Watch to learn about HIPAA compliance and breach trends and time-saving tips to overcome HIPAA challenges.
This webinar was hosted on June 21st, 2017.
To view more recent content, visit https://www.securitymetrics.com/learn
In this webinar, Senior HIPAA Security Analyst Brand Barney (HCISPP, CISSP, QSA) covers:
Alright. We're gonna go ahead and get started. Thanks again for everyone's attendance. We're excited to be talking to you today. Our webinar today is Current OCR and HIPAA Trends: What You Don't Know Can Hurt You.
Our presenter will be Brand Barney, who is the senior HIPAA security analyst here at SecurityMetrics. He also holds credentials such as HCISPP, QSA, and CISSP.
And so we're excited to be hearing from Brand today. He's been at SecurityMetrics for ten years and has a lot of experience helping organizations of all sizes, levels of technical knowledge, and needs in general. So we'll get a lot of great real-world examples today from Brand.
Before we get started, a little bit about SecurityMetrics. We've been helping organizations comply with mandates, avoid security breaches, and recover from data theft since 2000.
So once again, a lot of experience that hopefully all of you attendees can learn from today.
We're gonna do a couple housekeeping items here. The most common question we get is: will we send out a recording and the slide deck for the presentation?
So the answer is yes. You should receive both the recording of the presentation as well as the slide deck within the next few days, and we will just be sending that to the email that you used to register for the webinar.
So watch your inbox for that. Throughout the webinar, if you have any questions, please chat them in using the GoToWebinar control panel, and we'll address as many as we can at the end of the presentation.
If we don't have time to get to some of the questions, we'll reach out to you on an individual basis to make sure that you guys are taken care of.
So during today's presentation, Brand's gonna cover current HIPAA compliance and breach trends, lessons from recent HIPAA settlements, and time-saving tips to overcome HIPAA challenges.
And before we get started and I turn it over to Brand, we actually wanna do a couple quick polls that'll just pop up on your screen there, so that we have a better feel for who we're presenting to and, hopefully, we can make this as effective a presentation as possible. So what type of health care organization do you work for? Select whether you're working for a covered entity or a business associate, and if you're not sure, that's fine. This will just help Brand as he presents.
We'll give this another ten or fifteen seconds.
Awesome. It looks like the numbers are staying stagnant. So thank you all for your participation. That's gonna be really helpful as Brand presents.
We're gonna do one more poll that is kind of based around today's topic, and it's: do you keep up with OCR and HIPAA trends, as well as regulatory updates in general for HIPAA compliance?
So once again, we'll give this another fifteen or twenty seconds. This will, again, just help Brand know the audience, and we're looking to make your hour with us as effective as possible.
Great. And time permitting, we may do a few more polls throughout the webinar. We'll let you know if they're coming so you can be watching for them, and hopefully that helps again with your engagement in making this productive for you. So with those polls done and with the agenda taken care of, I'm gonna turn the time over to Brand.
Alright, ladies and gentlemen. Thank you so much for taking time out of your Wednesday morning or afternoon, depending on where you are, to sit with me and talk with me about, and learn a little bit about, some of the recent HIPAA compliance and breach trends and some HIPAA settlements that we've seen recently.
And most importantly, and what I think many people really want to know, is what you can do. What are some time-saving tips to overcoming HIPAA challenges?
Now, as Colin so kindly mentioned, I am the senior HIPAA security analyst for SecurityMetrics. What that means is I'm the security auditor that comes out to many organizations and helps them with their compliance and their security. Now, I get all excited when we get started, and I get too excited. I do believe that when we look at security, if we're doing security correctly, compliance is gonna come as a direct result of that.
But, unfortunately, and as we're gonna talk about today, we're gonna see that many entities, no matter their size, so whether they're a large entity, a small entity, a covered entity, or a business associate, are losing their data at a very quick pace, lots and lots of data. So I'd like to talk about that and kinda show you what that means for you. So let's start out with what the current HIPAA compliance and breach trends are today. From the SecurityMetrics HIPAA Security Rule Report that we performed during 2016, we found that 89 percent of the C-suite, so major stakeholders within the organization, believe that they're HIPAA compliant.
What's interesting to me is that that was such a high number of those that felt like, hey, yes, my organization, the employees that are working for me, and the associates that we share data with, they're doing the correct thing. From my assessment, this oftentimes was a direct result of products. You know, they'll purchase a product and say, hey, it was marketed as compliant.
We went out and we purchased a firewall that said compliant. When I got set up with my EMR, that said compliant. So this idea that they're compliant really starts to percolate through the organization. Now, from 89 percent of the C-suite believing that they're totally compliant, we see that only 67 percent of compliance and risk officers believe they're compliant.
We do see a disparity there. Now, I can tell you from my experience, boots on the ground inside organizations a lot like yours, oftentimes, toward the end of an assessment, those numbers significantly decrease and they are educated that they're not truly compliant. Just because we bought a product that said we were compliant, that didn't indicate compliance at any level, or even security for that matter. What I also find really interesting is that as we look at their security, oftentimes we see that they don't understand their HIPAA scope.
So what truly is required to be compliant, but also what needs to be secured and how.
Now, in addition to that, we interviewed about fifty health care professionals who were responsible for HIPAA compliance about their patient data and data security.
Now, these were organizations with anywhere from zero to a thousand employees. So it could be a small provider's office up to a fairly large business associate or a small hospital. So as we look at these things, we found that fifty percent of them stated that they encrypt patient data.
Now, in my opinion, that is a high number, a high level of belief that that's the case. I think when we look across the industry, we're gonna start to see that many people do believe that they have their data encrypted. One of the things that I wanna draw your attention to today, as we start to talk about compliance and breach trends, is that it's really easy to think, well, we encrypt our data at, say, our email, or we encrypt our data within our database, or we have full-disk encryption on something like our laptops.
Remembering what I said in the previous slide, we have to consider scope here. So what I want you to be thinking about as we go through this entire presentation is where data is created, so protected health information or electronic protected health information. Where is it created? Where is it transmitted?
Where is it received? And where is it maintained? So those four things. And we gotta be considering each of those. So if we look at encryption, for example, are we encrypting data everywhere that it's gonna be transmitted? That could be over a web protocol. That could be through email.
It could be through all kinds of text messages. How about the data that's being stored, data at rest? What about our database, and things like that? So fifty percent, I do think, is a little bit high, but this is about fifty health care professionals that said they were doing it. Now, interestingly, fifty-two percent stated that they review their firewall rules at least annually. And I think this number, according to my assessments on-site, is really, really high.
An annual review of firewall rules typically is not done by most organizations; however, it is required. I recommend that you're doing that about twice a year. So every six months, you're looking at your firewall rules and asking, are these things, one, secure? Two, does that make us compliant?
And three, are they even needed? What we see a lot of times with firewall rules is a lot of redundancies. A lot of people have a lot of access they shouldn't. And here's another interesting thing that comes up with firewalls: a lot of people are partnering with another vendor who maintains or configures their firewall devices.
One of the things that I caution people about is that that vendor may be doing a fantastic job, but the question is, do you know what rules are set up? Do you know what needs to be there? Are they truly following these rules? We're gonna talk about that in a couple slides, mentioning business associate agreements and so forth.
So I get excited about that. Alright. We also found that thirty-seven percent stated they were using some type of multi-factor authentication, oftentimes called two-factor authentication, when they're remotely accessing their protected health information or their networks that maintain and protect PHI.
Now, multi-factor authentication, when we typically look at this, is three things: something that you know, something that you have, and something that you are. So the first factor might be your username and your password. A second factor could be something biological, so maybe a retina scan or a thumbprint.
Maybe not as common for most organizations, and certainly not the cheapest option for most people, but it is an option. And then it could be something that you have as well. So we might see this very commonly with things like Google Authenticator. That's an option. It's typically a token that's sent when you're trying to authenticate to something.
So thirty-seven percent stated that they were compliant with using that. Now, when we look at a lot of the breaches that are taking place today, not just in the health care industry, but in all industries, what we're finding is that attackers are coming in through insecure login credentials. They're coming in through remote access. And we'll talk about that in a few slides.
But one of the things I want to encourage you to do today is start to investigate and ask yourself, are you the thirty-seven percent, or are you going to fall short of that? And I'd say that most people do. And then lastly is unique login credentials.
A whopping sixty-six percent stated that they had unique login credentials. And one of the things that I want to caution here is that, in fact, when I've come out to most entities, whether they're a business associate or a covered entity of any size, most of the time this is usually zero percent compliance for the first assessment. Oftentimes we have overlooked credentials or shared credentials. We might see something like a non-unique login, something like admin or guest or nurse one for a nursing station.
We also find that there's a serious problem within the health care industry of physicians and providers sharing their credentials with their staff members, which I can tell you from experience makes the forensics investigation an absolute nightmare. You don't wanna be doing that, not just because it's a compliance cost to you, but because the actual cost later will oftentimes be more than most people wanna bear. One of the things that I wanna talk about is some of the top organizational vulnerabilities that we are finding within the health care industry. Now, this is interesting, and I get asked the question a lot.
Well, Brand, I'm a business associate that helps with billing and invoicing, or maybe we have some type of secure messaging solution.
Or they'll say, hey, Brand, we're just a small doctor's office. I've got less than ten employees in my office. Are the organizational vulnerabilities, these top threats here, the same for me as they're going to be for everybody else? And I tell you, oftentimes, the answer to that is yes. It could be for the really, really large organizations down to the small organizations.
Resources: the more resources an entity has, oftentimes the more they can put into remediating these things, but we oftentimes don't see that. And that happens for a variety of different reasons, which I'll talk about coming up. But first is insecure remote access. We've kinda talked about this already, and this is going to continue to be an issue.
You don't oftentimes see this one reported nearly as often to HHS OCR. I'll tell you the reason that happens, and it happens for many vulnerabilities: most people don't know that they're being exploited, because they don't have the proper configurations or security protocols when it comes to remote access. They just have no method to know. But I think the number one thing we can take from this list would be our employees.
This one I don't see going away anytime soon. In fact, I probably don't ever see this going away. Our employees are some of our greatest risks. It may be the way that they've been trained or have not been trained, the way they handle data and mobile devices, the way they connect, the things they do that they're not supposed to do, and sometimes just human error.
So we're going to talk about that a lot. We do see this one getting reported to HHS OCR quite frequently.
And in my experience, boots on the ground in organizations, I get very passionate and excited to help people understand the types of risks their employees present to us. We've seen a lot of BYOD, which is bring your own device. Oftentimes we're looking at people that are bringing in their privately owned devices, things like laptops and cell phones, and attaching them to our company networks. This is presenting a lot of risk to our organizations.
But the thing I want to draw your attention to, and I want you to be thinking about, is the devices that are being taken, say, home. So the physician, he or she is taking their laptop home because they're always working.
The nurse who constantly has notes to be filling out, or the developer in your organization who is constantly working on code or enhancement requests. We need to be thinking about where those devices are going when they leave organizations and the possibly even less secure networks that they're being attached to. So all types of security weaknesses are being presented, because we have to address this BYOD issue. Third parties are going to continue to be an issue.
And many of the breaches that I've seen this year, and some that I want to talk about coming up, third parties have been one of the biggest reasons we see that. And so if you're the third party, if you're the business associate that potentially brings risk to a covered entity, we're going to talk about what you can do, what you need to be considering. But if you're also using a business associate, they do a lot of great work for us, and we certainly cannot continue to enhance the lives of the patient if we don't use these third parties. So we need to consider what we do to secure it.
And interconnectedness is going to be an issue. Everything has to connect today. And especially as we look at quick patient care, this will be an issue. So let's talk about the increase in ransomware attacks.
Now, this is all the rage today, and it's certainly something that gets hit in the health care industry and the media. So we recently heard, a little over a month ago, about WannaCrypt, which is also known as WannaCry.
This was used in an extremely large cyber attack that affected just over 150 countries.
Now, what we see here is that victims of this WannaCrypt were told that they could free up their machines and get their data back, get their patient data back, if they paid roughly the equivalent of US$300 in what's called Bitcoin, a way to make your payment anonymous and virtually universal. Some very interesting reads if you haven't read about those. Now, what I find interesting about this ransomware and many ransomwares is they'll typically put a timer on them. This particular one was saying that it was gonna delete the files that people had within seven days if no payment had been received.
Now, as I'm gonna talk about, there's a lot of ways to protect against this. I think this attack, especially this very large, very publicized attack, it wasn't completely and utterly avoidable. But unfortunately, many organizations didn't have secure processes in place to even think about it. They had never done that.
So things like backing up, properly patching and updating systems, which can be a real challenge as we look at some of the vendors that we have to use. They might say something like, well, you have to use Windows XP to be able to use our product. And so you've gotten real used to doing that, but maybe not realizing the security threat that Windows XP is presenting to you because it's not being updated, it's not being patched. And we've got to look at our employee training to make sure that everybody is on the same page.
Now, let's switch gears for a moment. Let's talk about some of the recent lessons from our most scandalous HIPAA settlements that we've seen. Now, I could probably spend all day talking about this, as I am very passionate about it. One of the things that I wanna draw your attention to when we start to look at this is the dollar amount that these entities have been penalized. Oftentimes they'll typically come in right around $2 million for most entities.
And that is a variety of different entities in size, whether they be the business associate or the covered entity.
To give you some examples, we'll see things like University of Mississippi Medical Center, which was penalized $2.7 million. We see things like Advocate Health Care Network at $5.5 million. Now, that's from a theft of a desktop computer, a loss of a laptop. So things that realistically are pretty simple to avoid, but the settlement, I would tell you, the payment is incredibly hard to avoid here. So let's talk about our first example.
And this is all public information. You can find all of this information on hhs.gov, and I highly encourage that you're reading that. We kinda mentioned earlier that you keep up with OCR. You keep up with these updates and HIPAA trends.
A great place to start is hhs.gov. You can go and read the electronic Code of Federal Regulations too if you're really excited about it. That can be a little more boring for some entities and certainly difficult to understand, but interesting all the same. So when we look at Memorial Healthcare System, what we see here is they were penalized $5.5 million in February of this year.
Now, what happened was MHS, or Memorial Healthcare System, had reported to HHS OCR that the protected health information of approximately, or just a little over, 115,000 individuals had been impermissibly accessed by its employees, and then impermissibly disclosed to an affiliated physician's office staff.
The login credentials of former employees of that office had been used to access the ePHI that was maintained by Memorial Healthcare System on a daily basis. So we see that this other physician's office staff was accessing Memorial Healthcare System's patient data, and they were doing that daily. Now, as we look at this, what happens is they were doing that daily completely without detection.
MHS had no idea this was going on. This took place from April 2011 to April 2012, and that affected roughly 80,000 individuals.
What we need to consider here is that oftentimes, and I talk about this frequently, so if you've ever heard me speak, you'll know, we look at breaches. We look at hacks and those items, and we think, you know, government sponsored. We think of groups like Anonymous. We think of the shady attacker behind a computer in Russia or China.
And they're very, very common to talk about, very Hollywood to talk about. And I will tell you from experience, I do know that these people exist, and it's certainly a problem. And they are attacking and removing data from health care organizations all over the world.
But oftentimes, when we look at the top risks, what you didn't see there was hackers, or Russian hackers, or Chinese hackers. It's an issue. It is certainly a top organizational risk, but when we look at things like employees, that becomes one of our greatest risks, because we're gonna start with disclosing information that we shouldn't have been disclosing, and we're gonna start to see massive penalties for it.
This could have been avoided in its entirety. Now, what I found interesting was that $5.5 million for roughly 115,000 individuals. Now, if we look at somebody like CardioNet, this is really recent. This is just two months ago, actually.
They were required to pay $2.5 million. Let me tell you how this is a little different. This settlement is the very first involving a wireless health system provider. So CardioNet provides remote mobile monitoring and rapid response to patients at risk for cardiac arrhythmias.
Now, we see that in 2017 these guys were assessed a $2.5 million penalty. We know that that happens. But in January 2012, so a little over five years ago, CardioNet had reported to HHS OCR that a workforce member's laptop had been stolen when they had parked their vehicle outside their home.
Now, that laptop had contained the ePHI of just under 1,400 individuals.
So we see a $2.5 million penalty for a smash and grab. So somebody comes in, smashes the window, takes the laptop that has ePHI on it. We don't know definitively what was done with that PHI. We don't know if anything was done with the PHI.
But what we can say is that the laptop was stolen. It was not encrypted. So data was not protected, and after they've reported it, they are penalized $2.5 million for fewer than 1,400 individuals. Now, I think one individual is too many.
I think that our patients are the most important thing to us. Our customers, if you're a business associate, are some of the most important things to us. That's our revenue. I don't know anyone that got into the health care industry and enjoyed the words brand degradation or attrition or loss of public or community trust or partner trust.
But these things are happening, and it's interesting. I would be very curious to see what CardioNet's revenues were. Is that the kind of penalty that could put these guys out of business? We don't know that.
One of the things with CardioNet that we also saw was that HHS really targeted, as one of the remediation items, that they hadn't performed a risk analysis. Now, we're gonna talk about what this is in a few minutes, but the risk analysis was one of the biggest things that they focused on, and I find it incredibly interesting that that penalty had been assessed because they hadn't done it, or they hadn't done it properly. Now, when we look at this last example here, this is Memorial Hermann Health System.
Now, this is another very common one, but I wanna draw your attention to the fact that this isn't large hacker groups that are coming in and stealing it. Certainly nothing quite to the extent of WannaCrypt, our ransomware. But we see that with Memorial Hermann Health System, they are penalized and ordered to pay $2.4 million this year for an improper use and disclosure.
Some patient names had been disclosed in a press release, and they were, again, required to pay that. So you're gonna see a variety of different breaches, but what we are seeing, and what I continue to wanna illustrate for you guys, is the human element here. We can buy the products. We can buy the products that are marketed as compliant or as secure. We can put the effort in, and I don't think too many people are putting a whole lot of effort into truly securing their devices, and I want to talk about that coming up. But one of the things we do see is the human error, and it's going to continue to be a problem. So we need to take the time, and you're taking the time today, which I think is so wonderful, but we need to take the time to truly get invested, to truly be empowered, to become more secure, and to start following policies and procedures, assuming we have them.
Alright. So it looks like we have another poll that we wanna pull up here.
The question here is: based on these settlements, the settlements we've talked about, what is your confidence level in your own HIPAA compliance efforts? Again, this kinda helps me understand these. Are you feeling very confident in what you, or maybe your staff, potentially even your partners, are doing for you? Are you feeling extremely confident? Do you feel fairly confident, just a normal level of confidence, or are we feeling not confident at all? We'll give you a couple more seconds here, maybe ten seconds, to fill this out. It's very interesting to see the levels of people's impressions of their compliance and what they believe they're doing.
Oftentimes we may be doing the correct thing, or we believe we are, but our partners may not be. Or what we see is the IT staff don't truly know what they're doing. So excellent. Alright, guys.
Thank you. Appreciate you filling that out. Alright. So what I'm excited to talk about is: what can you do?
Yeah, that's what I get asked when I come out to organizations, no matter their size, all over the world, in fact, no matter their industry even. So it doesn't matter if you're health care or not.
It's: what do I do? That's the question everybody wants to know. Brand, how do I fix this? How do I become HIPAA compliant?
You know, when we look at HIPAA compliance, if we're a covered entity, we know that we have to adhere to the Privacy Rule. And I'd say oftentimes, and according to our poll, many people are feeling pretty confident in that area. But if I change that poll to, how do you feel about your Security Rule compliance, encryption, file integrity monitoring, intrusion detection, transmission security? How do you feel there?
And does that change at all? Oftentimes it does, and a lot of people become aware of this and recognize that they need to make changes. So if we're a business associate, we're going to be asking questions like: I need to make sure that I'm Security Rule compliant. I'm contractually obligated to do so.
I need to make sure I'm compliant with breach notification. And this is no different than the covered entity. So the same rules. Your scope may be slightly different.
We need to consider that. But we also have to ask the question as a business associate: what Privacy Rule requirements are we going to be required, or contractually obligated, to adhere to? I can tell you from experience, a lot of business associates today are overlooking that element. They don't know what they're being required to do.
But one of the first things I like talking about, or I like educating people on, is that it's not about finding time. It really is about maximizing the time you have. And I can tell you, I do understand, the time we have may be a very small amount of time. It could especially be a very small amount of resources that we have to dedicate to it.
But I'm gonna give you some tips here to maximize your efforts and your time. First, if you haven't done this already today, this is one of the top things to get done, easy to do, a quick win, low-hanging fruit as I like to say.
We need to make sure that we have assigned the proper personnel, with proper responsibilities, in our organization. So you first need to assign a privacy officer or official, and then you need to make sure that a security official is assigned. Now, unfortunately, in some organizations, that's going to be you. That's going to be one person who does both duties.
That means you have a lot on your plate to try and digest and understand as we look, again, at the Privacy Rule, Security Rule, and breach notification. There's a lot of data there to understand, and I don't fault you if you haven't gotten as far as you'd hoped you were gonna get, say, within the last year, two years, ten years. It certainly is an overwhelming obstacle. But it is expected by HHS OCR that you do assign it. I walk into a lot of organizations who are doing a decent job with their security.
Maybe some of their tools are working as they should, but something simple like this has not been assigned, and so we see a lot of errors that begin to pop up as a result. We need to make sure that we have those people properly trained on their responsibilities as well. And what oftentimes needs to happen in your organization, no matter your size, is you need to make sure that we have considered an appropriate committee to properly support their efforts and agendas. Things like business continuity, security, breach and infraction responses.
And what I get excited about, and you can do this today if you haven't done it already, we talked about this just briefly at the beginning of the presentation, please do this. This is where the fun gets started. This is where you will start to understand and maybe even start to increase your confidence in your compliance, or, for those of you that were able to answer, you'll start to see your confidence potentially decrease. And I don't know that that's a whole lot of fun, but I can tell you you'll start to be able to be more confident in that answer.
Where I believe you should start, after you've had people properly assigned and we know who's responsible for this, is to ask the question: where and how is patient data created, received, transmitted, and maintained?
Now for some of you here, some of the business associates, you may not be creating patient data. You're a business associate. You're not a CE. You're not a health care provider in any manner. You're not an insurance plan or a clearinghouse. You don't create patient data, and that's okay. But there's still the question of, well, how do you receive data and from whom?
Where is that data transmitted? Is it sent to a processor, potentially? Is it being done for billing? Do we have to share data for marketing purposes or for any other need?
And where do we store data? So for both of you entities, I want you to be asking this question. What you can do, and it's a really fun exercise, is one of the very first things I do.
So if you were to call me today and say, Brand, I want you to come out to my organization and help me understand my confidence in this. Am I really compliant? Am I actually secure? Am I going to lose my patient data?
Are we currently losing patient data? One of the first things I do is I sit down and I ask these questions: where and how is the patient data created and received? What a lot of people do, and this assumption happens all the time in organizations, is people will say, well, Brand, all the data is in my EHR. That's the only place it goes.
It's in the EMR. I don't have patient data outside of there. So I'll say, okay. Well, tell me, how do you create patient data?
Like, walk me through the flow. They'll say, well, Brand, the patient comes into the front desk, or they make an appointment online, or maybe through a web portal, depending on your experience and your organization. I'll say, oh, okay. Well, where do you put that information? They'll say, oh, it's in our scheduler and our EMR.
I say, excellent. Wonderful. So they go back and see a doctor? Yes. So they go back and see the physician, and they go through a whole check-in process, blood pressure, the works.
Right? And it could be all different types of people here. But for this example, oftentimes that data can be written down. It's written down on a piece of paper.
We get a patient note. Patient called in, wants to know, hey, is this medication still correct?
I need to write this down. So I put these notes, because I get busy, in an Excel spreadsheet.
I put that patient data in Word documents.
We have letters to our patients, denials, access denials, things like that, in letter format, and those are saved in whatever documents folder on your PC. Well, again, all of that data, the eighteen unique identifiers of PHI, if you have any of it, you're in scope for compliance, and you need to be considering where it's going to be protected. What you do with that is you're going to want to take that and understand it, whether you're a CE or a BA. You want to understand the systems that are in scope. So that'll certainly, every time, be your firewall.
That's going to be your database server. It's going to be syslog if you have it, WSUS.
Lots of technical terms, I know, and I apologize. But it's oftentimes going to be more than just the server that is housing your EMR. It's systems that connect to it, or systems that can impact the security of PHI or the systems that it resides on. So we need to perform a risk assessment, or what's called a risk analysis in HIPAA.
Now we know that a lot of people have been penalized because they just haven't done this. We recommend that you do this at least annually, at a minimum. I believe, however, that a good way to make business decisions in our organization is through risk analysis. It's understanding what a risk appetite is and then understanding what a given threat means to us in our organization.
And so we oftentimes say that after any significant network change has been made, you should be identifying the new threats and vulnerabilities to those systems, the system components, to your data, to you, to the patient. So risk assessment is an extremely valuable tool. This can be done on your own. A lot of people choose to do this on their own.
And, unfortunately, a lot of people get in way over their heads, or the risk assessment hasn't been done very well. There are a lot of different vendors out there that can help you do that, up to and including SecurityMetrics even. So I recommend that you sit down and go through your flow. Understand where your data is today.
It is going to be absolutely valuable to you. When you do that, when we sit down, we need to look at what are the risks, the threats, and the vulnerabilities to our digital and physical environments. So it could be something like, well, maybe our business has street access to a very busy road. We don't have video monitoring, and our servers that are not encrypted are sitting in a non-monitored, nonsecure area where somebody could smash the window and take them.
It could be that they're sitting next to the restroom, a public restroom. And I give these examples because I've actually seen this often. I've seen this many times, and people don't consider that. When we look at the digital vulnerabilities, when we look at the electronic, we need to be considering systems that oftentimes have not been reviewed, that oftentimes are not considered in scope for compliance.
A lot of people just think about that EMR. They think about their development platform if you're a business associate. They'll say, well, I develop code on production, so my test environment is not in scope. Right?
My firewall can't possibly be in scope. And, again, all of these things would be incorrect assumptions. We should be looking at the internal and the external risks, threats, and vulnerabilities as well, which can be challenging. One of the frameworks that I really like to use, and if you've got a pen and paper, I advise you to write it down, is NIST 800-30. So NIST 800-30, really truly an excellent framework to use.
And at a minimum, if you need a sleep aid at night, I use it all the time and fall asleep to it often. So maybe not the most exciting and thrilling read, but extremely valuable for you to begin to do it.
And like I said, a lot of entities out there can help you to simplify your efforts or even just do that for you. But this will not only reduce your risk and help you to understand your risk, it will take you out of that willful negligence category should you have a breach or be found to be noncompliant.
Once we've found all the risks, it's kind of like going to a physician, right? If I go to a physician and the physician says, hey, Brand, your blood pressure's high, and we want to reduce that. And there's a variety of ways we can do it. Hey, you need to stop stressing so much.
You probably should stop eating those delicious chicken sandwiches you love from McDonald's. You really gotta start exercising. He or she will come up with a plan for me, specific to me and to what's going on.
And in your environment, you need to be doing the same thing. Consider your risks, document everything, and then come up with a strategy to begin remediating. And one of the things that I want to say is I don't believe there is such a thing as an environment without risk. It doesn't exist.
Every environment will have risk. What we need to do is discover and determine what a risk appetite is and what we need to be doing to lower that. What you can't do, and it's certainly unadvised, but would not be compliant and certainly wouldn't be secure, is accept every risk, and that's what a lot of organizations are doing today. They're saying, I'm going to accept all the risk, and we're going to just accept the fact that we're not compliant.
We're going to accept all this risk, and that's why people are losing their data. That's why data is being pulled from their organizations.
Another really great time saving tip is to train your staff regularly. We know that the human element can't go away, but we can begin to make sure that our staff members are properly trained and understand their role in the protection of PHI or ePHI and what they should do. So if you have a front office desk administrator, he or she would not be responsible for managing your firewall rules. They don't need to understand that; it has nothing to do with them, and it's certainly not something we want them to ever touch or have access to. But we need to make sure that they are trained on their direct responsibilities.
What if we have developers within an organization? So if you're maybe, say, a business associate and you have a couple of developers working on your APIs or your web applications, whatever your code may be, you need to make sure those people are following proper and best coding practices, which we'll talk about here in a minute. But we need to make sure that those things are done. I like to tell organizations, and this is absolutely true, it holds up all over the world, security needs to come top down.
Security cannot and does not work if it's coming bottom up. So unfortunately, if you're one of those listeners and that's how you're feeling today, hey, I've got this bottom up approach, I encourage you to share this webinar with your stakeholders and help to encourage them that when we have security come top down and people are properly trained, we're going to start to see much more compliance, far better security.
And as I said, nobody got into doing this to lose data, to hurt a patient. That's never been our goal, and I don't believe that people want to do that. So what can we be doing to protect them? We can be training them on things like policies and procedures, train them on their responsibilities for protection of PHI.
Another great thing to train them on is phishing. Now we hear about this a lot, and some people understand it, some people don't. At a high level, you're probably familiar with phishing if you've opened your Gmail recently, or you've opened your email and you've seen that: Hello.
I am the prince of Nigeria, and I have a million dollars for you if you will only give me your bank account information. That's a phishing email. Or, hey, if you click on this link, you will win a free laptop, or the newest iPhone.
We see those types of emails come through, and they're pretty easy to spot. That's a phishing email. What that's designed to do is a lot like real life fishing. You put some bait on a hook and throw it into the water.
Yeah. There's lots of fish in the pond. We know that eventually we will get a bite on that hook. So you probably disregard the million dollars that you have from a crown prince because you know that's not real, because you know that's a scam. But I can tell you that a lot of the true phishing emails are really well crafted, and they are sometimes hard to spot, even for security professionals like myself.
Let me give you some tips and tricks on what to watch for and even be training your staff on. You should be looking for email requests that are asking for sensitive information. It could be sensitive information that says, hey, you must reset your encryption here.
Click on this link. It's going to ask you for something. It's always going to be sensitive. Or it's going to tell you that something you have that's sensitive has changed.
We see that a lot as well, and so it's a call to action. Second, with people that are really doing a good job at phishing, it'll be somebody you know, or it'll certainly appear to be somebody that you know. So you should be looking for things like incorrect or missing names. We oftentimes see the sender email address that's mismatched.
So it's just one letter off, or there's a dot that's inappropriate somewhere within the domain. We also oftentimes see these phishing emails that'll come through with an unsolicited attachment. It's click this thing, click this link, open this PDF, open this executable.
Again, train your staff to watch for these things. And we'll oftentimes see things like company links that don't truly match a legitimate URL. So at first glance, you might look at it and say, boy, that looks legitimate, but it is not, and we need to be aware of it and train our staff.
We also should be training all of our people on the social engineering threat.
Typically, we see a lot of attacks that are coming through today from the social engineering platform. So these are people that are going to pose as somebody that's just querying a lot of information from you. It could be somebody that comes in and pretends to be a janitor, IT services, could be somebody in the public sector, telecommunications. The social engineer in your organization is going to get a lot of information from you, or can get a lot of information from you, because you didn't know not to tell them, or it looks innocent what you're telling them.
I tell you, this happens a lot in organizations. They'll say, hey, Brand, can you socially engineer my employees to give you stuff that they wouldn't? And I've done this before.
And getting people to tell me stuff they shouldn't is extremely easy. So you need to be helping your staff and constantly talking about this.
Physical security training. And I've talked to this. I don't want to spend too much time here because I've beaten the horse to death, but we need to be training our staff members in our organization to look for physical security threats and to make sure that those things are being properly protected. We're going to see things, and we see it in a lot of organizations, like tailgating, or people that are out in our dumpsters and are diving into the dumpster, or maybe they're coming in through the trash. Maybe we have, like, a trash slide or something like that from our organization. They're coming in from that into the organization.
We're also going to see things like locked doors. So we see, and I've seen this in several organizations, unfortunately, somebody says, I say, where is your server? Can you show me where your server is? And they'll say, oh, sure.
It's in our bathroom. We keep it under the bathroom sink because it's cool in there, and it keeps our server cool. Well, that would be a physical security problem you have today. Your patients have direct access.
Anyone using that bathroom has direct access to your server. Whether they know what to do with it or not is entirely irrelevant. That is a physical security vulnerability. So we want to make sure the organization is properly prepared to handle these types of threats.
Something we can be doing today to make sure that we're properly protected is looking at the business associate agreements.
Every single entity that touches your data, that views your data, that views or manages the systems that manage your data, needs to have a business associate agreement. If you're familiar with the Target breach, when Target was breached, it actually started from another vendor called Fazio. It's an HVAC vendor.
Now, I'm very certain that they would have proper business associate agreements in place, but it's not just required to check the box and comply. It really should be a foundation for ensuring that those business associates understand what they're supposed to be protecting, that it's properly signed off, and that you're doing something to monitor their compliance and their security. It's a very powerful tool. We are seeing a lot of people that are coming in today.
They're onboarding new business associates that haven't had a business associate agreement in a long time. So remember that you need it. But it's also important to remember that you really can't hide behind the BAA, and I see this a lot. There's what we call a lot of finger pointing, or there's a trend of passing the buck, and then believing that we're protected because, hey, I signed a business associate agreement.
Doesn't that protect me? And the answer to that is it certainly can protect you to some degree. It doesn't remove the risk. As I said, there's no such thing as an environment without risk, so it doesn't remove risk from you.
There's always going to be some shared liability between the covered entity and the business associate. And remember, all parties that are involved, whether it be the business associate or the covered entity, when we look at HHS OCR, their names will be published. That's a very public, real experience. And one of the things that I encourage everyone to remember is if you're in a smaller community, or if you're in the type of industry where there's very little option for people to go to, that type of black eye from a breach, or from a breach of contract, and those things can really be damaging.
So I encourage you to make sure you protect yourself and understand this. Now, HIPAA regulations and HIPAA mandates that you do something or you take action if you happen to know, and that can be a challenging thing, if you do know or even suspect that a business associate is not HIPAA compliant. You really need to be doing this. What I recommend to all entities is they do this prior to onboarding.
What we need to also do is develop secure code. Now we kind of talked about this. I had jumped ahead, but we need to make sure that we develop secure code, and then we test it. This is so important.
We need to make sure that all of our code that is being developed within our organizations is properly handled, that we can handle cross-site scripting, cross-site request forgeries, blind SQL injection attacks, which all may be very technical and geek speak, as we like to say, but these are real vulnerabilities. These are things that are going to cause us to have problems within our organization and to lose data. And I have been to a lot of organizations that have lost their data because they didn't consider it. They didn't think about their code as being attacked.
So remember that. The OWASP Top Ten, truly a phenomenal guide if you haven't read it. The OWASP Top Ten, I definitely recommend it. They have community meetings that are really awesome to go to as well.
We should be making sure that we configure and review all of our logs. Now we're going to have a lot of logs: antivirus, application, firewall, EMR logs, file integrity monitoring, intrusion detection, intrusion prevention. Something that you need to know here is that if you're not reviewing the logs, that's as good as a paperweight. It does nothing for you.
There's no real value. You should be making sure that you review logs in real time or at least daily, and you're going to be looking for something that is outside of normal behavior, not normal traffic. Maybe with file integrity monitoring, we see a file that explodes in size. It's a very sensitive file, a critical file that explodes in size.
You need to know: is that normal behavior? Did malware or something just get injected within this file? We should know that. Permissions are changing.
Again, your logs are such a powerful tool. But this is where I tell people, when they've bought a compliant product, they typically don't think to look at their logs, and the products don't do that for you. They just don't. Now in a recent survey, in the SecurityMetrics 2017 Guide to HIPAA Compliance, we had interviewed 52 health care professionals, and 44 percent of those had assigned somebody to review their logs daily, so an incredibly low number.
When we look at the next couple of items, what I want to draw your attention to here is vulnerability scans.
I'm not talking about antivirus. I'm not talking about anything like that. I'm talking about internal and external vulnerability scans. They're looking for vulnerabilities that can be exploited by an attacker, whether they're internal to your organization or external.
You should be performing those as often as possible, but at a minimum, you're required to perform those at least quarterly and after any network change. Lots of different vendors out there can do this for you, so it doesn't necessarily need to be something that you're managing or watching all the time, and a lot of them come with a lot of support for it. So I really encourage you to get on board. If you're not performing vulnerability scans, for those that maybe felt a little more confident in their compliance or who maybe didn't know, if you're not doing internal and external vulnerability scans, I would tell you today you're not compliant.
You're not doing technical and nontechnical reviews of system components at least annually. So when we look at evaluation within HIPAA, this is not being performed, and you wouldn't be compliant here, and it certainly wouldn't be secure. Or, well, maybe let's change that. You wouldn't know if you were secure or weren't secure. And that's kind of a dangerous thing. Right?
Another interesting idea here, another thing that a lot of people are talking about and a lot of vendors in the health care space are doing, is called penetration testing. Now I'm not talking about pulling out a bunch of pens and seeing the ink level, even though I like to tease the pen testers on that. A good way to look at penetration testing is as an ethical hack. It's a good way to test your critical systems, a lot like a scan, but it actually has a person behind it that's driving, that's testing the vulnerabilities to see, are they truly exploitable? It is incredibly valuable for your organization to perform it. Some things that you need to consider here are internal and external. So we should be testing, like, our APIs, our web applications, internal and external.
We should also be testing segmentation. So let's say we have some systems that are considered in scope, or that we said weren't in scope. We should test those too and make sure that they're truly segmented.
Alright, guys. That's a whole lot to chew on. Let's talk about what the big takeaways are today, the things you need to really come away from this with, or that I hope you come away from this with an understanding of.
First, it's understanding that we are seeing an incredible increase in attacks against the health care industry. One of the things that's important to note here is that you can't possibly know all the attacks that are going on. We can't measure them because too many entities say, hey, we're compliant.
We're secure. They don't know they've had a breach, so they're not recording it. So the number that we see, the amount of attacks we see, is those that are public. And I suspect, and have said for many years, this number is far greater than what we're seeing.
OCR settlements and audits are continuing to increase, and, again, that's HHS.gov. I highly encourage you to look at it. We should be making sure that you're performing a risk analysis and that you can do that. You can start that process today.
NIST 800-30, if you forgot. So NIST 800-30, really wonderful. Or find a vendor that can come in. A third party will come in and help you do that.
Make sure that you're educating and training your employees. Get these guys pumped up, excited to protect your data, because they are awesome. Your employees want to protect you, and they want to protect your data. So you should be training them at least every month on their responsibilities and what they can do.
Make sure that everybody has an assigned agreement, a business associate agreement. You should definitely be able to go out today and look at all of your business associates in a list and ask, does this person have a business associate agreement? When was it signed? What does the business associate agreement say?
Did we sign their business associate agreement, or did they sign ours? Was that canned template text that we just found on the Internet, or has that properly been vetted, and are we covered? Are we protected? And I would tell you from far too many assessments that I've been on, far too many business associates and covered entities are not doing a very good job here.
There is room to improve. And lastly, document everything. When we look at the penalties, the settlements that are put in place, negligence continues to come up as a category, willful negligence and others.
So document everything that you're doing and then make sure you really do it. Don't just say you're doing it. Really perform those things. It will give you so much bang for your buck.
I can assure you of that. If you need a vendor to help you do these things, that's understandable, and there are plenty that can do that. Alright, guys. I really appreciate you making it to the webinar today.
I just want to open it up. Do we have just a couple minutes left? I would love for you guys to ask any questions that are gnawing at your mind. Go ahead and chat those into the GoToWebinar chat, and we'll get those answered here briefly.
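The phishing indicators Brand lists earlier in the talk (a call to action for something sensitive, a sender address one character off from a real domain or with a display name that does not match it, an unsolicited executable attachment, and link text that does not match the real URL), written out as a checker. This is an added example for readers of the transcript; it is not part of the webinar and not SecurityMetrics code. The trusted domain example-clinic.org, the indicator names, the keyword lists and the two sample messages are all constructed for the example.

```python
"""Flag common phishing indicators in an RFC 822 message (constructed example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organization's own domain(s) and known partner domains.
TRUSTED_DOMAINS = {"example-clinic.org"}
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip")
# A call to action on something sensitive: reset/verify/confirm ... password/encryption/...
SENSITIVE_REQUEST = re.compile(
    r"\b(reset|verify|confirm|update|re-?enter)\b[^.\n]{0,80}"
    r"\b(password|credentials|encryption|account|ssn|social security|bank)\b",
    re.I,
)
ANCHOR = re.compile(r'<a\b[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so a plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_lookalike(domain: str) -> bool:
    """Not trusted, but one edit away from a trusted domain ("examp1e-clinic.org",
    "example.clinic.org") or embedding a trusted name under another registered
    domain ("example-clinic.org.secure-mail.net"). Real subdomains are fine."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1 or trusted.split(".")[0] in domain:
            return True
    return False


def analyze(raw: str) -> list[str]:
    """Return the indicator names found in one raw message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_lookalike(sender_domain):
        findings.append("lookalike-sender-domain")
    # Display name claims a trusted organization, but the address lives elsewhere.
    claimed = display.lower().replace(" ", "-")
    if sender_domain not in TRUSTED_DOMAINS and any(t.split(".")[0] in claimed for t in TRUSTED_DOMAINS):
        findings.append("display-name-mismatch")

    html, text = "", ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.lower().endswith(RISKY_ATTACHMENT_EXT):
                findings.append("unsolicited-risky-attachment")
            continue
        if part.get_content_type() == "text/html":
            html += part.get_content()
        elif part.get_content_type() == "text/plain":
            text += part.get_content()

    if SENSITIVE_REQUEST.search(text + " " + TAG.sub(" ", html)):
        findings.append("sensitive-info-request")
    for href, anchor in ANCHOR.findall(html):
        shown = TAG.sub("", anchor).strip()
        # Only compare when the visible link text itself looks like a URL or host.
        if "." in shown and " " not in shown:
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if shown_host and shown_host != host_of(href):
                findings.append("link-text-host-mismatch")
                break
    return findings


def constructed_samples() -> dict[str, str]:
    """Two constructed messages (not real mail): one phishing, one legitimate."""
    phish = EmailMessage()
    phish["From"] = "Example Clinic IT Support <helpdesk@examp1e-clinic.org>"
    phish["To"] = "frontdesk@example-clinic.org"
    phish["Subject"] = "Action required: reset your encryption key"
    phish.set_content("Your encryption has expired. Reset your password within 24 hours.")
    phish.add_alternative(
        '<p>Your encryption has expired. Reset your password within 24 hours: '
        '<a href="http://portal.examp1e-clinic.org/reset">https://portal.example-clinic.org/reset</a></p>',
        subtype="html",
    )
    phish.add_attachment(b"MZ constructed stub", maintype="application",
                         subtype="octet-stream", filename="KeyReset.exe")

    legit = EmailMessage()
    legit["From"] = "Example Clinic Billing <billing@example-clinic.org>"
    legit["To"] = "frontdesk@example-clinic.org"
    legit["Subject"] = "March statement run complete"
    legit.set_content("The March statements were mailed today. Reply if any came back undeliverable.")
    legit.add_alternative(
        '<p>The March statements were mailed today. Schedule is on '
        '<a href="https://intranet.example-clinic.org/billing">intranet.example-clinic.org/billing</a>.</p>',
        subtype="html",
    )
    return {"phish": phish.as_string(), "legit": legit.as_string()}


if __name__ == "__main__":
    for label, raw in constructed_samples().items():
        print(label, analyze(raw))
```

The checks are deliberately simple string heuristics, the same ones a trained person applies by eye; they are meant for staff training and triage, not as a replacement for a mail gateway, and the keyword and extension lists should be tuned to the organization's own mail.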
Alright. Great. Thank you, Brand. That was great. And as you said, a lot to chew on.
So as a reminder, because I'm sure most of you will need to review it with so much information, we will be sending out a recording of the webinar as well as the slide deck, and we'll send that in the next few days to the email address you used to register for the webinar. So, hopefully, that's helpful. You can share it internally. You can share it with your business associates, whoever you think would benefit from this information.
We've already received a few great questions.
So we'll we'll go ahead and dive in. We only have a few minutes. And if we don't get to your question, no problem. We'll reach out to you on an individual basis.
Brand, you referenced NIST 800-30 a few different times. Where can they get a copy of this so that they can follow the framework?
Definitely. So that's a great question. NIST 800-30, I'm very excited and passionate about it. All one needs to do is open up a web browser, type in NIST, so all caps, N-I-S-T, 800-30, and that's public information.
It's free information, and it is an incredibly powerful tool, a tool that even I use and many assessors like me use. SecurityMetrics, the risk analysis that we use, is based on NIST 800-30 with a blending of OCTAVE, if you're familiar with that. But, again, all that's public, and all that's free. You should be doing that today.
Awesome. What's a good way, or what are some recommendations, if someone hasn't chosen a security officer, to identify or choose a security officer in an organization?
I love that question. That is a phenomenal question. So one of the things that I advise people to do, because we wear a lot of different hats in our organization, is not always put that burden on your IT or your head of IT, because we have to be careful of the person who's implementing stuff for us being the one saying that, yes, we are truly compliant. There should be some separation of duty here. So what I recommend, if you're a small doctor's office, typically it's unfortunately going to fall on you, the office administrator.
But you should be using a committee, as I mentioned earlier, to help you make those decisions.
Privacy typically goes to the most legal entity in the office, or we oftentimes see people's attorneys. It would be inappropriate to say that the security official would be the attorney. It's kind of like a unicorn. Many lawyers don't truly know how to do security. Silly there, but you get the idea.
So what I advise you to do is say, okay, privacy, who can we give this to that's got a more legal mindset? And then in your organization, the security official should be somebody that has a little bit of security background and can work with both the C-suite, so executives and management, but then down on a more human level, because we're going to be working with our IT professionals.
We're going to be working with database administrators. We're going to be working with all kinds of people to verify that each control is properly in place to a reasonable and acceptable amount. Great.
What are some of the specific rookie mistakes that you see come up when someone's crafting a business associate agreement? What are some of the things maybe they're leaving out that they should be including, and some general mistakes that you see?
Oh, heck, yeah. That's also a great question. Hey, you guys are awesome. Great question. So, oftentimes, what we see is a lot of redlining that takes place within business associate agreements as we're sending them back and forth.
No matter who you are, whether the BA or the CE, we do get a lot of redlining. Somebody says, hey, that's not reasonable. Hey.
I can't do that. What happens, though, and we see this as I come in and do the assessment, is we see, and I don't think anyone's being sneaky, but we call it being sneaked in, something that came in without notice, where the business associate agreed to something and said, hey, yeah.
We're going to adhere to all these things within the privacy rule, but they have no method to do that or even to understand it.
We also see that, you know, that's an unrealistic expectation, if you will. And so that happens a lot. So a lot of people today are not adhering to what the contractual language says.
My advice is to really review your business associate agreement and say, are we actually doing it? Now, not to knock the online agreements. There are fantastic agreements online, and most of them do cover the bare minimum, but we should be going above and beyond. For you covered entities out there, you really want to make sure that you include something that talks about their compliance and security and possibly even says that they need to show it.
We're seeing a lot of business associates that are being told, hey, you can't be given our data until you demonstrate your compliance. I get that all the time. I see it all the time.
People are calling me and saying, hey, I have to get compliant right now, or be able to at least prove it, because this covered entity can't share it with me until I've proven it. So that's kind of another rookie mistake. A lot of people don't include that, and trying to go back to your business associates later and tell them to do it is challenging.
Great.
And we're just a minute over, but we're gonna do one last question, I think, because we kind of are led into it with the BAA talk. So someone asked and brings up, you know, some BAs believe that for HIPAA compliance they only need to satisfy the privacy rule and are unaware of the security rule. So do you have any recommendations on how to get business associates' attention on the security rule and, you know, getting them started?
Absolutely. So one of the things that you can do, and that should be done prior to engagements, is called proper due diligence. It's helping them to understand that HIPAA does apply to them. HIPAA does certainly apply. And we see this in things like the omnibus ruling. So you can go out and give them the omnibus ruling.
HHS.gov has a lot of really powerful language that should be shared with them. But more importantly, we have to say, and I believe and see a lot of success here, we say, look. You cannot have my data till you're able to demonstrate you've done some bare minimums here. Do a risk analysis.
Help us get an attestation of your compliance. And somebody like myself, and that's why I get called in a lot, somebody like myself will come into the business associate and say, okay. Let's ask what your scope is. Your scope must be considered, and so we do consider that and put that in for whomever they decide they wish to give it to.
So they may give it to their covered entities and say, at a high level, these are the things we cover. We cover our infrastructure as a service. We cover, you know, these softwares, this billing, whatever it may be. These are the environments that were assessed and found to be compliant.
If you're not requesting it, it is my assessment that you're making mistakes there. And I would think you want to close that gap up as quickly as you could, because that liability is on both of you, both the business associate and the covered entity. But like we said with Fazio and Target, Target was the big name. Everybody knew who that was.
Very few people had heard of Fazio prior to that breach, so consider that.
Great. Thank you.
Again, we wanna thank everyone for their attendance today.
We have a few other questions that we'll reach out on on an individual basis. They're a little more specific to your organization, and we're out of time. So we wanna be sensitive to that. One last reminder that we'll send out the recording and the slide deck in the next few days. Again, we appreciate your time and look forward to helping you learn more about HIPAA in the future.