By Jane Ehrhardt
“HIPAA is the biggest regulated gray area out there,” says Aaron Woods, manager of security services at Dynamic Quest. “HIPAA states that to protect patient information, you must do what is feasible and what you can afford.” The generality in these guidelines has led healthcare entities to falsely believe that some IT security protocols are HIPAA compliant.
“Security is not the same as compliance,” says Ron Shoe, president of SIP Oasis. “If you mandate multifactor authentication (MFA) and everybody uses it to log in, that is still not HIPAA compliant. HIPAA auditors need to see written policies requiring MFA and attestations to using MFA from all employees, along with monitoring reports proving MFA was in place.”
Those policies and reports must be retained for six years. “Compliance lives in the past,” Shoe says. “Like with OSHA, HIPAA requires proof that the protections were in place when the problem started, which could have happened years before when a negligent employee clicked on something that allowed spyware in to sit undetected.”
Many healthcare professionals complain that HIPAA is too burdensome, a stick with no carrot. But, in fact, following HIPAA standards can save a provider from big problems. For example, HIPAA practices recently saved a medical lab that faced a lawsuit when a woman working at the lab told her daughter that the daughter’s husband had been tested for STDs. The husband sued the lab. The lab won the case because the documentation required by HIPAA proved the mother-in-law had signed an understanding of non-disclosure, attended a training through their portal, and attested to completing it, which showed the lab wasn’t at fault.
Besides failing to document their IT protocols, practices also make the mistake of assuming anything in the cloud is HIPAA compliant. “The cloud is still vulnerable, just in different ways,” Woods says. “In 2018, two of Allscripts’ data centers fell victim to SamSam ransomware. The attack affected 1,500 of their customers using their cloud-based EHR. So ask your hosting environment for their documents on how they’re protecting your data on their system, including your role if they get breached. Add that to your HIPAA handbook, so when you get audited, you’ve done your due diligence.”
Mobile devices present another HIPAA blind spot for healthcare entities. “The mandate is for encryption when it comes to protected health information (PHI) on phones, tablets, and computers used outside the network,” Shoe says. “If the data is accessed using both a secured, compliant portal and an app on the device, then it meets HIPAA standards. But the portal also needs to be reporting who is logging in.
“The rule needs to be that if a phone is going to access PHI, in any form, then it is subject to anything a computer is. The ideal is for staff to use devices devoted solely to business purposes, and only those corporate devices can access PHI. That allows IT to remotely shut them down or wipe them clean when lost or if a threat appears.”
Three months ago, someone stole a laptop from a remote worker in a large dermatology group. Not only was the machine neither encrypted nor protected by MFA, but the practice also could not say whether PHI had been stored on the laptop. “They had no policy in place about where data could be stored,” Woods says. “So they had to report to HIPAA that data may have been breached.”
Even in the office, PHI moves among devices in ways that expose data without anyone noticing, such as when patient documents are scanned and sent to a computer. “If you’re not cleaning that scanner out, you have sensitive information on your devices,” Woods says. “For HIPAA compliance, all of these exposures and how they are being addressed need to be documented in policies.”
“Set things up as zero trust,” Shoe says, offering it as one way to interpret HIPAA compliance. A zero trust approach to IT assumes that any person, device, or service attempting to access the practice’s data, even from inside the network, cannot automatically be trusted.
That means monitoring network activity. “If you’re not monitoring, how do you know what’s broken or what’s going on?” Woods says. He recently got a monitoring alert at one client that a staffer was visiting a suspicious website. It turned out that the user had downloaded the Tor Browser, which is designed for anonymous web surfing and is often used to access the dark web.
If monitoring or any other security measure is too costly, note that in the practice’s risk assessment and policies. “Write that you looked into full-blown monitoring and couldn’t afford it,” Woods says. Then describe the actions taken to mitigate the risk, such as preventing users from installing software and keeping security patches and software up to date.
“The common misconception is that HIPAA mandates perfection,” Shoe says. “What they actually mandate is to get better every year.”