Healthcare providers, payers, and business associates must adopt a robust approach to cybersecurity protocols to protect health information, comply with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations, and prevent breaches and resulting investigations.
A Growing—and Costly—Concern
According to the Department of Health and Human Services Office of Civil Rights (OCR) most recent annual report to Congress regarding breach notification,1 in 2021, OCR received more than 600 notifications of cybersecurity breaches—those affecting at least 500 people—which in total impacted more than 37 million people. The most commonly reported category of breaches was hacking/information technology (IT) incident of electronic equipment or a network server.
Through its investigations of these breaches, OCR identified the need for covered entities to improve compliance with the HIPAA Security Rule standards and implementation specifications of risk analysis, risk management, information system (IS) activity review, audit controls, and access control.
A recently announced settlement between OCR and L.A. Care Health Plan, the nation’s largest publicly operated health plan, demonstrates the importance of such compliance activities.2 L.A. Care agreed to pay $1.3 million and implement a comprehensive corrective action plan to include three years of compliance monitoring by OCR and a requirement that L.A. Care report all evaluation of operational or environmental changes and any noncompliance of HIPAA rules. Specifically, the settlement addressed the failure to
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization
- Implement security measures sufficient to reduce risks and vulnerabilities to ePHI at a reasonable and appropriate level
- Implement sufficient procedures to regularly review records of IS activity
- Perform a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of ePHI
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
Adherence to the HIPAA Security Rule and by extension the protection of ePHI requires providers, payers, and business associates to be vigilant in their risk management processes, as well as their response to changes in their physical and technical environments. Cybersecurity leaders must proactively address the potential for breaches and security incidents by implementing effective internal controls and processes in these and other key areas:
- Conducting annual risk analyses
- Implementing security measures and audit procedures to protect ePHI from unauthorized access, use, or disclosure
- Ensuring mechanisms are in place to examine IS activity and respond to alerts of suspicious activity
- Performing periodic technical and non-technical policy evaluation
5 Cybersecurity Strategies to Avoid Breaches
To avoid breaches and subsequent government investigations, providers, payers, and business associates should implement a robust risk identification and mitigation process. While a full HIPAA Security Risk analysis addresses multiple control areas, these five strategies, learned from the L.A. Care case, are key steps to protect data:
- Conduct an annual HIPAA security risk analysis (HSRA) to determine risks and vulnerabilities across the organization and assist with the development of mitigation action plans for the remediation of identified vulnerabilities. In accordance with the HIPAA Security Rule,3 an accurate and thorough assessment must be conducted to address the potential risks and vulnerabilities to ePHI. Results of the HSRA should be documented, and mitigation steps should be assigned to responsible parties to implement security measures.
- Ensure procedures to regularly review IS activity are implemented. Most information systems provide audit controls with a reporting mechanism to document activity, and log management platforms can aid in documenting and examining IS activity.
- Review audit logs periodically (e.g., monthly). Document these processes within organizational policies and procedures.
- Review organizational security policies and procedures annually or in response to operational changes that could affect ePHI. Operational changes may include, for example, additions to technical infrastructure, environmental disasters, and physical modifications to the facility. Because the security of ePHI is dependent on the physical and technical barriers that are implemented, policies and procedures should be updated as soon as any operational changes take place.
- Implement hardware, software, and procedural mechanisms to record and examine IS activity. These mechanisms can be automated or procedural, but sufficient user and system information should be documented to include at least the type and result of the event, the user ID associated, and the program/command used to initiate the event.
As illustrated by the L.A. Care investigation and settlement, threats to cybersecurity are always just a click away, and bad actors never stop looking for a foothold. By implementing key cybersecurity strategies to protect ePHI, providers, payers, and business associates will be better positioned to avoid breaches and well prepared in the event of a potential breach or security incident and any related investigation.
PYA’s IT Overwatch program helps organizations remain vigilant. As a part of Overwatch, our clients receive access to a comprehensive risk management program that addresses all elements of IT infrastructure, process assessments, data governance, and risk management. PYA also conducts an annual HSRA for Overwatch clients. Any risks associated with technical and non-technical policy evaluation are documented by PYA, and mitigation steps are outlined. Moreover, PYA provides policy and procedure analysis and advisory services to ensure existing policies meet HIPAA privacy or security requirements.
With experts in healthcare, compliance, and IT, PYA works hand-in-hand with Overwatch clients. If you have questions about PYA’s IT Overwatch, cybersecurity strategies, healthcare compliance or regulations, strategic planning, or any other area related to healthcare systems, our executive contacts would be happy to assist. Contact them by email or by calling (800) 270-9629.
Resources
1 https://www.hhs.gov/sites/default/files/breach-report-to-congress-2021.pdf