HIPAA Omnibus: Testing Breach Response
Expert Discusses a Variety of Compliance Challenges
As a result of the new breach notification requirements under the HIPAA Omnibus Rule, it's critical for organizations to test their breach response plans, says security specialist Andrew Hicks.
"Testing is absolutely critical to this. What they need to do beforehand is understand or make sure that mechanisms are in place to identify a breach," Hicks says in an interview about the results of the 2014 Healthcare Information Security Today survey (transcript below). The survey found that only 30 percent of the approximately 200 healthcare organizations that participated in the poll have conducted a test to see if their breach notification plans will work in a real breach situation.
"The bottom line is, you don't want to find out you had a breach from the press; you want to know from the inside and then move forward as necessary," says Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire. "So within a [breach response] policy, you need to define what a breach is, define escalation procedures and documentation requirements ... You have to make sure you have the right people involved; you have to have legal, IT in some cases, privacy compliance officers - they all need to be involved."
It's also critical that the person within an organization ultimately responsible for managing breach response is clearly identified, he says. "You don't want someone from the inside reporting a false positive to the media with regards to a breach. You want that to be handled by a specific individual in the organization," he says.
In the interview, Hicks also discusses:
- Risk assessment challenges many entities encounter;
- Why it's challenging for many covered entities to identify business associates;
- Tips for improving overall HIPAA compliance.
Hicks has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance. His experience also includes implementing and managing IT internal control programs relative to maintaining Sarbanes-Oxley, HIPAA, HITECH Act and PCI regulatory compliance.
Lack of a Plan
MARIANNE KOLBASUK MCGEE: Why do you think a quarter of organizations still haven't yet put a HIPAA Omnibus compliance plan into place, and what are the risks to organizations that are still putting that off?
ANDREW HICKS: It looks like most of those survey takers were covered entities, right? So it is surprising to me that 25 percent of them still don't have a plan in place. I think that number is high, and shouldn't be that high, because HIPAA is 15 years old now. [Some] possible reasons for that [are], companies are seeing the cost of HIPAA compliance. They're being forced into compliance. So there are some cost-prohibitive reasons, budget constraints; many see it as too time-consuming or not enough internal resources. Then you also have the smaller covered entities that may not even understand what their obligations are with regards to HIPAA. When you look at the risk factors, we all know there are breaches out there; there [are] penalties, both monetary and civil. The biggest thing now that we're seeing is reputational risk. I know ... the Target breach wasn't healthcare related, but that is a great example of what a reputational risk will do to an organization in terms of sales and customer trust.
Struggling with HIPAA Compliance
MCGEE: Why do you think organizations are struggling with the particular tasks survey respondents named, such as providing patients access to electronic health records and revising breach assessment notification procedures?
HICKS: I think those responses represent a pretty common trend. We all know that training and logical access have always challenged covered entities. Logical access, whether it's for internal or external access, is always going to be a problem; we just need to face that. It's proven that most breaches happen from internal mistakes, and organizations continue to struggle with the whole "minimum necessary" concept that's backed by solid access provisioning and decommissioning processes. When you look at it from a business associate management standpoint, we've seen it in the workplace. A lot of covered entities, as sad as this may sound, don't even know who their business associates are. In some cases they're good at executing the BA [agreements], but all they have as far as information about those BAs is the actual contract itself and a signature that they can't tie back to a specific entity. So that is a risk that we see today.
We see CEs that are pushing their business associates through archaic processes that involve spreadsheets and questionnaires, which is very difficult to manage through. Then we've also seen business associate agreements that are being managed by administrative personnel that don't really have any understanding of what HIPAA is, or the implications there. These should be managed by legal counsel or other compliance-type officers. When you flip it over and look at the BA vantage point, looking upward at the CEs, many of these smaller service providers don't understand what a business associate is; therefore, they don't want to sign these agreements because they have legal implications.
Unaware of Federal Regulators
MCGEE: Do you think it's possible that some organizations are still unaware of what the federal regulators expect when it comes to breach assessment under HIPAA Omnibus?
HICKS: Yeah, absolutely. We've already touched on some of the biggies, but there are some other things that we're finding out in the workplace. Organizations still have not raised the concept of a risk analysis. They still confuse it with a HIPAA compliance assessment or their HIPAA compliance initiatives. A risk assessment is totally different; in fact, it's the No. 1 requirement of the HIPAA Security Rule.
When we do our assessments, we've found that, of the assessments that we do, 90 percent of those are really lacking and struggling with good policy and procedure management, both in designing policies, managing the content, and reviewing them on a periodic basis. Lastly, which is really the new hot topic in the healthcare industry, is business associate management. It's a new concept in terms of what needs to be done. We know that business associate agreements are not good enough anymore to keep your name out of the newspaper. Having a good process that gives you visibility into how your business associates are actually managing your data, how they're safeguarding and protecting it, is critical for a covered entity when considering vendors and going through that contracting process.
MCGEE: What are the first steps that organizations should take in making formal changes so that what they're doing in terms of assessing breaches is jiving with what OCR expects under HIPAA Omnibus?
HICKS: The first thing they need to do is get away from the harm-based approach that was introduced by the HITECH Act. The new approach is risk-based under the Omnibus Rule. So basically the risk-based approach will require organizations to perform, more or less, an immediate risk assessment if a breach or suspicious activity occurs. This all needs to be defined in their policies. Secondly, you've got to test now and often, especially with changes to an organization.
Testing Breach Notification Plan
MCGEE: What is the best way for organizations to test their breach notification plan before they have an actual incident?
