Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. OCR Director Jocelyn Samuels pointed to recent statements by the President and characterized digital threats as a public health crisis. Additional themes, which we outline in this post, also emerged.
Audit Program. Phase II of the OCR audit program is underway. There will be 200–250 audits total: more than 200 will be desk audits, with a much smaller number of “comprehensive” on-site audits beginning sometime in the first quarter of 2017. Any organization undergoing a desk audit may also be subject to an on-site audit.
OCR Senior Advisor Iliana Peters informed the audience that much of the $20 million collected this year from OCR enforcement efforts was funneled into the audit program, as the Congressionally-mandated program did not receive appropriated funds. OCR Deputy Director Deven McGraw emphasized that OCR views the audit programs as serving an overall educational function but warned that, as usual, the office has authority to open a compliance review any reason, including findings from an audit and especially if it finds a significant risk to PHI or an auditee does not respond to a request for documents.
In the covered entity selection process, organizations were pooled based on size, affiliation, location, public or private, group health plans and issuers, and providers were further categorized by type of care. While covered entities were drawn from the pools randomly, their selection was not conducted in any statistically significant way, and McGraw warned against attempts to extrapolate from any findings. OCR selected 167 covered entity auditees and is currently in the middle of reviewing submissions.
Desk audits of business associates will begin this month. The selection pool of business associates stems largely from the over 20,000 business associates identified by covered entities during desk audits. As with audits of covered entities, OCR will conduct a webinar for selected business associates and will provide multiple opportunities to ask questions when submitting documentation.
OCR emphasized it was too early to share any information at this time. The office is working to develop and share findings via email to the auditees and eventually release preliminary non-entity-specific findings. While OCR will not release any individual entity findings, such records, as information received in enforcement activities, may be FOIA-able. Sensitive data would be withheld from such findings according to the Privacy Act.
Cybersecurity Task Force. Under the Cybersecurity Act of 2015, HHS was tasked last year with formulating (1) a cybersecurity task force, (2) a preparedness report for HHS and the private sector; and (3) a set of industry-wide best practices and guidelines.
In an update, a representative from the Office of Emergency Management reported that the task force is making progress. The task force generated a lot of interest from individuals, and while it is federally coordinated, with representatives from HHS, DHS, NIST, and DOD/VA, the representative stressed that its efforts are industry-driven.
The last meeting of the task force is in December. The previous three meetings have included a portion open to the public, and the task force continues to welcome input from anyone with an interest and expertise in health IT. The law did not specify a due date for the task force report, but a report will likely be released in 2017, as the term of the task force expires March 2017.
Access Issues. After ONC’s report on data blocking last year, OCR has recently released an FAQ on the subject that Director Samuels highlighted in her keynote address. A business associate blocking access to PHI maintained on behalf of a covered entity may be a violation of HIPAA as an impermissible use—this includes a “killswitch” that renders data inaccessible to the covered entity. The business associate has an obligation to return PHI as provided for in a business associate agreement.
OCR fast-tracks urgent situations that involve the need for immediate access and a quicker response. Access complaints are the third most common type of complaint received by OCR.
Ransomware. Many speakers mentioned the threat of ransomware, and the conference dedicated an entire panel to the subject this year. Director Samuels called it a clear “scourge” and pointed to OCR’s ransomware guidance that shows how HIPAA compliance can help prevent, address, identify, and remediate such an attack.
Risk Analysis. A running theme of the conference was a major lesson learned from Phase I of the audit program and breach investigations: the failure to conduct an “accurate and thorough” risk assessment. McGraw pointed to three challenges in risk analysis: (1) a scope problem where an organization does not account for all ePHI in the enterprise and leaves out vulnerable areas such as mobile devices, laptops, some server farms, or entire wings of property, or only focuses on EHRs; (2) a timing problem where a risk analysis is either not done frequently or at all before a breach—five years without an updated risk analysis in this changing digital environment is likely too long; and (3) a resources problem where the organization has an implementation plan with a 10 year life cycle, but a data breach occurs in year 1 or 2, or with a risk assessment complete, the organization takes no action to address vulnerabilities or decides to delay action until some future time.
Information Sharing. According to ONC Chief Privacy Officer Lucia Savage, entities sharing threat and attack information are vital to create an effective “Cyberhood Watch” program. ONC awarded a grant to the National Health Information Sharing and Analysis Center (NH-ISAC) to create a financially sustainable model for a non-membership-based information and sharing analysis organization (ISAO). ONC’s goal is to ensure less disparate information sharing. In addition, small organizations or entities located in rural areas that can’t afford to be members in these organizations or to collect their own information will have an opportunity to share and access threat information. DHS has guidance on sharing threats for every sector, as required by the Cybersecurity Act of 2015, and OCR has guidance on sharing threats without sharing PHI. Regulators throughout the two days reiterated that it should be easy to remove PHI when sharing threat information, as these disclosures are not waived under HIPAA.
Data Breach Trends. Theft, loss, and improper disposal of PHI continue to be the majority of breach reports. Hacking/IT error breaches affect the largest percentage of individuals or records, however, although they account for only 13 percent of breach reports. Peters discussed trends in the approximately 1,700 large breaches of PHI (i.e., affecting 500+ individuals) reported to OCR to date. Of these breaches, 40 percent of the incidents involved theft or loss of mobile devices, other portable electronics, laptops or desktops containing unencrypted PHI. In addition, 23 percent involved paper records, and Peters urged the audience not to forget to manage paper records properly and include them in risk analyses. OCR separately noted that there have been approximately 239,400 reported breaches affecting <500 individuals to date.
OCR has reached a record number of settlements this year. Director Samuels summarized key takeaways from a few recent cases:
- Changing any aspect of the technology environment should trigger a reevaluation to address any new risks presented (St. Joseph Health allegedly installed a new server with default settings that allowed ePHI to be publicly accessible through internet searches)
- Business associates have many of the same responsibilities as covered entities (Catholic Health Care Services allegedly did not have any evidence risk analysis, a risk management plan, or policies in place governing the removal of devices from its facilities)
- Encryption remains the gold standard of protection of information (OHSU allegedly failed to enter into a business associate agreement with a cloud services provider, didn’t reevaluate risks after evidence of incidents of theft or loss, and failed to take action after identifying lack of encryption as a risk)
- Number of individuals affected is a significant factor in assessing settlement amounts (Advocate Health Care, with a $5.55 million settlement, involved a breach affecting 4 million individuals)
Guidance and Other Cybersecurity Tools. Government officials continue to solicit feedback about what areas industry requires additional guidance. During Q&A sessions, attendees praised some of the recent guidance and tools (e.g., access, ransomware, cloud computing, mobile health apps). OCR announced that social media and text messaging guidance documents are in progress, targeting release in the first quarter of 2017. OCR is also close to finalizing short guidance on sharing with friends and family expected to be released later this year.
ONC’s Security Risk Assessment tool remains the most downloaded of the resources provided on healthit.gov. The tool was developed with significant input from OCR, and, as a downloadable Q&A, it is housed on the downloading computer, without worry that any responses are being transmitted to a government agency. Using the assessment tool will not fix security vulnerabilities, however, and entities will still need to formulate a plan to take action to remediate any identified risks.
* * *
The conference agenda is available here, and presentation slides should be available through the conference website shortly.
See the recap of last year’s conference here.
Shee Shee Jin, an associate in our Washington, D.C. office, contributed to this post.