Tag Archive for: security risk analysis

HIPAA Security Emphasis

Prior to the end of support of Windows 7 in January 2020, many covered entities are still working to upgrade their operating system to Windows 10. We have published an article in the October issue of the Advisor® that warns of some documented security vulnerabilities within Windows 10 that must be considered in properly configuring the newer operating system. Following is a link to a whitepaper for proper configuration of Windows 10 (that was issued jointly by Microsoft and HIPAAOne) that you may share with your IT vendor or personnel: https://www.hipaaone.com/wp-content/uploads/2019/06/HIPAA-Compliance-Microsoft-Windows-10.pdf

In addition, the article describes two aspects of a Security Risk Analysis that HHS has recently emphasized. The first is in regard to an asset listing, which is generally addressed in contingency planning. While this list may be helpful in rebuilding the network/information system following a disaster, HHS emphasizes that the listing should first serve as a thorough inventory of all devices that receive, store or transmit EPHI so that appropriate security measures can be considered for each. And lastly, an asset listing will help practices with multiple locations track the location of devices.

The second item of emphasis is a recommendation from HHS that covered entities establish a business associate listing. It is recommended that any time the services of a new vendor are engaged, the practice determine whether the vendor will qualify as a business associate. If so, the business associate should be recorded in a listing, along with contact information and a description of the services the BA provides. A Business Associate Agreement must be established with such entities prior to providing access to or sending the BA any protected health information. When a covered entity is audited by the Office for Civil Rights, a business associate listing will be requested. Establishing the list prior to an audit will ensure that your practice is able to respond quickly and confidently to the request.

Please see the article in the October 2019 Advisor® for more details.

Cyber Extortion

According to the Office for Civil Rights (OCR), incidents of cyber extortion have risen over the past few years and are projected to be a major source of digital disruption in the future. Cyber extortion is defined as a crime involving an attack or threat of attack, coupled with a demand for money to stop it. In addition to ransomware attacks, where cyber criminals encrypt your data and demand a ransom to restore your access to it, cyber extortion includes threats to make stolen information public, or to delete files altogether.

It is important to realize that even the smallest practices have been a target, due to the fact that patient information is valuable and smaller organizations are sometimes more lax in securing their information systems. Please consider the following recommendations in order to limit your liability exposure:

Security Risk Analysis (SRA) – Ensure that you perform a complete review of your HIPAA Security Rule policies and procedures on an annual basis. Remember that an SRA involves verifying that you have implemented policies/procedures to limit risk to your electronic protected health information (EPHI). Current subscribers to Eagle’s HIPAA Compliance System have a complete SRA tool to meet this annual requirement.

Technical Network Assessment (TNA) – A TNA involves a diagnostic evaluation of your information system to look for open unsecured ports, devices missing security patch updates, enabled User IDs that should have been terminated, and more. Documentation from a TNA works in concert with an SRA, and provides strong evidence of applying reasonable safeguards to limit risks to patient information.

Workforce Privacy and Security Training – Awareness for privacy and security is critical to the front-line defense for your information system. Eagle provides privacy and security training in the April and May issues of the Advisor® to help with this task. Eagle also provides “Compliance Notes” (a monthly one-page article in the Advisor®) to remind staff about privacy and security issues. Train staff to identify suspicious emails and messaging scams that could lead to malicious software infecting your information system.

Anti-virus or anti-malware systems – Ensure that you have a strong firewall and anti-virus applications that can scan your information system and provide alerts when suspicious activity occurs. The keys are to implement such applications and monitor the alerts so that immediate corrective actions can be taken.

Data backups – Your data backup procedures should ensure that backup data is encrypted and disconnected from your local server/network (having the data physically taken off site each night or backed up to a secure remote server). Having the backup data stored off site will be critical to your recovery in the event of a disaster or a ransomware attack.

Audit Logs – While most EMR and operating systems have robust audit logs, they need to be periodically reviewed for unusual or suspicious activity. Create a schedule for reviewing activity reports on at least a monthly basis.
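As an added illustration (not part of Eagle's materials or the HHS guidance), the script below runs the kind of checks a TNA looks for over a constructed asset listing of EPHI devices and a constructed user list: devices on an operating system that is at or near end of support (Windows 7, January 2020), devices with stale patching, and enabled user IDs that belong to departed staff or have gone unused. The asset and user records, the 60-day patch window and the 90-day idle threshold are all assumptions made for the example.

```python
from datetime import date, timedelta

# Vendor end-of-support dates; Windows 7 left support in January 2020.
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}

# Constructed sample asset listing: one row per device that receives, stores or
# transmits EPHI, with its location (useful for practices with several sites).
ASSETS = [
    {"host": "FRONTDESK-01", "os": "Windows 7", "last_patch": date(2019, 9, 10), "location": "Main"},
    {"host": "EXAM-03", "os": "Windows 10", "last_patch": date(2019, 10, 8), "location": "Main"},
    {"host": "BILLING-02", "os": "Windows 10", "last_patch": date(2019, 6, 1), "location": "Satellite"},
]

# Constructed sample user list: account state, last logon, and whether the
# person is still on the workforce roster.
USERS = [
    {"id": "jsmith", "enabled": True, "last_logon": date(2019, 10, 1), "employed": True},
    {"id": "rdoe", "enabled": True, "last_logon": date(2019, 2, 14), "employed": False},
    {"id": "tlee", "enabled": True, "last_logon": date(2019, 5, 20), "employed": True},
    {"id": "oldtemp", "enabled": False, "last_logon": date(2018, 1, 5), "employed": False},
]

REVIEW_DATE = date(2019, 10, 25)  # assumed date the review is run


def review_assets(assets, today, max_patch_age_days=60):
    """Flag EPHI devices on an OS within 90 days of end of support or missing recent patches."""
    findings = []
    for a in assets:
        eol = END_OF_SUPPORT.get(a["os"])
        if eol and today >= eol - timedelta(days=90):
            findings.append((a["host"], "os-eol", f'{a["os"]} support ends {eol}'))
        age = (today - a["last_patch"]).days
        if age > max_patch_age_days:
            findings.append((a["host"], "patch-age", f"last patched {age} days ago"))
    return findings


def review_users(users, today, max_idle_days=90):
    """Flag enabled user IDs that should have been terminated or look abandoned."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts are already handled
        if not u["employed"]:
            findings.append((u["id"], "terminated-still-enabled", "disable and remove"))
        elif (today - u["last_logon"]).days > max_idle_days:
            findings.append((u["id"], "idle-enabled", "confirm still needed"))
    return findings


if __name__ == "__main__":
    for f in review_assets(ASSETS, REVIEW_DATE) + review_users(USERS, REVIEW_DATE):
        print(*f, sep="\t")
```

Each finding carries the host or user ID and a short reason, which is the form that is easiest to carry into the SRA corrective-action list and to re-run on the monthly review schedule.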

Threats to your information system and the patient data that you store will not diminish in the future; they will likely intensify. Take steps now to ensure your EPHI is protected from known threats by completing a security risk analysis and technical network assessment. These evaluations will help you improve the security of your practice’s information system and reduce your liability.

Meaningful Use and Security Risk Analysis

Now that the final rule for 2015 meaningful use has been released, we have received some questions as to whether there are changes that will need to be made to our Security Risk Analysis template. The final rule was released on October 16, 2015, and changed the Medicare and Medicaid EHR Incentive Programs reporting period in 2015 to a 90-day period aligned with the calendar year.

The good news is that the final rule did not include any modifications to Security Rule requirements, and therefore does not necessitate any changes to our 2015 Security Risk Analysis template. If you have already completed a Security Risk Analysis during 2015, and used our template, you will NOT need to re-do it, or change anything.

The rule specifies that you may select any 90-day period in the calendar year as a measurement period, and that your Security Risk Analysis must be completed during the same calendar year, and before you submit your attestation. So, even if you conducted your Security Risk Analysis outside of your 90-day measurement period, that is fine, as long as it took place during 2015, and was completed prior to submitting your attestation.

HIPAA Compliance System Subscribers

Security Risk Analysis – The 2015 Security Risk Analysis template is available in the Member Services area of our website. Simply log in to locate the document on the HIPAA Compliance System materials page, and then save the template to your hard drive to enable saving your entries. Explanations, instruction and HIPAA Compliance Manual references are provided for each item to be addressed within the risk analysis.

Risk Analysis Assistance – If you would prefer that Eagle Associates complete your risk analysis with you, you may call to schedule a phone conference with one of our consultants. During the call, our consultant will collect information about the security measures that are in place in your practice, make note of these in the risk analysis document, and identify any corrective actions that are needed to comply with Security Rule requirements. The fee for this service is $350. (Note that an active subscription to the HIPAA Compliance System is required.)