HICKS: Testing is absolutely critical to this, but what they need to do beforehand is understand or make sure that mechanisms are in place to identify a breach. So they need to have login capabilities in place, anonymous alert numbers available to employees, and be searching social media sites for potential data breach information. The bottom line is, you don't want to find out you had a breach from the press; you want to know from the inside and then move forward as necessary. So within the policy, you need to define what a breach is, define escalation procedures and documentation requirements. ... You have to make sure you have the right people involved; you have to have legal, IT in some cases, privacy compliance officers, they all need to be involved. You don't want someone from the inside reporting a false positive to the media with regards to a breach. You want that to be handled by a specific individual in the organization.
I would say that you need to walk through the breach risk assessment process using those four breach reporting conditions that the Office for Civil Rights has identified in the Omnibus Rule. So you need to walk through those, understand what [they] are, how they may apply, [and] maybe use a scenario-based testing procedure to test [them]. Lastly, you need to understand the breach reporting requirements. There are specific guidelines in there regarding the timeline, how you contact affected individuals, how you contact the media or when you contact the media, as well as your upstream covered entities and ultimately the OCR.
Pushback from BAs
MCGEE: Where do you see the most pushback from BAs in terms of the demands that they're getting from their covered entities related to HIPAA Omnibus and HIPAA compliance?
HICKS: We all know that business associate agreements are the new thing out there. They're being thrown around the industry like they're candy; but in some cases what we're seeing is that covered entities are asking their business associates to jump through all kinds of hoops to prove they're compliant. While I completely agree that a business associate agreement is not enough, forcing all business associates to go through costly assessment, like a HITRUST certification as an example, may not make the most sense for every single type of business associate. I think these organizations need to do a risk-based approach and consider the size, complexity and ultimately the risk that a business associate gives back to that covered entity as a way to manage them appropriately.
MCGEE: Do you think it's possible that more organizations are experiencing breaches than they realize? Is it possible that incidents are not being properly assessed for breach notification under HIPAA Omnibus, or perhaps not being detected or reported at all?
HICKS: I think the [survey] results are on par with what I would expect from a covered entity. Those make sense, those jive with what we're seeing. Business associates, on the other hand, I would expect much worse. In many cases, these business associates are being pulled into compliance by their covered entity. Some of these may be billing companies or paper-shredding companies - these are the guys that have no ties to the healthcare industry except through their covered entity. These are the guys that don't know what HIPAA is, they're still spelling it with two P's and one A. So for this reason, I completely agree that many breaches are going unnoticed. I think we're going to see that number go up substantially in the next two, three, four years, until these business associates really understand what they're on the hook for. In fact, we've also seen that the Office for Civil Rights actually beefed up their staff in support of these 2014 audits coming down the pipeline, as well as the expectation that the breaches are going to go up. The penalties and enforcement responsibilities will go up as well.
Improving Data Breach Protection
MCGEE: What's the best way that organizations can improve their breach detection?
HICKS: Breach detection isn't really new; it's just a different approach. Again, I always say you have to have good systematic controls in play. You have to have good central logging mechanisms that are backed by strong monitoring mechanisms. Things like data loss prevention are always great as a way to minimize the flow of network segmentation. You have to consider ultimately the flow [of data], and you want to really restrict that to as minimal a footprint in the organization as possible, as well as restricting access to only those that have a specific need for accessing that data.
Lastly, it's reported all the time how critical training is. It really is. Employees need to understand what PHI is, why it's important, what the acceptable uses are, and in this case, what they need to do if a breach is suspected. What are the proper reporting channels for identifying and notifying of a potential breach?
Improving HIPAA Compliance
MCGEE: What is the best thing covered entities can do to improve their overall HIPAA compliance?
HICKS: Most covered entities, they're kind of over the first threshold. They have decent policies and procedures in place. In my opinion, the biggest emerging risk is how covered entities are managing their business associates, as well as the risk that they present to the CE's data and reputation. This is why [Coalfire] created HIPAA Central as a way for covered entities to have visibility, be in compliance and assess risk. From a BA standpoint, if they're going to manage protected health information as part of a business process, they need to come to terms with HIPAA. They need to embrace it, understand it, [and] go through the HIPAA risk assessment process and make an effort to be compliant. At the end of the day, it's their name that's going to be in the newspapers and press, and their name is going to be tied to a breach, fine, [or] penalty. They need to come to terms with it and really start embracing and implementing the proper controls. So really the bottom line here is any organization, whether it's a CE or a BA, needs to comply with HIPAA when they create, receive, maintain, or transmit PHI data. Whether they're doing that internally or externally, they just need to understand what those requirements are and ultimately what they're on the hook for with regards to their compliance initiatives.
A Security Grade
MCGEE: How would you grade the overall state of information security among healthcare entities and business associates?
HICKS: From what we're seeing out there, I would probably say a C for covered entities, maybe a B-minus. For business associates, I would say maybe an F, or a D at best. I mean, these are the guys that are still spelling HIPAA with two P's and have no idea what they're on the hook for. They're in that complete triage mode with regards to meeting compliance and understanding why their covered entities are pushing them down this business associate path.
MCGEE: Would you say they have a lot of work to do before they improve their grades?
HICKS: I think we've seen, with what OCR has published in the 2012 [audit] protocol and in their findings, a lot of things tie back to doing a risk assessment, having policies and procedures in place, [and] doing training; encryption is an excellent [step]. Those ... are really the top priorities and have been for a long time with regards to just kick-starting their compliance program.