ZenGRC

Simply Powerful GRC

HIPAA

HIPAA Violations in the Workplace: What To Do & Prevention

· ·

A HIPAA Physical Safeguards Risk Assessment Checklist

HIPAA violations in the workplace apply to all companies, not just healthcare providers, but also covered entities and their business associates. Employers providing healthcare to their employees or requiring health information as part of disability benefits can violate HIPAA. With the ability for a HIPAA workplace violation to occur as part of everyday human resources activities, all companies need to be aware of how to protect themselves and their employees.

What is a HIPAA Violation in the Workplace?

What is HIPAA?

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) intends to protect individuals’ health information when they moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” In 2005, the Security Rule update to HIPAA focused on electronically stored PHI (ePHI). Although separate from the Privacy Rule, the increased use of digital platforms for sharing healthcare information implicates more information systems than before.

What employee information qualifies as PHI or ePHI?

The HIPAA Privacy Rule incorporates any medical records or health plan records that you collect to administer your employee health care plans. It does not apply to employment records, even if they contain health-related information.
For example, if you ask an employee to provide health information to document sick leave or workers’ compensation, this information does not fall under the Privacy Rule. However, if you contact your employee’s healthcare provider, the information that the provider gives you falls under the Privacy Rule.

What does a Human Resources department need to know?

Many human resources departments incorporate medical benefits for the employees. If your company offers employees a covered health plan, then you need to determine whether you meet the threshold for complying with the Security Rule.
First, you need to look at the type of plan you administer and the number of people involved.

Does your plan cover 50 or more participants?
If the answer is yes, then the Security Rule applies.
If the answer is no:
Does a third party administer your health insurance plan?
If the answer to this question is yes, you need to worry about HIPAA Security Rule violations.
Do you function as the plan sponsor for a group health care plan (this includes using a vendor for your flexible spending accounts and employee assistance programs)?

Most likely, however, the answer to this last question is “yes.” The confusing part here is that even if only sponsor the plan, you may still be functioning as a plan administrator or someone who needs to review a third party vendor. For example, if you offer your employees a flexible spending account or employee assistance program, then the Security Rule applies.

What is a security management process?

Your first step to protecting your company from a workplace HIPAA violation lies in creating a risk analysis. You need to determine all the information your organization houses, where the data resides, and potential risks and vulnerabilities that can impact the confidentiality, integrity, and availability of ePHI.

Once you complete the risk analysis, you need to create security measures to reduce the likelihood of those risks and vulnerabilities. To diminish these risks, you need to establish policies, procedures, and processes that secure information. For example, you might want to create physical protections such as a lock that mitigate the risk of document theft or incorporate multi-factor authentication to protect devices from unauthorized use.

After establishing security measures, you need to ensure that they work. When you review your security measures, you want to look at them from both a technical and non-technical standpoint. During this evaluation, you may find that a security measure no longer protects your organization, and therefore, you need to adjust your controls to respond to employee, environmental, and technological changes.

What employee information needs to be protected to prevent a HIPAA workplace violation?

Even if you hire a third-party administrator to manage your health insurance program, your human resources department still has access to PHI and ePHI. If your HR department and benefits personnel coordinate the healthcare plan with your vendor, the information contained in those conversations may be subject to HIPAA.

How can an organization protect PHI and ePHI in that its HR department accesses?

First, your HR and benefits personnel should catalog the information transmitted, how they store it, and how they use it to perform their administrative functions.
Additionally, your HR department and benefits personnel need to understand that communications with the third-party service provider fall under the Security Rule, as does any information employees can submit through your intranet. Thus, you need to create policies and processes that protect information at rest and in transit. These protections need to incorporate your intranet, the internet, and emails with vendors.

Finally, your IT department needs to establish access controls. These should include types of administrative functions performed, systems used, applications with systems, functions within applications, data files, and fields within files. Then, HR and IT should work together to determine what employee groups need access to each of those and define who can read, create, modify, delete, search and change security settings for files.

How can I protect against perceived HIPAA violations?

The hardest part about determining whether a HIPAA violation occurred in your company is understanding who shared information and how they obtained the information.

HIPAA does not consider personnel files and records PHI. Thus, even if the records contain information about your employee’s health, HIPAA does not apply. However, employees may not understand this. Confused employees may file violations with the Office for Civil Rights (OCR). This investigation then costs time and money to defend.

