
New Security Rule Guide Coming – Ep 367 

 August 5, 2022

By Donna Grindle

An updated version of the security rule guide that we’ve all been waiting for! NIST has developed a cybersecurity resource guide on implementing the HIPAA Security Rule. It provides key activities, descriptions and sample questions to help covered entities and business associates comply with the HIPAA Security Rule. This guide has tons of good information in it. So, listen in as we discuss some of the cool stuff we picked out.

A 5 star review is all we ask from our listeners.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



New Security Rule Guide Coming – Ep 367

[01:12] Just last week NIST released a cybersecurity resource guide on implementing the HIPAA Security Rule. Actually, this is an initial public draft that they have created for public comments.

NIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

As we all know, the HIPAA Security Rule focuses on protecting the CIA (confidentiality, integrity, and availability) of ePHI that covered entities and business associates CReMaTe (create, receive, maintain, or transmit) from reasonably anticipated threats, vulnerabilities, and impermissible uses and/or disclosures.

This NIST Cybersecurity Guide…

…includes a brief overview of the HIPAA Security Rule, provides guidance for regulated entities on assessing and managing risks to electronic protected health information (ePHI), identifies typical activities that a regulated entity might consider implementing as part of an information security program, and lists additional resources that regulated entities may find useful in implementing the Security Rule.

In the executive summary, they point out that entities may implement the HIPAA Security Rule more effectively if they are shown controls, catalogs and cybersecurity activities that align with each of the standards.

The thing I liked most about this guide is that they do a section for each of the HIPAA Security Rule safeguards. They go through HIPAA in order, starting with § 164.308(a)(1). Here’s what the standard is, here are the key activities to meet that standard, and here’s the description of those activities. But the column I got all excited about was the sample questions to ask. Not only should you be able to answer the questions, you need to be able to prove it.

There are tons of these questions, but here are a few that I felt were really important to cover.

[04:51]

Security Management Process (§ 164.308(a)(1))

HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.

The first key activity that is listed before conducting a risk assessment is to identify all ePHI and relevant information systems. This is step one of step one and it is the step that we always say that everybody misses. If you don’t do this first step, you can’t perform a thorough risk assessment.

It gives a description of what those activities are, like identifying where ePHI lives in your organization – where it comes in and goes out, moves around, and is stored. This includes all systems that store, process, or transmit ePHI, including mobile devices, medical equipment, and medical IoT devices. Many times we hear clients say things like “all our ePHI is in the EHR, we don’t have it on our individual computers” when we know good and well they most likely do. A good suggestion here is to start by assuming every device across the organization has ePHI on it, then prove that it doesn’t.

Here are some of the sample questions I pulled out under the Security Management Process activities section that you should be able to answer, and prove:

  • Is the current configuration of organizational systems documented, including connections to other systems?
  • Has responsibility been assigned to check all hardware and software – including hardware and software used for remote access – to determine whether selected security settings are enabled?
  • Is there an analysis of current safeguards and their effectiveness relative to the identified risks?
  • Have all processes involving ePHI been considered, including creating, receiving, maintaining, and transmitting it?
  • [15:42] Is executive leadership and/or management involved in risk management decisions?
  • Does the regulated entity need to engage other resources (e.g., external expertise) to assist in risk management?
  • Has the regulated entity used the results of risk assessment and risk management processes to guide the selection and implementation of appropriate controls to protect ePHI?
  • Has the regulated entity assured compliance with all policies and procedures by its workforce?
  • Has a cost-benefit analysis been conducted to determine the reasonableness of the investment given the security risks identified?
  • Has the regulated entity documented an organizational risk assessment/management policy that outlines the duties, responsible parties, frequency, and required documentation of the risk management program?
  • Is there a formal (documented) system security plan?
  • Is there a formal contingency plan?
  • Is there a process for communicating policies and procedures to the affected employees?
  • Where will audit information reside (e.g., separate server)? Will it be stored external to the organization (e.g., cloud service provider)?
  • Where will monitoring reports be filed and maintained?
[29:01]

5.1.2 Assigned Security Responsibility (§ 164.308(a)(2))

HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

Here are a few of the sample questions:

  • Who in the organization:
    • Oversees the development and communication of security policies and procedures?
    • Is responsible for conducting the risk assessment?
    • Is responsible for conducting risk management?
    • Handles the results of periodic security evaluations and continuous monitoring?
    • Directs IT security purchasing and investment?
    • Ensures that security concerns have been addressed in system implementation?
  • Does the security official have adequate access and communications with senior officials in the organization, such as executives, chief information officers, chief compliance officers, and in-house counsel?
  • Who in the organization is authorized to accept risks from systems on behalf of the organization?
[32:19] Then we jump down to termination procedures, because there are a few important things we want to cover here.

5.1.3 Workforce Security (§ 164.308(a)(3))

HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Here are a few of the sample questions:

  • Are there separate procedures for voluntary termination (e.g., retirement, promotion, transfer, change of employment) versus involuntary termination (e.g., termination for cause, reduction in force, involuntary transfer, criminal or disciplinary actions), if reasonable and appropriate?
  • Is there a standard checklist for all action items that should be completed when an employee leaves (e.g., return of all access devices, deactivation of logon accounts [including remote access], and delivery of any needed data solely under the employee’s control)?
  • Do other organizations need to be notified to deactivate accounts that the workforce member had access to in the performance of their employment duties?
[35:50] And now for one of our favorite topics, Training!

5.1.5 Security Awareness and Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management).

Here are a few of the sample questions:

  • Are there current, relevant threats (e.g., phishing, ransomware) about which personnel need training?
  • Do staff need training on any particular organization devices (e.g., medical IoT) or technology that pose a risk to ePHI?
  • Is there a procedure in place to ensure that everyone in the organization, including teleworkers and remote personnel, receives security awareness training?
  • What type of security training is needed to address specific technical topics based on job responsibility?

Whew! That was a lot right there. There are plenty more key activities, their descriptions and sample questions for each of the HIPAA Security Rule standards. But just the ones we covered today should give you plenty of things to make sure you have answered and have it documented so you can prove it.

Take a look at the first draft of the NIST Cybersecurity Resource Guide for Implementing the HIPAA Security Rule. This draft is out for comment, and if you have any, they give you a list of the specific things they are looking for feedback on. There will probably be at least one more draft for comment. But whether this version is adopted as-is or not, it gives us a great tool to start using as a guide to implement better cybersecurity practices and safeguards, and to prove it, within our organizations.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
