On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar titled “Cybersecurity in Health IT: Trend and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.
2019 HIPAA Summit
The HIPAA Summit focused on advances in security technology and increased government cybersecurity initiatives. Considering recent data breaches, healthcare organizations must build cybersecurity awareness programs that ensure HIPAA compliance. Here are four top priorities:
- Secure executive and board-level buy-in
- Provide ongoing training and education
- Perform an annual risk analysis
- Create a comprehensive incident response plan
The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history of $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:
- Failure to conduct an enterprise-wide risk analysis
- Insufficient policies and procedures to regularly review information system activity
- Failure to identify and respond to suspected or known security incidents
- Failure to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive electronic protected health information (ePHI)
Defense in Depth
In the traditional sense, defense in depth means applying a layered approach to protecting your assets, including a variety of techniques and technologies. The potential for leaving gaps in protection and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.
Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:
- Identification—inventories for asset management, governance and risk management
- Protection—access controls, awareness and training, protective technologies
- Detection—tools to detect threats and events, continuous monitoring, manual/automated alerting
- Response—planning, communications, analysis
- Recovery—planning, improvements, communications
Relevant Controls for HIM
We highlighted focus areas for HIM in two categories. The first is Access/Account Management which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. They must work closely with other departments—human resources, IT and compliance to establish policies and controls that prevent improper access to PHI.
The second category is Administrative, Physical and Technical with emphasis on:
- Data classification—data flow mappings and sensitivity
- Roles and responsibilities—privacy, security and legal
- Information security awareness—education, training and policies
- Information handling—use and disposal
- Physical access—secure rooms
With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.
As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.
In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.
Top Cybersecurity Threats in 2019
Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:
- Third-party misuses or shares of confidential data
- An attack involving IoT or OT assets
- A significant disruption to business processes caused by malware
- A data breach involving 10,000 or more customer or employee records
- An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment
As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.
The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.
To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.