The Office for Civil Rights (OCR) is the government agency that enforces HIPAA Privacy, Security, and Breach Notification Rules. For several years, OCR has been issuing alerts to increase awareness of cyberattacks in the healthcare industry. It has also issued several guidance documents to help providers secure their electronic protected health information (EPHI) from cyberattacks. Despite these efforts, OCR continues to find during its investigations that large breaches resulting from cyberattacks could have been prevented if HIPAA Security Rule requirements had been met. For this reason, OCR has announced a Risk Analysis Initiative to focus certain investigations on compliance with the HIPAA Security Risk Analysis provision.
The Security Rule specifically requires that every HIPAA covered entity “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
The Security Risk Analysis is a key Security Rule requirement and the foundation for effective cybersecurity measures and the protection of EPHI. According to OCR Director, Melanie Fontes Rainer, “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”
In its first enforcement action in the Risk Analysis Initiative, OCR fined a health care organization $90,000 for failing to conduct a compliant risk analysis which resulted in a ransomware attack and breach of EPHI of 14,273 patients. The organization is also required to implement the following corrective action plan that will be monitored by OCR for three years:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;
- Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Train its workforce on its HIPAA policies and procedures.
Areas of Non-Compliance
In an instructional video published to YouTube™ in October, OCR discusses Ransomware and the HIPAA Security Rule. In addition to discussing trends in ransomware and breaches, OCR outlines some common areas of non-compliance that can be addressed through an accurate and thorough security risk analysis:
Deficiency – Unpatched vulnerabilities, such as in computer operating systems, remote access solutions, and routers, as well as unsecure network configurations.
Corrective actions – Processes should be in place to identify technical vulnerabilities, such as through regular vulnerability scanning to detect obsolete software and missing patches, and penetration testing to identify weaknesses. Once risks and vulnerabilities are identified and assessed, they can be mitigated by applying patches, replacing obsolete software and equipment, etc. Network segmentation is an important solution for legacy systems that are needed but can no longer be patched.
Deficiency – Poor access controls and weak authentication processes, particularly in remote access solutions and administrator-level privileges. Worst practices include remote access groups that require only single-factor authentication (i.e., a password alone), and generic software user or service accounts that still carry default passwords.
Corrective actions – Due to the increased risks associated with remote login and the extent of access that is permitted under administrative privileges, covered entities must ensure that authentication solutions are sufficient to reduce those risks. Access controls should be role- or user-based, and use of multi-factor authentication is strongly recommended for remote access and administrator-level privileges. Virtual private networks, Microsoft’s Remote Desktop Protocol, as well as firewalls, network segmentation, and network access control (NAC) are all possible solutions to secure networks.
Deficiency – Lack of thoroughness (e.g., only a subset of a regulated entity’s environment was considered for risks posed to its EPHI).
Corrective actions – A comprehensive assessment of risks and vulnerabilities to all EPHI must be conducted. This will include an assessment of all devices and media that receive, store, or transmit EPHI. An asset listing is the best place to begin to ensure that all computers, servers, removable media, and other devices are considered. Provider cell phones, medical devices/equipment and any other devices that may receive, transmit, or store EPHI must be included. OCR suggests considering all of the ways that EPHI is created or received, how it flows through your organization, and how it leaves or is disclosed.
Deficiency – Audit controls are not in place to record and examine information system activity, neither through manual monitoring nor through an automated rules-based system. Too often, OCR finds that attackers have infiltrated a regulated entity’s network, conducted surveillance, and exfiltrated data over a protracted period, sometimes for months.
Corrective actions – The Security Rule requires implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. This can be accomplished through manual processes or through an automated cybersecurity system. Cybersecurity software such as anti-malware software, intrusion detection and response solutions can not only detect and alert appropriate personnel, but oftentimes can also proactively take measures to contain or impede the progress of a cyber-attack.
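As an added illustration of the "automated rules-based" review described above (example code, not from OCR or Eagle Associates), the script below applies three simple review rules to a constructed EPHI access log: off-hours interactive activity, large exports, and one account viewing an unusual number of distinct patient records in a day. The log format, account names and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp user action patient_id bytes
SAMPLE_LOG = """\
2024-10-03T09:12:00 jdoe VIEW P1001 0
2024-10-03T09:14:00 jdoe VIEW P1002 0
2024-10-03T23:40:00 svc_backup LOGIN - 0
2024-10-03T23:41:00 svc_backup EXPORT - 524288000
2024-10-04T02:05:00 asmith VIEW P2001 0
2024-10-04T02:06:00 asmith VIEW P2002 0
2024-10-04T02:07:00 asmith VIEW P2003 0
2024-10-04T02:08:00 asmith VIEW P2004 0
2024-10-04T02:09:00 asmith VIEW P2005 0
2024-10-04T02:10:00 asmith VIEW P2006 0
"""

def parse_log(text):
    """Turn each whitespace-separated line into a dict; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient, "bytes": int(size)})
    return records

def review_log(text, max_views_per_day=5, export_limit=100_000_000,
               night_start=22, night_end=6):
    """Apply the three review rules; return a sorted list of (rule, user, detail)."""
    findings = set()
    views = defaultdict(set)  # (user, date) -> distinct patient ids viewed that day
    for r in parse_log(text):
        hour = r["ts"].hour
        # Rule 1: interactive activity at night (thresholds are assumptions)
        if r["action"] in ("LOGIN", "VIEW") and (hour >= night_start or hour < night_end):
            findings.add(("off_hours_activity", r["user"], r["ts"].date().isoformat()))
        # Rule 2: a single export larger than the configured limit
        if r["action"] == "EXPORT" and r["bytes"] > export_limit:
            findings.add(("large_export", r["user"], str(r["bytes"])))
        if r["action"] == "VIEW":
            views[(r["user"], r["ts"].date())].add(r["patient"])
    # Rule 3: one account viewing more distinct records per day than expected
    for (user, day), ids in views.items():
        if len(ids) > max_views_per_day:
            findings.add(("excessive_record_views", user, f"{len(ids)} records on {day}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:25} {user:12} {detail}")
```

Findings from a review like this still need a person to examine them and record the outcome, which is the "regularly review" part of the requirement.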
In addition, OCR recommends all covered entities take the following steps:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Ensure that EPHI backups are secure, current, accessible and recoverable at all times through performance of periodic test restorations.
- Integrate risk analysis and risk management into business processes regularly.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
Resources
If your organization is due to conduct an accurate and thorough security risk analysis, the following resources are available:
HHS Security Risk Analysis Tool – Assistant Secretary for Technology Policy (ASTP), in collaboration with OCR, offers a free, downloadable Security Risk Assessment Tool here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
A User Guide for the Security Risk Assessment Tool is available here: https://www.hhs.gov/guidance/document/security-risk-assessment-sra-tool-user-guide
If you are a subscriber to the Eagle Associates HIPAA program, you have access to a Security Risk Analysis tool, and complete Security Rule policies in Section 4.00 of the manual, along with training for staff.
Eagle Associates recorded a Security Risk Analysis webinar for subscribers of the HIPAA Compliance System. This detailed, step-by-step recording with explanations of each specification, findings and corrective actions can be purchased for $225. Send an email to info@eagleassociates.net or call us at (800) 777-2337.
We will follow up with more ransomware prevention measures in the January issue.