3 Health InfoSec Resolutions for 2015Steps to Take to Avoid Regulators' Wrath
Over the past couple of decades, I've helped hundreds of covered entities and business associates with HIPAA compliance issues. A common bad practice I've seen throughout most of these organizations is that they address the "squeaky" security and privacy problems at the cost of protections elsewhere in the organization.
However, many breaches have occurred as a result of organizations taking their eye, and attention, off these other risks. Are you guilty of this practice? Well, for your 2015 resolutions, commit to the following three actions:
1. Manage Risks on an Ongoing Basis
Of course, a risk assessment is an important tool in identifying risks, but you cannot stop there.
These include administrative, technical and physical risks. Significant breaches have occurred as a result of not addressing risks within each of these areas. Of course, a risk assessment is an important tool in identifying risks, but you cannot stop there. You need to implement a risk management program that includes keeping anti-malware updated, regularly applying network and systems security patches, limiting access to information assets to only those who need such access to support their job responsibilities, and performing audits, just to name a few.
Here's a perfect case in point. Anchorage Community Mental Health Services' failure to apply software patches led to a malware-related breach impacting more than 2,700 people in 2012. In December, HHS' Office for Civil Rights slapped ACMHS with a $150,000 sanction for this HIPAA violation: not appropriately mitigating risks. If the organization had a comprehensive risk management program in place - as HIPAA requires - that included keeping their systems patched and up to date, this breach probably would have been avoided. If a breach still had happened with such a program in place, the penalty likely would have been significantly lower.
2. Document, Document, Document!
Over the past 25 years of doing information security and privacy audits, I've had far too many organizations tell me upon my request to see their documented policies, "Oh, our policies are unwritten but generally accepted policies; we all tell each other what they are." Not only is this an unacceptable business practice, it is a violation of HIPAA requirements.
Consider that the ACMHS corrective action in its settlement with HHS provided a long list of documentation requirements, including: information security policies and procedures; training and training participation; an IT risk management policy and procedures; reportable events and associated mitigation plans; and officer attestations for HIPAA compliance activities.
Basically, as far as HHS is concerned, if it isn't documented, it isn't happening.
3. Educate and Keep Everyone Aware
As time goes on, and more information is put into the hands and care of more end-users using a wide variety of new technologies who have no background in information security or privacy, education becomes more important than ever.
Let's take one more look at ACMHS's corrective action plan, which highlights the importance of providing regular training and ongoing awareness. There is an entire section dedicated to education. The corrective action plan calls for ACHMS to provide training to all employees with access to PHI within 60 days of the HHS settlement. On top of that, ACMHS must give copies of the training materials to HHS to approve. ACMHS must provide training at least annually, and to every new worker within 30 days of employment start. Each employee must certify that they attended training.
And HHS was very lenient with these requirements. Ideally, training should be offered more than once a year, and for new employees, right before or after they join the organization. And it would have been good if HHS had also included a requirement for ongoing awareness communications and activities, because that is also required by HIPAA.
Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision that has a relatively low cost and tremendous return on investment in terms of breach prevention, it is also a requirement in most data protection laws and regulations to provide such education.
The Bottom Line
If your organization currently does not do all three of these activities, then make sure you resolve to do them in 2015. Keep in mind that OCR is going to increase HIPAA audits in the coming year, and, based on the ACMHS settlement and others, OCR is increasing its enforcement activities and associated sanctions as well.
Rebecca Herold is a partner and co-owner of HIPAA Compliance Tools and CEO of The Privacy Professor. She is also author of more than 16 books, including, Managing an Information Security and Privacy Awareness and Training Program and a new edition of The Practical Guide to HIPAA Privacy and Security Compliance.