of an audit only weeks before hackers gained access to the insurer’s computer systems is concerning.

Passing an audit, with or without observations, can give a covered entity a false sense of security.

Passing a Compliance Audit Does Not Guarantee HIPAA Compliance

The much delayed second round of HIPAA compliance audits, originally scheduled to begin in October last year, will have a narrower, more targeted scope, according to early reports on the audit protocol the OCR plans to use.

After the round of pilot audits was completed, the OCR identified a number of key areas where covered entities were struggling with HIPAA Rules, and it is these areas that are expected to be the focus of the next round.

The OCR has recently announced that it has yet to finalize the protocol for the second round, but previous reports indicate that covered entities will only receive a partial audit, either on the HIPAA Breach Notification Rule, Security Rule or Privacy Rule; not all three.

A partial audit could likewise lead a covered entity to believe it is fully HIPAA-compliant because it passed, when that is far from the case. Compliance with the Breach Notification Rule says nothing about compliance with the Privacy Rule, for instance.

A Change of Mindset is Required

Organizations selected for audit will be notified in advance, allowing them to conduct a rapid compliance check, but as Torsten George, Agiliance VP for marketing, pointed out to Technewsworld.com in a recent data security article, “Cases like Premera and thousands of others are proof that if you follow compliance – the checkbox approach to security – it doesn’t mean you’re more secure.” He went on to say that “You have to change your way of thinking. You have to get away from these three-to-six-month sprints to get to compliance and then forget about it.”

The mindset of covered entities really does need to change if they want to prevent data breaches and ensure that PHI is properly protected. Hackers are using increasingly sophisticated methods to gain access to healthcare providers’ databases, and full adherence to HIPAA Rules will not, on its own, keep them out.

HIPAA requires covered entities to adopt a number of safeguards to protect the data they hold, but those safeguards are about reducing susceptibility to attack: they describe a range of defenses that make a covered entity a harder target, not a guarantee that a determined attacker will be kept out or noticed once inside.

Many organizations treat HIPAA as a maximum security standard to strive for, when in fact it lays down only minimum standards, and certainly not enough to withstand a sophisticated cyber attack.

The Security Rule, for instance, requires covered entities to record activity on systems holding PHI and to review those records regularly, but several of the related implementation specifications, such as monitoring of log-in attempts, are “addressable” rather than “required”: an entity may document why the measure is not reasonable and appropriate in its environment and implement an alternative instead, which in practice leaves how much is logged and how closely it is watched to each entity’s own risk analysis.

The legislation also stops short of mandating data encryption, which is likewise an addressable specification. In many cases, as appears to have been the situation at Premera Blue Cross, encryption of stored data could have kept the hackers from reading PHI. In the case of Anthem, however, even encryption at rest would not have prevented its 78.8 million-record breach: the hackers obtained the login credentials of members of staff, so the application decrypted the data for them exactly as it would for a legitimate user.
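The two points above, that encryption at rest is transparent to anyone holding valid credentials, and that routine review of access logs is what actually surfaces such misuse, are easier to see in code. The following is an added example written for this page; it is not code from Premera, Anthem, OPM or OCR. Every name, password, key and member record in it is constructed, the stream cipher is a SHA-256 toy standing in for real encryption, and the 25-records-per-hour threshold is an assumed baseline, not a regulatory figure.

```python
"""Added example: at-rest encryption vs. a credentialed attacker, and the
access-log review that catches bulk reads. All data here is constructed."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key. In production it would live in a KMS/HSM, but the
# application still has to use it to serve every legitimate request.
DATA_KEY = hashlib.sha256(b"demo-data-encryption-key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions

# Constructed staff accounts (password hashes only; the passwords are invented).
_STAFF = {
    "nurse_a": hashlib.sha256(b"correct horse").hexdigest(),
    "claims_b": hashlib.sha256(b"Winter2014!").hexdigest(),
}


def login(user: str, password: str):
    """Return a session token (the username, in this toy) or None."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if user in _STAFF and hmac.compare_digest(_STAFF[user], digest):
        return user
    return None


class PHIStore:
    """Records are encrypted at rest; every read is decrypted for any valid session and logged."""

    def __init__(self):
        self._rows = {}        # record_id -> (nonce, ciphertext)
        self.access_log = []   # (timestamp, user, record_id)

    def put(self, record_id: str, plaintext: bytes) -> None:
        nonce = hashlib.sha256(record_id.encode()).digest()[:12]
        self._rows[record_id] = (nonce, encrypt(DATA_KEY, nonce, plaintext))

    def fetch(self, token: str, record_id: str, now: datetime) -> bytes:
        if token not in _STAFF:
            raise PermissionError("no valid session")
        nonce, ciphertext = self._rows[record_id]
        self.access_log.append((now, token, record_id))
        # Encryption is undone here regardless of who holds the credential.
        return decrypt(DATA_KEY, nonce, ciphertext)


def flag_bulk_readers(access_log, window=timedelta(hours=1), threshold=25):
    """Sliding-window log review: users who read more than `threshold` distinct
    records within any `window`. Returns {user: peak distinct records}."""
    by_user = defaultdict(list)
    for ts, user, rid in access_log:
        by_user[user].append((ts, rid))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        counts, distinct, left = defaultdict(int), 0, 0
        for ts, rid in events:
            counts[rid] += 1
            if counts[rid] == 1:
                distinct += 1
            while events[left][0] < ts - window:      # evict reads older than the window
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    distinct -= 1
                left += 1
            if distinct > threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def run_demo():
    """Constructed scenario: one clinician, one attacker with a phished password."""
    store = PHIStore()
    for i in range(300):
        store.put(f"member-{i:04d}", f"member {i}: dob 1970-01-01, ssn ***-**-{i:04d}".encode())
    t0 = datetime(2015, 1, 5, 9, 0)
    nurse = login("nurse_a", "correct horse")
    for i in range(5):                                 # a handful of reads over the morning
        store.fetch(nurse, f"member-{i:04d}", t0 + timedelta(minutes=10 * i))
    attacker = login("claims_b", "Winter2014!")        # stolen credential, valid session
    stolen = [store.fetch(attacker, f"member-{i:04d}", t0 + timedelta(seconds=5 * i))
              for i in range(200)]                    # plaintext, encryption notwithstanding
    return stolen, flag_bulk_readers(store.access_log)


if __name__ == "__main__":
    records, flagged = run_demo()
    print(f"attacker read {len(records)} plaintext records; flagged by log review: {flagged}")
```

The point of `fetch` is that the decryption step sits behind authentication, not behind the attacker: a phished password is a valid session. What separates the two users is only the shape of their activity, which is why the log review in `flag_bulk_readers` has to run routinely, not just when an auditor asks for it.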

If healthcare providers, insurers and other covered entities really want to protect patient privacy, their mindset has to change. HIPAA compliance is only the start, and passing a compliance audit should not be taken to mean that all systems are secure and locked down. Hackers may still get in unless far more robust security measures are implemented, monitored and updated frequently.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.