How many of us know what we don’t know, or at least, are willing to admit we don’t know what we don’t know? Today we are going to find out as we cover a few potential data breach scenarios and ask “what would you do – report it or not?”
In this episode:
What Would You Do? – Ep 360
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
The Privacy and Security Boot Camp: a 3.5 day in-person event, Sep 12, 13, 14 and 15. PriSecBootCamp.com
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?!
[06:47] Breach notifications must be made without undue delay. Here is what that part of the law says: “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach”. There are some cases bouncing around right now that have to do with the time frames of notifications between business associates and their upstream covered entities. The Business Associate Agreement must include a requirement to report an incident to the upstream entity. An important note is that the law does not require the BAA to allow the BA the same 60 days. We have had BAs tell us that they don’t need to report that quickly.
We recommend that clients do not accept that in a BAA they sign with their downstream. Instead, we recommend 3-5 days from discovery of a potential breach. Also, consider making it clear that you want to be notified about any incidents where they evaluated it as a possible breach and determined it did not require patient notification.
405(d) Tip of the Week
[16:11] Practice #7: Vulnerability Management (see the Vulnerability Management Poster)
For Small Organizations:
- Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws.
- Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design.
- Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, and always patch critical vulnerabilities within 14 days.
For Medium/Large Organizations:
In addition to instituting the tips for Small Organizations be sure to incorporate the following:
- Implement Host/Vulnerability Endpoints Scanning. In this model, vulnerability scanners are leveraged to identify weaknesses in OS or third-party applications that reside on endpoints and servers.
- Utilize strict configuration management and change management procedures. Also, a testing plan should be part of the change management process. It should include a vulnerability scan of new network connectivity (such as a firewall change) or a new system function or service.
- Establish a routine of penetration testing. These types of tests are sometimes called red teaming; the goal is to actively exploit your own environment before malicious actors do.
What Would You Do?
[23:24] The American Journal of Managed Care published a study regarding the decisions that health care privacy officers make about reporting a data breach – To Report or Not Report Health Care Data Breaches. The PDF of the report, including the eAppendix Questionnaire, can be found here. 123 privacy officers, all of whom are members of the American Health Information Management Association (AHIMA), were surveyed regarding their choices on whether to report a breach to OCR.
What would you do if you got the survey?
[25:25] Scenario #1:
Results: 39% of respondents chose to report.
[26:51] Scenario #2:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. – The records are paper based and include multiple types of unsecured PHI, including sensitive patient identifiers.
- The unauthorized person who used the PHI or to whom the disclosure was made. – The unknown individual who broke into the facility was not authorized to view the records and their intent is unknown.
- Whether the PHI was actually acquired or viewed. – Employees cannot determine whether the records have been disturbed, accessed or read.
- The extent to which the risk to the PHI has been mitigated. – No records were missing.
Choose one of two options, ‘report’ or ‘do not report’.
Results: 73.2% of respondents chose to report.
[32:01] Scenario #3:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. – The records are electronic and include multiple types of unsecured PHI, including patient identifiers.
- The unauthorized person who used the PHI or to whom the disclosure was made. – The attacker was not authorized to view the records. There is no way to know whether other malware was left behind.
- Whether the PHI was actually acquired or viewed. – The system cannot determine whether records were viewed or copied.
- The extent to which the risk to the PHI has been mitigated. – The malware infection was removed and the PCs were reformatted and reloaded.
Choose one of two options, ‘report’ or ‘do not report’.
Results: 91.9% of respondents chose to report.
[38:38] It was interesting that the study pointed out that, in their evaluation, the decisions to report to OCR or not to report were directly related to the level of education the individual has had, whether that is a credentialed certification, a bachelor’s degree, or something else. The more education you have to understand these things, the less likely you are to report; the others are more likely to err on the side of caution because they’re not sure. Basically, if somebody isn’t trained to do this properly, they are probably not making good decisions. And… that’s why we have said time and time again that you can’t possibly be the Privacy and Security Officer for your organization and do it properly if the only training you have is the exact same training everybody else in the workforce gets. Officers need a different level of training in order to make good decisions when it comes to reporting data breaches.
Guess what? The PriSec Boot Camp is a great place for your Privacy and Security Officers to get that level of training.
You don’t know what you don’t know. And many times people blindly take the advice of someone else who doesn’t know what they don’t know. So, wouldn’t it be better to get the proper training to learn what you don’t know and find out how to design and implement a privacy and security program in your organization properly?
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.