Your HR department should develop policies and procedures that secure records employees perceive as protected. For example, you may want to train management regarding inappropriate questions that appear to invoke PHI. Although HIPAA does not regulate these, employees may not realize that and try to establish a claim.

How ZenGRC Enables HIPAA Compliance

ZenGRC eases the compliance burden by providing organizations seed content for mapping their controls across a variety of standards and frameworks. This speeds the onboarding process and also enables gap analysis.

Healthcare providers can choose from HITRUST, COBIT, COSO, ISO, PCI DSS, and NIST frameworks to ensure proper IT HIPAA compliance. Moreover, business partners seeking to become HIPAA compliant as they scale can quickly view their current compliance using our gap analysis tool and determine how much additional work they need to do.

For more information about using ZenGRC to ease the HIPAA compliance burden and to speed the process of scalability, schedule a demo.

HIPAA Password Requirements & How To Comply With Them

· ·

Understanding the HiTrust Certification Process

The Health Insurance Portability and Accountability Act (HIPAA) consists of the Security Rule and Privacy Rule which govern the protection of Protected Health Information (PHI) and electronic Protected Health Information (ePHI). The 2009 HITECH Act created for violation categories related to varying degrees of penalties, overseen by the Office for Civil Rights (OCR). The increased value of ePHI records on the Dark Web and rates of data breaches in the healthcare industry reinforce the importance of passwords as administrative and technical safeguards for protecting patient information.

HIPAA & Passwords

How are passwords related to HIPAA compliance?

HIPAA requires appropriate authentication methods for ePHI access. Additionally, it requires ongoing management of that access. However, HIPAA does not incorporate prescriptive measures for authentication methodologies or password complexity. Despite the regulation’s silence, organizations seeking HIPAA password compliance have resources.

The OCR traditionally defers to the National Institute of Standards and Technology (NIST) for technical guidance which offers the first step to understanding password requirements. Moreover, in 2007, a group of healthcare leaders, organizations, and interested parties founded the HITRUST Alliance which established a cybersecurity framework focused on risks specific to the healthcare industry. Combining insights from both the NIST Cybersecurity Framework (NIST CSF) and HITRUST Cybersecurity Framework (HITRUST CSF) help provide direction for healthcare organizations.

What are the NIST password management suggestions?

In June 2017, NIST released Special Publication 800-63B. The publication provides technical recommendations for choosing authenticators and authentication processes to be used at different Authenticator Assurance Levels (AALs). Despite not being prescriptive, the suggestions set forth establish regulatory acceptability levels.

A summary review of the ALLs notes that the provide increasing levels of assurance over an organization’s authentication choices. For example, an AAL1 requires linking single-factor or multifactor authentication to a specific individual. AAL2 includes proof of possession and control of two different authentication protocols as well as approved cryptographic techniques. AAL3, the highest level of assurance, requires a hardware-based authenticator as well as one that is resistant to impersonation, although one device may meet both of these.

Overall, AAL1 requires the minimum security requirements while AAL3 requires the highest level. For example, to achieve a basic level of authentication strength, organizations need to use any of the following:

  • Memorized Secret
  • Look-Up Secret
  • Out-of-Band Devices
  • Single-Factor One-Time Password (OTP) Device
  • Multi-Factor OTP Device
  • Single-Factor Cryptographic Software
  • Single-Factor Cryptographic Device
  • Multi-Factor Cryptographic Software
  • Multi-Factor Cryptographic Device

AAL3 authentication requires a combination of authenticators from the following list:

  • Multi-Factor Cryptographic Device
  • Single-Factor Cryptographic Device used in conjunction with Memorized Secret
  • Multi-Factor OTP device (software or hardware) used in conjunction with a Single-Factor Cryptographic Device
  • Multi-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software
  • Single-Factor OTP device (hardware only) used in conjunction with a Multi-Factor Cryptographic Software Authenticator
  • Single-Factor OTP device (hardware only) used in conjunction with a Single-Factor Cryptographic Software Authenticator and a Memorized Secret

As evidenced by the lists, the different AALs require very different complexity levels. Thus, not every password management requirement matches to every organization.

What are the HITRUST password management suggestions?

The HITRUST Alliance released v.9 of the CSF after the release of the NIST Special Publication, establishing 19 controls to align with SP800-63B. Many covered entities choose to comply with the HITRUST CSF since it incorporated ISO 27000, COBIT, HIPAA, NIST, PCI DSS, FTC Red Flags, HITECH Act, and several other standards, including state requirements.

