Our commitment to include #BeCyberSmart each week this month did not anticipate that OCR would set a record for resolution announcements in September. This week we give you info to plan for next week’s activities for NCSAM plus a review of the Athens Orthopedic resolution agreement. A lot to cover!
In this episode:
Athens Ortho Settlement + NCSAM Week 2 – Ep 275
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
NCSAM Week 2: Securing Devices at Home and Work [05:34]
Beginning Oct 12, Week 2 of NCSAM focuses on securing devices at home as well as at work. The point in the Champion guide for this week that really captured my attention was this one:
Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of.
Teleworking guidance from CISA: Telework Guidance and Resources
IoT tip sheet from CISA: DHS NCSAM 2019 – Social Media Cybersecurity. This one can be helpful this week and again next week when talking about healthcare specifically. It is not David’s “ID IoT” tip sheet, though!
Digital home tip sheet from CISA: 5 STEPS TO PROTECTING YOUR DIGITAL HOME
On the Cybersecurity Alliance site you can sign up for the Gone Phishing Tournament 2020, which will send a free phishing test to your team. This is a unique opportunity. They will be using the same phishing template for everyone who signs up, which allows them to report your click rate alongside how other organizations like yours scored. Good news or bad, the result is valuable information to take to your leadership.
Webinars for NCSAM Week 2 [11:07]
This week has several very good webinars to share around your organization and even with your vendors. You can sign up with the links below:

| Date & Time | Webinar |
|---|---|
| October 13th, 1pm CDT / 2pm EDT | Tips to avoid today’s cyber threats |
| October 13th, 2pm EDT | Smart Devices Need Smart Security: Securing Your Business in an Internet of Everything World |
| October 14th, 1pm | 5 Reasons Why Software Security is More Critical Than Ever |
| October 15th, 2pm | Cybersecurity in A Flash: Virtual Small Business Cybersecurity Summit |
This last webinar planned looks very interesting and different. Here is the description:
The 2020 Small Business Cybersecurity Summit is a 3-hour virtual workshop showcasing information and resources that small & medium-sized businesses can put into action to improve their security. What makes it flashy? The majority of the event will be presented in a flash talk format (each speaker will only have 5 minutes and 1 slide to communicate technical concepts to a non-technical audience). Can it be done? Yes. Will it be done? Yes. Join us to see how! In addition to the flash talk series, we’ll kick off with a live-streamed fireside chat discussing the current state of small business cybersecurity, and will conclude the event with a live Q&A session with experts and exhibitor demos.
There are 12 of those flash talks planned along with an opening session and a closing session.
These options, along with your Cybersecurity Champion fliers and the other tools we already gave you, provide a lot of variety to share with the different teams in your organization. Share some of them on social media and with your family too. This educational material is for everyone, not just those at work.
Athens Orthopedic Clinic Settlement [16:29]
I kept expecting to see this one come through earlier this year. It is right down the road from here, after all, and you do hear things around the virtual water cooler, so to speak. We have been discussing this one on the podcast since it made a very public splash in 2016. The OCR findings are pretty specific, as is the CAP, so let’s get to it.
The big statement in the press release is the obligatory quote from the Director that we always see:
“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.
(OCR Press Release)
We just discussed the interview with Noonan, who stated clearly that OCR would look for cases of “longstanding, systemic noncompliance” for enforcement. This one did drag on since 2016, but a lot of investigative work and time went into those years.
Here is what happened as defined by the resolution agreement findings, just to catch everyone up.
On June 26, 2016, a journalist from “www.databreaches.net” notified AOC that “a database of patient records” suspected to belong to AOC was posted online for sale. On June 28, 2016, a hacker group known as “The Dark Overlord” contacted AOC by email and demanded money in return for a complete copy of the database it stole without sale or further disclosure. It was determined, through computer forensic analysis, that the Dark Overlord had obtained a vendor’s credentials to AOC’s system and used them to gain access on June 14, 2016. While AOC terminated the compromised credentials on June 27, 2016, the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.
It was determined that 208,557 individuals were affected by this breach. Due to the breadth of system applications affected, a variety of protected health information (PHI) was exposed including patient demographic information (name, date of birth, social security number, etc.), clinical information (reason for visit, “social history,” medications, test results, medical procedures, etc.), and financial/billing information (health insurance information, payment history).
[28:23] Here is the list of “potential violations” they found. Since this is a resolution agreement, the CE (covered entity) doesn’t admit that it did these things; it just agrees to make sure it never does them in order to resolve the issue and make it go away.
- The requirement to prevent unauthorized access to the ePHI of 208,557 individuals whose information was maintained in AOC’s information systems.
- Until August 2016, the requirement to maintain copies of AOC’s HIPAA policies and procedures.
- From September 30, 2015 to December 15, 2016, the requirement to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Until August 7, 2017, the requirement to enter into business associate agreements with three of its business associates, Quest Records LLC, Total Technology Solutions, and SRS Software LLC.
- Until January 15, 2018, the requirement to provide its entire workforce with HIPAA training.
- The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by AOC.
- The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
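The findings above pair a compromised vendor credential that stayed useful for weeks after it was terminated with the absence of mechanisms to record and examine system activity. The script below is an added illustration for this page, not code from the podcast, OCR or AOC, of what that audit data is for once you have it: given one known-bad account, walk the logs to find the accounts it created or re-credentialed, the source addresses it used, and any activity that continued after the account was disabled. The log format, account names and IP addresses are constructed (TEST-NET ranges) and do not describe what actually happened at AOC.

```python
"""Scoping a compromised-credential intrusion from audit logs.

Added illustration, not code from the podcast, OCR or AOC. The log
format, account names and IP addresses are constructed and do not
describe the AOC intrusion.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str    # principal performing the action
    action: str   # login, query, export, create_user, add_key, reset_password, disable_user
    target: str   # resource or principal acted upon
    src: str      # source IP address


# Constructed sample audit trail: a vendor account is abused, creates a
# second account, the vendor account is disabled, the second account
# carries on and re-credentials a third user before it is disabled too.
SAMPLE_LOG = """
2016-06-14T02:11:05 actor=vendor_svc action=login target=vpn src=203.0.113.7
2016-06-14T02:13:40 actor=vendor_svc action=query target=patient_db src=203.0.113.7
2016-06-14T02:20:12 actor=vendor_svc action=create_user target=svc_backup src=203.0.113.7
2016-06-14T02:21:03 actor=vendor_svc action=add_key target=svc_backup src=203.0.113.7
2016-06-20T01:05:00 actor=jsmith action=login target=vpn src=198.51.100.23
2016-06-27T15:00:00 actor=admin action=disable_user target=vendor_svc src=10.0.0.5
2016-06-27T16:30:00 actor=vendor_svc action=query target=patient_db src=203.0.113.7
2016-06-28T03:40:00 actor=svc_backup action=login target=vpn src=203.0.113.7
2016-06-28T03:45:10 actor=svc_backup action=export target=patient_db src=203.0.113.7
2016-07-02T04:00:00 actor=svc_backup action=reset_password target=rjones src=203.0.113.7
2016-07-03T04:10:00 actor=rjones action=login target=vpn src=203.0.113.9
2016-07-16T12:00:00 actor=admin action=disable_user target=svc_backup src=10.0.0.5
"""


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'TIMESTAMP key=value ...' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        kv = dict(tok.split("=", 1) for tok in rest.split())
        events.append(Event(datetime.fromisoformat(ts), kv["actor"],
                            kv["action"], kv["target"], kv["src"]))
    return sorted(events, key=lambda e: e.ts)


# Actions whose target is a principal the actor can afterwards log in as.
PERSISTENCE_ACTIONS = {"create_user", "add_key", "reset_password"}


def scope_intrusion(events: List[Event], compromised: str) -> Dict[str, object]:
    """From one known-bad account, find every principal and address it reaches.

    Runs to a fixpoint over two pivots: (a) principals the controlled accounts
    created or re-credentialed, transitively, and (b) any principal that
    logged in from a source IP a controlled account already used.
    """
    controlled: Set[str] = {compromised}
    attacker_ips: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.actor in controlled and e.action == "login" and e.src not in attacker_ips:
                attacker_ips.add(e.src)
                changed = True
            if e.actor in controlled and e.action in PERSISTENCE_ACTIONS and e.target not in controlled:
                controlled.add(e.target)
                changed = True
            if e.action == "login" and e.src in attacker_ips and e.actor not in controlled:
                controlled.add(e.actor)
                changed = True

    disabled_at: Dict[str, datetime] = {}
    for e in events:
        if e.action == "disable_user":
            disabled_at.setdefault(e.target, e.ts)

    revoked_at = disabled_at.get(compromised)
    # Everything attacker-controlled accounts did after the known-bad
    # credential was terminated: the intrusion was not actually blocked.
    post_revocation = [e for e in events
                       if revoked_at is not None and e.ts > revoked_at and e.actor in controlled]
    # An account acting after its own disable event means revocation was not
    # enforced, for example an existing session or token outlived the account.
    active_after_disable = sorted({e.actor for e in events
                                   if e.actor in disabled_at and e.ts > disabled_at[e.actor]})
    return {
        "controlled": sorted(controlled),
        "attacker_ips": sorted(attacker_ips),
        "post_revocation": post_revocation,
        "active_after_disable": active_after_disable,
        "never_disabled": sorted(p for p in controlled if p not in disabled_at),
    }


if __name__ == "__main__":
    result = scope_intrusion(parse_log(SAMPLE_LOG), "vendor_svc")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed log this reports three controlled principals (the vendor account, the account it created, and the user it re-credentialed), a query by the vendor account after it was disabled, and one principal that was never disabled at all. That is the check to run before declaring an intrusion contained: terminating the credential you know about is the start, not the end, and without audit records of who created what from where there is nothing to run it against.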
In addition to the $1.5 million settlement payment to OCR (and all the experts and attorneys involved over the last 4 years), they are going on a 2-year corrective action plan that includes many of the specifics we have seen recently.
Within sixty (60) days of the Effective Date and annually following the Effective Date, AOC shall review all relationships with vendors and third party service providers to identify business associates. AOC shall provide HHS with the following:
a. An accounting of AOC’s business associates, to include the names of business associates, a description of services provided, the date services began, and a description of the business associate’s handling of/interaction with AOC’s PHI; and
b. Copies of the business associate agreements that AOC maintains with each business associate.
I cannot tell you the number of times we hear from clients that they don’t need to review all their vendors; they just need to worry about the ones they know are BAs. Now you see why we make sure we ask for the entire vendor list and compare it to the BAAs they have on file.
Risk Analysis and Management
AOC shall conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by AOC or its affiliates that are owned, controlled or managed by AOC that contain, store, transmit or receive AOC ePHI. As part of this process, AOC shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.
Then you have the approval loop until OCR signs off on the SRA.
Within sixty (60) calendar days of HHS’s approval of the Risk Analysis, AOC shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision. The plan shall be forwarded to HHS for its review.
And another OCR approval loop begins. Then the CAP makes the point about the SRA clear one more time. How often do we still hear folks say they only need to do one every 2 or 3 years? Looks like that just will not cut it any longer.
AOC shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by AOC, affiliates that are owned, controlled, or managed by AOC, and its engaged business associates, and document the security measures AOC implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP. Revisions to policies and procedures in this section shall be made pursuant to Section V.D.5 below.
Policies & Procedures
This section includes a specific list of required policies and procedures, not just the one or two items we saw in the 5 patient access resolutions.
Am I shocked by that list? No. Also not shocked that there is more.
Then it is the normal process we see in settlements: review and modify your policies and procedures as needed, followed by the implementation and training required to make sure the workforce knows what they are supposed to be doing.
After all of that, though, this part that comes next was pretty interesting to see added in here.
After this it gets into the normal items we see for training, incidents, etc. As we get more of these specific CAP details, the reasons to follow exactly what OCR spells out keep adding up. If you haven’t taken the time to review them with your team, don’t keep putting it off.
Yes there is a lot to unpack here.
First, #BeCyberSmart! Share this information with colleagues, friends, family and the community.
Second, pay attention to what is going on around you. If you aren’t taking care of your HIPAA obligations, the message is clear: excuses will not be accepted when you get caught. At a rate of 28,000 complaints per year and hundreds of data breaches, it is just a matter of time before you are caught up in something that exposes your lack of commitment to protecting the privacy of your patient information.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™