
What Would You Do? – Ep 360

June 17, 2022

By Donna Grindle

How many of us know what we don’t know, or at least are willing to admit that we don’t know what we don’t know? Today we are going to find out, as we cover a few potential data breach scenarios and ask “what would you do – report it or not?”



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



HIPAA Say What!?!

[06:47] Breach notifications must be made without unreasonable delay. Here is what that part of the Breach Notification Rule (45 CFR 164.404(b)) says: “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach”. The 60 days is an outer limit, not a grace period; a covered entity that sits on a confirmed breach until day 59 with no reason for the wait has not met the “without unreasonable delay” requirement.

There are some cases bouncing around right now that have to do with the time frames for notifications between business associates and their upstream covered entities. The Business Associate Agreement must include a requirement for the BA to report breaches to its upstream. The rule gives a BA its own outer limit of 60 calendar days to notify the covered entity (45 CFR 164.410(b)), but nothing requires the BAA to grant the BA that full 60 days; the covered entity can contract for a much shorter window. It should, because the covered entity’s own 60-day clock can start the day the BA discovers the breach when the BA is acting as its agent (45 CFR 164.404(a)(2)), so a BA that waits 60 days can leave the covered entity with no time at all. We have had BAs tell us that they don’t need to report that quickly.

We recommend that clients do not accept that in a BAA they sign with a downstream BA. Instead, we recommend 3–5 days from discovery of a potential breach. Also consider making it clear that you want to be notified about incidents the BA evaluated under the four-factor risk assessment and determined were not reportable, so that you can review their reasoning rather than take the “no breach” conclusion on faith.

405(d) Tip of the Week

[16:11] Practice #7: Vulnerability Management

Vulnerability Management Poster

For Small Organizations:

  • Schedule and conduct vulnerability scans on servers and systems under your control to proactively identify technology flaws.
  • Conduct web application scanning of internet-facing web servers, such as web-based patient portals. Specialized vulnerability scanners can interrogate running web applications to identify vulnerabilities in the application design.
  • Conduct routine patching of security flaws in servers, applications (including web applications), and third-party software. Maintain software at least monthly, implementing patches distributed by the vendor community, and always patch critical vulnerabilities within 14 days.

For Medium/Large Organizations:

In addition to instituting the tips for Small Organizations be sure to incorporate the following:

  • Implement host/endpoint vulnerability scanning. In this model, vulnerability scanners are used to identify weaknesses in the OS or third-party applications that reside on endpoints and servers.
  • Use strict configuration management and change management procedures. A testing plan should be part of the change management process, and it should include a vulnerability scan of any new network connectivity (such as a firewall change) or any new system function or service before it goes live.
  • Establish a routine of penetration testing. These tests are sometimes loosely called red teaming, although a true red team exercise is broader and objective-driven (can an adversary reach the patient data?) while a penetration test enumerates and exploits weaknesses in a defined scope. Either way, the goal is to actively exploit your own environment before malicious actors do.
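The scanning and patching tips above only work if someone tracks the clock on each finding, and a rescan that re-reports an old finding with today’s date quietly resets that clock. The script below is an added example, written for these show notes and not part of the 405(d) publication or the Help Me With HIPAA program; it assumes the scanner can export findings as CSV with the columns shown, takes the 14-day critical window from the 405(d) tip, and treats the 30- and 90-day windows for the other severities as policy values an organization would choose itself (they are assumptions here). The sample export, hostnames and plugin IDs are constructed.

```python
"""Patch-SLA check over a vulnerability scanner's CSV export (added example)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days. 14 days for critical is the 405(d) tip;
# the other tiers are assumed policy values, not from 405(d).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    severity: str
    first_seen: date
    fixed: Optional[date]

    @property
    def deadline(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        if self.fixed is not None:
            return "closed_on_time" if self.fixed <= self.deadline else "closed_late"
        return "open_overdue" if today > self.deadline else "open_within_sla"


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse the export and collapse repeated (host, plugin) rows.

    Rescans re-report the same finding with a newer date. The SLA clock
    starts at the earliest sighting, so keep the minimum first_seen.
    """
    merged: dict[tuple[str, str], Finding] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:  # fail loudly rather than silently skip a finding
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
        first_seen = _parse_date(row["first_seen"])
        if first_seen is None:
            raise ValueError(f"missing first_seen for {row['host']}/{row['plugin_id']}")
        f = Finding(row["host"].strip(), row["plugin_id"].strip(), sev,
                    first_seen, _parse_date(row["fixed"]))
        prev = merged.get((f.host, f.plugin))
        if prev is not None:
            # Any sighting still open means the finding is open (or regressed),
            # so an unfixed row wins over a fixed one; keep the worse severity.
            fixed = None if prev.fixed is None or f.fixed is None else max(prev.fixed, f.fixed)
            f = Finding(f.host, f.plugin,
                        min(prev.severity, f.severity, key=SLA_DAYS.__getitem__),
                        min(prev.first_seen, f.first_seen), fixed)
        merged[(f.host, f.plugin)] = f
    return list(merged.values())


def sla_report(findings: list[Finding], today: date) -> dict[str, list[Finding]]:
    """Group findings by SLA status, most overdue first within each group."""
    report: dict[str, list[Finding]] = defaultdict(list)
    for f in sorted(findings, key=lambda f: (f.deadline, f.host, f.plugin)):
        report[f.status(today)].append(f)
    return dict(report)


def check_export(csv_text: str, today_iso: str) -> dict[str, list[tuple[str, str]]]:
    """Convenience wrapper: status -> [(host, plugin), ...] for a given report date."""
    today = date.fromisoformat(today_iso)
    return {status: [(f.host, f.plugin) for f in items]
            for status, items in sla_report(parse_findings(csv_text), today).items()}


# Constructed sample export. The second scan-1001 row is a rescan of the first.
SAMPLE_CSV = """host,plugin_id,severity,first_seen,fixed
portal-web-01,scan-1001,Critical,2022-06-01,
portal-web-01,scan-1001,Critical,2022-06-14,
portal-web-01,scan-1002,high,2022-05-10,2022-05-20
ehr-db-01,scan-1003,critical,2022-06-10,
file-srv-02,scan-1004,medium,2022-04-01,
ehr-db-01,scan-1005,critical,2022-05-01,2022-05-25
"""

if __name__ == "__main__":
    today = date(2022, 6, 17)
    for status, items in sla_report(parse_findings(SAMPLE_CSV), today).items():
        print(status)
        for f in items:
            print(f"  {f.host} {f.plugin} {f.severity:<8} deadline {f.deadline} "
                  f"({(today - f.deadline).days:+d} days)")
```

Run against the sample on 2022-06-17 the report shows scan-1001 as overdue by two days even though the latest rescan is only three days old, which is exactly the drift that per-scan dating hides. The “closed_late” bucket is worth keeping in the monthly review: it is the evidence you would want when an auditor asks whether the 14-day rule is actually met, not just written down.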

What Would You Do?

[23:24] The American Journal of Managed Care published a study regarding the decisions that health care privacy officers make about reporting a data breach – To Report or Not Report Health Care Data Breaches. The PDF of the report, including the eAppendix Questionnaire can be found here.

123 privacy officers, all of whom are members of the American Health Information Management Association (AHIMA), were surveyed about their choices on whether to report a breach to OCR.

Conclusions: Study findings show there are gray areas where privacy officers make their own decisions, and there is a difference in the types of decisions they are making on a day-to-day basis. Future guidance and policies need to address these gaps and can use the insight provided by the results of this study.

What would you do if you got the survey?

[25:25] Scenario #1:

If a breach of patient PHI occurs in the future that is not clearly identified as reportable, will you report or not report?

Results: 39% of respondents chose to report.

[26:51] Scenario #2:

Your healthcare facility was unlawfully entered. The individual who broke in potentially had access to 450 paper patient records that were held in that office. There were no security cameras to record events; although office supplies were gone through, only a printer with no PHI was taken. Your policies and procedures are up to date; however, they do not specifically address breach determination for a break-in at your facility. All policies, procedures, training, and risk assessment and management are in compliance. Your next step is to review the four-factor risk assessment to determine if the potential breach is reportable to the patients and the Office for Civil Rights. Upon review:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. – The records are paper based and include multiple types of unsecured PHI including sensitive patient identifiers.
  2. The unauthorized person who used the PHI or to whom the disclosure was made. – The unknown individual who broke into the facility was not authorized to view the records and their intent is unknown.
  3. Whether the PHI was actually acquired or viewed. – Employees cannot distinguish if the records have been disturbed, accessed or read.
  4. The extent to which the risk to the PHI has been mitigated. – No records were missing.

Choose one of two options, ‘report’ or ‘do not report’.

Results: 73.2% of respondents chose to report.

[32:01] Scenario #3:

An employee at your facility clicked on a link in a phishing email, which led to a ransomware attack on your facility. Payment was required and access to your system was restored. The attacker potentially had access to 750 unsecured (unencrypted) patient records in the system. All policies, procedures, training, and risk assessment and management are in compliance. Your next step is to review the four-factor risk assessment to determine if the potential breach is reportable to the patients and the Office for Civil Rights. Upon review:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. – The records are electronic based and include multiple types of unsecured PHI, including patient identifiers.
  2. The unauthorized person who used the PHI or to whom the disclosure was made. – The attacker was not authorized to view the records. No idea of whether other malware was left behind.
  3. Whether the PHI was actually acquired or viewed. – The system cannot distinguish if records were viewed or copied.
  4. The extent to which the risk to the PHI has been mitigated. – malware infection was removed and PCs reformatted and reloaded.

Choose one of two options, ‘report’ or ‘do not report’.

Results: 91.9% of respondents chose to report.

[38:38] It was interesting that the study pointed out that the decisions to report or not report to OCR were directly related to the level of education the individual had, whether a credential or certification, a bachelor’s degree, or whatever. The more education you have to understand these things, the less likely you are to report; those with less are more likely to err on the side of caution because they are not sure. Basically, if somebody is not trained to do this properly, they are probably not making good decisions.

And… that’s why we have said time and time again that you can’t possibly be the Privacy and Security Officer for your organization and do it properly if the only training you have is the exact same training as everybody else in the workforce gets. Officers need a different level of training in order to be able to make good decisions when it comes to reporting data breaches.

Guess what? The PriSec Boot Camp is a great place for your Privacy and Security Officers to get that level of training.

You don’t know what you don’t know. And many times people blindly take the advice from someone else who doesn’t know what they don’t know. So, wouldn’t it be better to get the proper training to learn what you don’t know and find out how to design and implement a privacy and security program in your organization properly?

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com is a collaborative project created & sponsored by: