HIPAA: get serious about identifying your organizational cybersecurity risks

Authored by Janice Ahlstrom: FHIMSS, CPHIMS, HITRUST CCSFP, RN, BSN

HIPAA audits overview

In December 2020, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released its 2016-2017 HIPAA Audits Industry Report that reviewed selected healthcare entities and business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires periodic audits of covered entities and business associates regarding their compliance with HIPAA. OCR conducted audits of 166 covered entities and 41 business associates. The summary results of the OCR audits note that most covered entities failed to:

• Provide all of the required content for a Notice of Privacy Practices
• Provide all of the required content for breach notification to individuals
• Properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee
• Implement the HIPAA Security Rule requirements for risk analysis and risk management 

The OCR audits also concluded that most covered entities met the timeliness requirements for providing breach notification to individuals, and most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

In the fall of 2020, a joint cybersecurity warning was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and HHS. This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain(1). 

Healthcare organizations have become the preferred target for cyber hackers. Recent figures published by Check Point Software Technologies, indicate a sharp increase of 25% in cyberattacks over the months of November and December 2020 and January 2021 compared to the period prior to November 2020. 

The healthcare delivery landscape is complex. Nearly 75% of both large and small healthcare organizations outsource some portion of their (IT) services. The sheer volume of outsourced services creates an imperative to know that both covered entities and their Business Associates (BAs) have implemented both cybersecurity and Health Insurance Portability and Accountability Act (HIPAA) safeguards to protect patient health information (PHI) and electronic patient health information (ePHI)(2).  

Why risk assessment is needed

Nearly 73% of hospitals with over 300 beds, and nearly 81% of providers with under 300 beds use outsourced IT solutions, according to a 2018 Black Book survey of over 1,030 hospital IT leaders(3).

The Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data found that nearly 90% of healthcare organizations surveyed suffered a data breach in the past two years. Further, 45% had more than five data breaches in the same time period(4).

By the conclusion of 2020, the HHS OCR had received notification of at least 560 healthcare organizations experiencing data breaches in 80 separate incidents. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. There was a 25% increase in healthcare data breaches in 2020(5). 

The volume of IT outsourcing and the sheer volume of records breached tell us that current cybersecurity measures are falling short and assurance approaches and BA warranties made in BAAs are not working as intended. 

Enforcement actions taken by OCR

In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA privacy rule. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect and obtain a copy of their own protected health information in a designated record set within 30 days of being requested.  

The HHS OCR settled 19 HIPAA violation cases in 2020, with $13,554,900 paid to OCR in settlements. Since late 2019 there have been 14 penalties for noncompliance with the HIPAA Right of Access; 11 of the 14 occurrences happened in in 2020(6).

Reasons for the other eight HIPAA enforcement actions were:

• Lack of risk assessment
• Breaches with a phishing incident that went on for months and another via a website with U.S. mail disclosures of PHI
• Stolen laptop that was not encrypted
• Improper termination of employee access rights

What you can do

Healthcare organizations must have well-defined risk management plans that include proactive service provider management to provide both cybersecurity and HIPAA assurance. Further, risk management must increasingly focus on vulnerability detection and management of cybersecurity threats.   

The healthcare industry needs an evidence- and risk-based approach for assuring cybersecurity and HIPAA compliance for covered entities and their BAs. 

HIPAA risk assessment

The HIPAA Security Rule requires covered entities and their BAs to safeguard ePHI via reasonable and appropriate security measures. One requirement of the Security Rule is risk analysis. Covered entities and BAs are required to conduct a thorough and accurate assessment of the threats and vulnerabilities that could negatively impact the confidentiality, integrity and/or the availability of ePHI per 45 CFR § 164.308(a)(1)(ii)(A). Risk analysis assists covered entities and BAs in identifying and implementing needed safeguards to adequately protect ePHI.

Although the Security Rule requires risk assessment, there has been a good deal of confusion over the years regarding how to adequately conduct and document a thorough and accurate risk assessment. In July 2010, OCR issued its original guidance on risk assessment(7). While the 2010 OCR guidance provided clarity for some, it did not provide clarity for all. Therefore, in April 2018, OCR issued a newsletter entitled, “Risk Analysis versus Gap Analysis - What’s the Difference?”  This newsletter stressed that risk analysis is a tool to conduct a comprehensive evaluation of the enterprise in order to identify all ePHI as well as the risks that may negatively impact ePHI. Risk is defined as the assessed likelihood of the threat source exploiting a vulnerability and causing harm to ePHI. OCR further explained their expectations for the content of risk analysis needed to meet the regulatory requirement along with the essential elements that are to be included in the scope of the analysis(8).

HIPAA gap assessment

In July 2018, HHS updated its audit protocols to include provisions of the 2013 Final Omnibus Rule. The updated audit protocols cover performing gap assessments for both the HIPAA Privacy and Security Rules.

The HIPAA Security Rule Administrative Safeguards Standard §164.308(a)(8)(i) requires evaluation. The standard defines “evaluation” as performing periodic technical and nontechnical evaluation, based initially upon the standards implemented under the rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, and establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart(9). 

In contrast to a HIPAA Security Rule risk assessment, a Security Rule gap assessment provides assessment of the Security Rule controls that are missing or in place. Gap analysis is used to review an entity’s compliance with the standards and implementation specifications of the Security Rule. Threats, vulnerabilities and risk ranking required in risk analysis are not typically provided in a gap assessment. Best practice would include conducting both HIPAA risk and gap assessments as both are required by the HIPAA Security Rule.

Conclusion

Healthcare organizations and their business associates are confronted with a myriad of threats from organized cybersecurity criminals, hackers and potentially nation states in addition to internal actors.  To safeguard the ePHI and comply with the HIPAA Security Rule, covered entities must receive meaningful and ongoing assurance from its contracted business associates and vice versa. The assurance must address both the scope and implementation status of information security and risk management programs as well as the security and compliancy of business operations with the HIPAA Security Rule.

We recommend that all healthcare organizations conduct ongoing risk assessment and gap assessment in compliance with the HIPAA Security Rule. Further, obtaining a HIPAA risk and gap assessment by a third party at least every other year can provide a fresh perspective and added assurance that your organization has not missed any areas of non-compliance and is current with industry best practices.     

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.