Most healthcare organizations are playing catch-up when it comes to building or updating an ePHI security plan to reflect today's cybersecurity risks, said David Chou, vice president and chief information and digital officer at Children's Mercy Kansas City. His own organization lacked a truly comprehensive set of security policies and procedures when he came on board in May 2016, and that is when he began building its modern-day ePHI security program. "It's a journey," he said.
Here are four areas to consider when building your ePHI security program:
- Update your log management configuration: Your organization probably already has a log management tool in place to comply with HIPAA, but are all web servers, devices, load balancers, firewalls, systems, proxy servers and content security appliances actually configured to report everything coming into or out of your organization? To protect and secure patient data, you must know who is accessing which systems and data, and what they are doing with the information, in real time, Chou said.
- Implement a comprehensive security framework: A growing number of healthcare organizations, including Children's Mercy, are working toward implementing the health IT testing infrastructure developed by the National Institute of Standards and Technology. The infrastructure is designed to enable scalable, multipartner, automated, remote capability for current and future testing needs.
- Cast a wide net when shopping for a security risk assessment tool: These tools can vary in price by tens of thousands of dollars, said Tampa-based healthcare and IT attorney Tatiana Melnik. She recalls how one vendor quoted a five-physician medical practice at $30,000, while a different vendor quoted $8,500. "The services were nearly identical," she said. "One vendor was just a bigger name. They went with the lower-priced vendor."
And double-check whether the tool includes a vulnerability scan. "Most vendors will not include a vulnerability scan at their basic price point, but you can't perform a good vulnerability analysis without one," she said.
- Update your incident response plan: If you're devoting more time, money and resources toward sniffing out cybersecurity weaknesses, you'll undoubtedly find what you're looking for. So be sure your plan reflects today's cyberthreats, as well as any organizational changes, Melnik advised.
Consider that about 40% of corporate and in-house counsel surveyed said their healthcare organization's plans are too generic, lack specific guidance for the types of incidents the organization might face and have not been adequately tested, according to a 2016 survey by Bloomberg Law and the American Health Lawyers Association.
When a risk to ePHI security is uncovered, your organization should have someone in place who is qualified to determine the context, scope and magnitude of the vulnerabilities, and whether and how the organization should respond, Melnik said.
This was an expensive lesson learned for the University of Mississippi Medical Center. In 2016, it agreed to pay a resolution amount of $2.75 million and adopt a corrective action plan to settle multiple alleged HIPAA violations. An investigation by the Office for Civil Rights concluded that UMMC had been aware of various risks and vulnerabilities to its systems for several years, but had not engaged in any significant risk management activity until after a breach occurred.
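The first item above, checking that every device in the environment is actually feeding the log management tool, is easy to state and easy to get wrong: a collector that is "in place" still has blind spots if a firewall was never pointed at it or a proxy stopped forwarding last month. The script below is an added example, not code from the article or from Children's Mercy; it compares a constructed asset inventory against the hosts seen in constructed syslog lines and reports inventory devices that have never reported, devices whose last event is older than a freshness window, and hosts that are logging but are not in the inventory at all. The hostnames, log lines and 15-minute window are assumptions for illustration.

```python
"""Log-source coverage check for a HIPAA log management setup (added example).

Given an asset inventory and a batch of syslog lines, report:
  * silent  - inventory hosts with no events at all
  * stale   - inventory hosts whose newest event is older than max_age
  * unknown - hosts that are logging but are missing from the inventory
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory: hostname -> role. Every host here must report to the collector.
INVENTORY = {
    "web01": "web server",
    "web02": "web server",
    "lb01": "load balancer",
    "fw01": "firewall",
    "proxy01": "proxy server",
    "ehr-db01": "EHR database",
}

# Constructed RFC 5424-style syslog lines (timestamps in UTC), as a collector might hold them.
# Note: web02 and ehr-db01 never appear, proxy01 last reported hours ago, and
# mri-ws03 is logging although nobody put it in the inventory.
SAMPLE_LOGS = """\
<134>1 2024-05-01T10:00:02Z web01 nginx - - - 10.0.4.7 GET /patients/123 200
<134>1 2024-05-01T10:00:05Z lb01 haproxy - - - frontend https_in accepted 10.0.4.7
<110>1 2024-05-01T10:00:09Z fw01 pf - - - block in on em0 10.0.9.4 -> 10.0.1.20
<134>1 2024-05-01T08:10:00Z proxy01 squid - - - 10.0.4.7 TCP_MISS/200 GET http://example.com/
<134>1 2024-05-01T10:01:00Z web01 nginx - - - 10.0.4.8 POST /login 302
<134>1 2024-05-01T10:02:00Z mri-ws03 dicom - - - C-STORE from 10.0.7.31 accepted
"""

# "<PRI>1 TIMESTAMP HOSTNAME ..." is the RFC 5424 header; we only need the timestamp and host.
LINE_RE = re.compile(r"^<\d+>1 (\S+) (\S+) ")


def parse_line(line):
    """Return (timestamp, hostname) for a syslog line, or None if it is not parseable."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts_text, host = match.groups()
    try:
        # fromisoformat() on older Pythons does not accept a trailing 'Z', so normalise it.
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:  # treat naive timestamps as UTC so comparisons stay consistent
        ts = ts.replace(tzinfo=timezone.utc)
    return ts, host


def coverage_report(inventory, log_text, now, max_age=timedelta(minutes=15)):
    """Compare inventory against observed log sources and return the three gap lists."""
    last_seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts

    silent = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h, ts in last_seen.items() if h in inventory and now - ts > max_age)
    unknown = sorted(h for h in last_seen if h not in inventory)
    return {"silent": silent, "stale": stale, "unknown": unknown}


def example_report():
    """Run the check over the constructed data at a fixed 'now' (assumed: 10:05 UTC)."""
    now = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)
    return coverage_report(INVENTORY, SAMPLE_LOGS, now)


if __name__ == "__main__":
    report = example_report()
    for kind, hosts in report.items():
        roles = ", ".join(f"{h} ({INVENTORY.get(h, 'not in inventory')})" for h in hosts) or "none"
        print(f"{kind:8s}: {roles}")
```

Run against a real collector export, the interesting output is usually the "unknown" list: a device that logs without being inventoried is exactly the kind of asset that ends up outside the risk assessment, while a "silent" firewall or EHR database is a gap in the audit trail HIPAA expects you to be able to produce.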