OCR Director Delivers Reminder of the Human Component of Cybersecurity in Healthcare
October 16, 2019
Roger Severino, director for the Office of Civil Rights (OCR), delivered an address on October 16 in Washington D.C. recapping recent HIPAA enforcement efforts by OCR, along with advice for covered entities on proactively protecting their patients’ medical records given the constant threat of attack from bad actors and data exposure. Here are a few key takeaways from his presentation involving HIPAA matters.

Training Employees as a Major Component to Safeguard from Attacks

Two of the main areas of concern continue to be phishing attacks and FTP/hacking attacks as a way in for hackers. The tech side has played a bigger role in recent breaches. Ransomware is a real threat. Entities should make sure they have all the necessary safeguards, including firewalls and “especially training your employees,” according to Severino.

He explained that phishing attacks occur when employees let their guard down because of social engineering. He cautioned that phishing attacks are getting better: the emails no longer appear to come from a foreign country or contain obvious misspellings. Simply put, Director Severino stated, “If you are part of an entity and don’t have a program for testing your employees with fake phishing emails, consider doing that.” He added, “It is almost becoming standard because we’re getting so many phishing attacks and that is one of the primary ways of protecting yourself from viruses, phishing, and ransomware.” Additionally, make sure your staff understands that there can be fake tech support attempts. Finally, he said that another human factor is weak authentication protocols; moving to two-factor authentication allows less frequent password changes.

In short, do not ignore the HUMAN SIDE as a security threat. Educate and train your employees. Educate them not to share passwords. Educate your Human Resources staff to make sure former employees are stripped of their access, with passwords changed and tokens and keys taken the day they are dismissed.

Right to Access Rule Update

During his address, Director Severino commented that the Office of Civil Rights is looking into whether there is a need to address the “right to access” rule. For example, it should not be difficult for records from a provider in one state to be sent to a provider in another state, but oftentimes entities require the patient to fill out a request or authorization to facilitate the transfer. In other words, Director Severino believes there is nothing in place to guarantee that the patient’s records would be sent without the patient requesting his or her own records and doing all the work. OCR is exploring expanding the rule so that this sharing of medical information can be seamless and automatic.

Doctors May Disclose Information to a Family Member

He reminded the audience that OCR has issued guidance clarifying that HIPAA does, in fact, allow providers to disclose information to a family member if the member is involved in the patient’s care, if it is an emergency and the patient is incapacitated, or if there is a threat to health or safety (which includes the patient’s own health and safety). OCR is also considering modifying the standards for what counts as a threat to make sure that providers are “fully empowered to address these life and death situations.” He believes entities are using the shield of HIPAA to say they are not allowed to release information, and OCR is going to try to take down those shields so that providers better understand that there are times when information can be disclosed to loved ones and, in some cases, law enforcement.

Reconsideration of Notice of Privacy Practices

The Office is evaluating whether it continues to make sense to require incoming patients to sign an acknowledgement of the Notice of Privacy Practices when very few people read the Notices anymore. The HIPAA regulations currently state that the patient’s signature must be requested and, if the patient does not sign, the provider has to document the efforts to obtain the signature and retain the paperwork documenting those efforts and the refusal. Director Severino acknowledged that this has created “millions of pieces of paper that [OCR] has not used in [their] enforcement actions.” He queried: “Has this signature requirement become an unnecessary barrier to healthcare? Is it worth keeping?” OCR has submitted these questions to covered entities for feedback. The Director encouraged everyone interested in these issues to respond. This is “your chance to give input on what [OCR is] doing as an agency,” he said.

Patients Control Sending PHI to Third-Party Apps

He pointed out that OCR has issued an FAQ on health apps, as this is a growing area in the industry. “One of the first things you need to realize is that covered entities do not have a monopoly power over their patients’ or their customers’ PHI.” If a patient requests that her information be sent to a health app, the request should be honored so long as the provider does not view the app as a malware or virus threat to the provider’s systems. If the release is to a third party with which the provider/entity does not have a Business Associate Agreement (BAA), it is still appropriate to release the information at the patient’s request (again, absent a threat to the provider’s own systems). The entity/provider is not liable for what happens after the PHI goes to the app, provided the app is not acting on behalf of the covered entity; for the patient, it is “buyer beware.” Of course, if the app is the entity’s own app, then a BAA is needed and the entity is responsible for what happens when the PHI is disclosed. Director Severino noted, however, that “we need to play a role in informing folks on what the lay of the land is”: people need to know that the app they are using may try to sell their information, give it to researchers, market it, etc., as well as the threats that may arise from where the app’s server is located. He suggested entities provide the information to the patient’s app when the patient requests it, but with a disclaimer that the entity is not responsible once the data goes to a third-party app that is not affiliated with the covered entity.

Updates to Enforcement of HIPAA from the OCR

Director Severino also shared what has been done on the enforcement side.

Procedures for Access to PHI When Employees Leave

Pagosa Springs Medical Center (Colorado): A Google calendar was used to book clients and make appointments, and it was available to all staff who managed the calendar. There were two problems: (1) an employee left the company but retained access to the calendar (still had the password/credentials); and (2) Pagosa did not have a BAA with Google for this calendar. Director Severino reminded the audience that many companies (Google, Microsoft, etc.) have “enterprise” versions of their apps that are HIPAA-compliant and for which the vendor, as a Business Associate, will sign a BAA. Entities and providers should make sure they have a strong policy and procedure in place for handling terminated employees or employees who have left the company. Settlement with OCR: $111,400.

Open FTP Access to a Server

Cottage Health (California): A server holding 62,000 lab and diagnostic results was breached. The entity had an FTP server that was accessible without proper password controls. There was a tech support issue, and during the overhaul of the server it was not configured properly and was left “open.” The lesson here is to make sure you have a proper risk analysis/assessment to identify these threats. The risk analysis should be revisited whenever there are changes to servers and similar systems; the same checklist that is part of the risk analysis should be run at times like these. Settlement with OCR: $3 Million.

Another Open Server, Left Open After Warnings

Touchstone Medical (Tennessee): 300,000 patient records (names, addresses, SSNs, etc.) were available to the world, searchable by Google and indexed on its pages. The FBI informed them AND OCR that the entity’s FTP servers allowed uncontrolled access. Touchstone first denied there was a problem. It did not take the “hint” from the FBI/OCR and continued to leave the server open for some time afterwards. Pay attention to the red flags! Settlement with OCR: $3 Million.

Lack of Risk Analysis Leads to Hacker Breach

Medical Informatics Engineering (Indiana): Hackers obtained a user ID and password. MIE self-reported to OCR. The breach impacted 3.5M people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. Settlement with OCR: $100,000.

Social Media Pitfalls

Elite Dental (Texas): The entity violated HIPAA when responding to a negative YELP review. Read more about this settlement between OCR and Elite Dental from Shuttleworth & Ingersoll Associate Attorney Hayleigh Hansen-Boardman.

Setting a Precedent for Enforcement of Right to Access

Bayfront Health St. Petersburg (Florida): This was OCR’s first case involving a patient’s right to access, and the enforcement involved only one patient. The patient wanted the records of her unborn child (fetal heart rate records) and was denied access for nine months. Under the rules, an entity must respond and provide the records within 30 days. Bayfront did not comply, and so OCR took action. “This is the first of what we expect to be several enforcement actions on the right of access.” OCR feels it has run many campaigns to educate on the right to access, and since it remains a problem it is time for “serious enforcement.” Settlement with OCR: $85,000.

OCR Chooses Cases to Send a Message

With regard to enforcement, Director Severino commented that his Office is “not out to bankrupt companies to make a point.” OCR chooses cases based on their importance and the message they send. He also stated during his presentation that the Elite Dental case demonstrates that OCR will “go for big cases and small cases.”

Future Focus of Enforcement Actions

OCR is “moving away from the laptops” and doing more regarding the right of access, as OCR sees that as a need. It also sees future enforcement actions related to hacking and IT breaches. If a stolen laptop was encrypted, OCR presumes that the PHI is safe.

OCR encourages entities to subscribe to its cybersecurity newsletter, as it addresses the latest topics and threats.
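The Cottage Health and Touchstone cases above both come down to an FTP server left “open” after a change, exactly the situation the Director’s advice to re-run the risk-analysis checklist is meant to catch. The following is an added example, not code from the article, from OCR or from any of the entities named: a small audit that reads an FTP daemon configuration and flags the settings that make a server reachable without proper password controls, alongside a hardened configuration that passes. The article does not say which FTP software was involved, so the example assumes a vsftpd-style key=value file; both sample configurations are constructed for illustration.

```python
"""Audit a vsftpd-style FTP configuration for settings that leave a server open.

Added example: assumes vsftpd's documented directives and defaults. The sample
configurations below are constructed and do not describe any real entity.
"""

# Directives whose listed value is unsafe for a server holding PHI.
WEAK_SETTINGS = {
    "anonymous_enable": ("YES", "anonymous logins allowed: no password needed to connect"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("YES", "anonymous users may create directories"),
    "no_anon_password": ("YES", "anonymous users are not even prompted for a password"),
    "ssl_enable": ("NO", "credentials and file contents travel in cleartext"),
    "write_enable": ("YES", "write commands enabled; confirm uploads are really needed"),
}

# vsftpd defaults (per vsftpd.conf(5)) used when a directive is absent. Note that
# anonymous_enable defaults to YES upstream, so simply omitting it leaves the
# server open; the audit must consider effective values, not just present lines.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "no_anon_password": "NO",
    "ssl_enable": "NO",
    "write_enable": "NO",
}

# Constructed: roughly the state the article describes (reachable without
# proper password controls, anonymous upload on, no TLS).
OPEN_CONFIG = """
# FTP server left 'open' after a support overhaul (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed: the corrected configuration a risk-analysis checklist should expect.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
userlist_enable=YES
userlist_deny=NO
"""


def parse_vsftpd_conf(text):
    """Parse 'option=value' lines into a dict; blank lines and '#' comments are skipped.

    vsftpd itself rejects whitespace around '='; it is stripped here so a
    hand-edited file is still audited rather than silently ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_value(settings, directive):
    """The value the daemon would actually use: the file's value, else the default."""
    return settings.get(directive, DEFAULTS[directive]).upper()


def audit_ftp_config(text):
    """Return a sorted list of (directive, effective_value, reason) findings."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for directive, (weak_value, reason) in WEAK_SETTINGS.items():
        value = effective_value(settings, directive)
        if value == weak_value:
            findings.append((directive, value, reason))
    return sorted(findings)


def is_open_to_the_world(text):
    """True when anyone can log in without a password (the Touchstone/Cottage pattern)."""
    return any(d == "anonymous_enable" for d, _, _ in audit_ftp_config(text))


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] open to the world: {is_open_to_the_world(conf)}")
        for directive, value, reason in audit_ftp_config(conf):
            print(f"  {directive}={value}: {reason}")
```

Run against the configuration file after every server change; an empty findings list is the “checklist passed” condition, and the empty-file case shows why the check reasons about effective defaults rather than only the lines an administrator happened to write.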