In 2015 the healthcare sector was hit extremely hard, and the year became known as the year of the healthcare attack. Healthcare organizations are a prime target for cyber attack because of the treasure trove of sensitive data they hold, the high resale value of that data on the underground black market, and security practices that are often less mature than in other industries. Stolen data can be used to set up fraudulent lines of credit, commit medical insurance fraud, or obtain expensive medical care in another person's name.
In 2016, one specific style of attack that hospitals and healthcare providers have fallen victim to is ransomware. The likelihood of a successful crypto-ransomware attack against the healthcare sector is significantly higher than against other sectors, because many organizations lack a mature information security program and have less than adequate security measures in place.
A recent U.S. Government report indicates that, on average, there have been 4,000 ransomware attacks per day since early 2016, a 300% increase over the 1,000 daily attacks reported in 2015. This surge prompted the FBI to issue an alert to the media, hospitals and healthcare providers. Certain measures are known to be effective at preventing the introduction of ransomware and at recovering from a ransomware attack.
To help healthcare entities better understand and respond to the threat of ransomware, OCR released new HIPAA guidance on preventing, detecting, containing and responding to it. Because ransomware compromises the integrity and availability of electronic protected health information, the guidance makes clear that a ransomware attack that encrypts ePHI is presumed to be a “breach” under the HIPAA Breach Notification Rule unless the entity can demonstrate a low probability that the PHI was compromised. Under the rule, entities experiencing a breach of unsecured PHI must notify the individuals whose information is involved in the breach.
The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. These required security measures include:
• implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
• implementing procedures to guard against and detect malicious software;
• training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
• implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
OCR HIPAA Audit Program Ramps Up in 2016
The President’s fiscal year 2016 budget request included $83.8 billion for the Department of Health & Human Services (HHS), of which $43 million was slated for the Office for Civil Rights (OCR), including its HIPAA audit program. OCR will focus on administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules, and on corrective action plans, while imposing civil monetary fines for violations of the HIPAA Rules.
On March 21, 2016, OCR announced its Phase 2 Audit Program. Phase 1 focused mostly on larger organizations; Phase 2 will not. OCR is aware that smaller organizations often fall short of HIPAA compliance, so Phase 2 will cover a larger and more diverse pool of covered entities and business associates.
Organizations will be contacted via email to complete a pre-audit questionnaire; once that information is collected, OCR will select organizations for the actual audit. If you are selected, it will most likely be a desk audit, and you will be required to upload the specified documents within 10 business days.
For Covered Entities
Covered entities should do a self-evaluation to determine whether they:
• have the right policies and procedures in place;
• have performed a comprehensive risk assessment as required by the HIPAA Security Rule;
• have performed security awareness training for their employees;
• have an incident response plan in place that incorporates both administrative and technical safeguards; and
• have business associate agreements in place with their business associates.
Security Rule Requirements for Risk Analysis and Risk Management
The Security Management Process standard of the Security Rule requires covered entities to “implement policies and procedures to prevent, detect, contain, and correct security violations.” The standard has four required implementation specifications, two of which are Risk Analysis and Risk Management. Risk analysis and risk management are important to covered entities because these processes “form the foundation upon which an entity’s necessary security activities are built.”
A risk analysis is one of the most important steps a covered entity must take, and it is required. The covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds. The Department of Health and Human Services (HHS) states that risk analysis should be an ongoing process and part of the entity’s security management process, and its results drive the implementation of all of the safeguards (administrative, physical, and technical) in the Security Rule. In particular, a covered entity must:
• Evaluate the likelihood and impact of potential risks to ePHI;
• Implement appropriate security measures to address the risks identified in the risk analysis;
• Document the chosen security measures and, where required, the rationale for adopting those measures; and
• Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to ePHI.
The second required implementation specification is developing a risk management plan. Under it, covered entities are required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the general requirements of the Security Rule.” Because the number of new vulnerabilities and threats continues to grow every day, covered entities must adjust their cyber defenses to address the increasing risk. The purpose of a risk management plan is to provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. For the plan to succeed, key members of the covered entity’s workforce, including senior management and other key decision makers, must be involved. The results of the risk analysis give these key workforce members the information they need to make risk prioritization and mitigation decisions.
Risk management is an ongoing process that requires covered entities to continually evaluate and maintain their security measures. Compliance with the Security Rule requires financial resources, management commitment, and workforce involvement. The risk management plan guides the covered entity’s actual implementation of security measures to reduce risks to ePHI to reasonable and appropriate levels.
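The risk analysis and risk management steps above are easier to reason about with a concrete register. The following is a worked example added to this article; it is not OCR or HHS guidance and not any vendor’s tool. The 1-5 likelihood and impact scales, the threats, the control “reductions” and the tolerance threshold are all constructed assumptions, since the Security Rule does not prescribe a scoring method. It shows the loop end to end: score each risk to ePHI (likelihood x impact), apply and document the chosen controls with their rationale, compute the residual score, and decide whether the risk is now at a “reasonable and appropriate” level or must be treated further in the next cycle.

```python
# Hypothetical risk register for the Security Rule's risk analysis / risk
# management loop. Example code added to the article, not OCR/HHS guidance or
# a vendor product. Scales, scores, threats and the tolerance are constructed.
from dataclasses import dataclass, field

# Qualitative 1-5 scales. HHS mandates no particular scale; these are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps removed from likelihood
    impact_reduction: int = 0       # scale steps removed from impact
    rationale: str = ""             # why the measure was chosen (documented per the Rule)


@dataclass
class Risk:
    asset: str            # the ePHI system or store at risk
    threat: str
    vulnerability: str
    likelihood: str       # key into LIKELIHOOD
    impact: str           # key into IMPACT
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after the selected controls, floored at 1 per axis."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def prioritize(register):
    """Risk analysis output: risks ordered by inherent score, highest first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def risk_management_plan(register, tolerance):
    """Risk management output: per risk, the chosen controls, the documented
    rationale, the residual score, and whether the risk is now within tolerance
    ("accept") or still needs further treatment."""
    plan = []
    for r in prioritize(register):
        residual = r.residual_score()
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": residual,
            "controls": [c.name for c in r.controls],
            "rationale": "; ".join(c.rationale for c in r.controls if c.rationale),
            "decision": "accept" if residual <= tolerance else "treat further",
        })
    return plan


def needs_treatment(register, tolerance):
    """Assets whose residual risk is still above tolerance (input to the next review cycle)."""
    return [e["asset"] for e in risk_management_plan(register, tolerance)
            if e["decision"] == "treat further"]


# Constructed sample register (illustrative, not real findings).
SAMPLE_REGISTER = [
    Risk("file server (patient records share)", "crypto-ransomware via phishing email",
         "users can run attachments; backups are online and writable",
         "likely", "severe",
         controls=[
             Control("offline, tested backups", impact_reduction=2,
                     rationale="restores availability without paying; limits outage"),
             Control("mail filtering + user awareness training", likelihood_reduction=1,
                     rationale="fewer malicious attachments reach or are opened by staff"),
         ]),
    Risk("clinician laptops", "loss or theft", "ePHI stored unencrypted on disk",
         "possible", "major",
         controls=[Control("full-disk encryption with managed keys", impact_reduction=3,
                           rationale="a lost device no longer exposes readable ePHI")]),
    Risk("EHR application", "insider browsing of records",
         "all staff accounts can open any chart", "likely", "moderate",
         controls=[Control("role-based access + access logging", likelihood_reduction=2,
                           rationale="limits access to those who need it; logs support detection")]),
]

TOLERANCE = 6  # assumed organizational threshold for "reasonable and appropriate"

if __name__ == "__main__":
    for entry in risk_management_plan(SAMPLE_REGISTER, TOLERANCE):
        print(f'{entry["asset"]}: inherent {entry["inherent"]}, '
              f'residual {entry["residual"]} -> {entry["decision"]}')
```

With the sample data the ransomware risk scores 20 inherent and 9 residual, so it stays above the assumed tolerance of 6 and is carried into the next cycle for further treatment, while the laptop (3) and EHR access (6) risks are accepted. Re-running the register after each control change, and after each new threat is identified, is the “ongoing process” the Rule calls for; the rationale strings are the documentation an auditor will ask to see.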
Cybersafe Solutions’ Threat Hunting, Threat Monitoring, Threat Training and Threat Policies offerings not only meet the requirements set forth by the Department of Health and Human Services but will also prepare your organization to pass the upcoming HIPAA audits. Visit our Contact Us page to take the next step toward achieving compliance while securing your organization’s most sensitive data and systems.