The HITRUST CSF provides sector-specific controls targeting different healthcare provider needs. For example, physicians can use tokens, smartcards, or biometrics as authentication methods instead of, not in addition to, passwords. Tapping a smartcard rather than typing in a password intends to speed the authentication process allowing the physician to more rapidly provide care.

What are the HITRUST password complexity suggestions?

HITRUST allows organizations to choose a level of compliance. When reviewing the password management requirements, the different compliance requirements between the levels give insight into how HITRUST allocates responsibility based on risk.

A Level 1 organization must require passwords that
are not displayed when entered, are changed in the event of a possible system or password compromise, and allow user identity verification before performing password resets.

Level 2 organizations must incorporate all of the Level 1 requirements and also include several additional protections. The passwords must be protected from unauthorized disclosure and modification when stored and transmitted, cannot be included in any automated log-on process (e.g., stored in a macro or function key), and must be encrypted during transmission and storage on all system components. Additionally, organizations must create temporary passwords that are unique to an individual and not guessable.

Finally, Level 2 organizations must require users to sign a statement attesting to the confidentiality of personal passwords and group passwords.
HITRUST’s standard and framework aggregation incorporates several suggestions for creating a strong password. Password complexity aligns with CMS implementation, FEDRAMP, HIX, and PCI DSS. For users, FEDRAMP requires a minimum 12 character password length while HIX has a shorter requirement of 8 characters. The CMS, FEDRAMP, and HIX implementations all require a password to include one capital letter, one lowercase letter, one number, and one special character.

Organizations seeking to be HIPAA compliance should create a password policy clearly defining a strong user password and engage in security awareness training for all employees.

How ZenGRC Enables HIPAA Compliance

ZenGRC eases the compliance burden by providing organizations seed content for mapping their controls across a variety of standards and frameworks. This speeds the onboarding process and also enables gap analysis.

Healthcare providers can choose from HITRUST, COBIT, COSO, ISO, PCI DSS, and NIST frameworks to ensure proper IT HIPAA compliance. Moreover, business partners seeking to become HIPAA compliant as they scale can quickly view their current compliance using our gap analysis tool and determine how much additional work they need to do.

For more information about using ZenGRC to ease the HIPAA compliance burden and to speed the process of scalability, schedule a demo.

A HIPAA Technical Safeguards Risk Assessment Checklist

· ·

Understanding the HiTrust Certification Process

The HIPAA Technical Safeguards Requirement focuses on storing electronic Protected Health Information (ePHI). While the Security Rule focuses on security requirements, the technical safeguards requirements focus on the technology. Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risk and mitigation controls.

A HIPAA Technical Safeguards Risk Assessment Checklist

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.

Who is a healthcare provider?

According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.

If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.

What is a covered entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.

What is a business associate?

This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.

This broad definition incorporates everyone from third-party administrators assisting in the healthcare claims processing area or certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure the business associate is HIPAA compliant.

What Can I Do To Get Compliant?

Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks by establishing 156 questions.

Within those 156 questions, the Security Assessment Tool breaks them up into three categories: administrative safeguards, technical safeguards, and physical safeguards.

What are technical safeguards?

The HIPAA Security Rule requires that covered entities and business associates protect ePHI by creating controls to create a secure IT environment. Leaving ePHI unsecured creates both a legal liability under HIPAA but also places confidentiality, integrity, and availability of patient information at risk.

Risk Assessment

  • Create an inventory of all information systems within your environment including hardware, software, applications, and electronic devices.
  • Review roles and responsibilities for information risk.
  • Determine risk associated with remote access
  • Review business associate roles and risks to ePHI.
  • Identify information system components and electronic devices with data capabilities.
  • Review key audit events, such as activities that create, store, and transmit ePHI, to create risk-based categorizations for audit timings.
  • Assess and measure intentional or malicious disclosure risk arising out of information transmission or reception.
  • Review authentication requirements to ensure scalability, practicality, and security when balancing ease of ePHI access and protected information systems that adequately mitigate risk.
  • Assess and measure unintentional or malicious information access or modification when being prepared to transmit or when being received.

Technical Safeguards Plan and Policy

  • Establish technical policies and procedures for electronic information systems maintaining ePHI focusing on authorized access.
  • Share with workforce members access control policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Share with workforce members procedures that enable implementation of access control policy and associated access controls.

User Authorization/Segregation of Duties

  • Review user activities for creation, storage, and processing of ePHI within information systems.
  • Separate workforce member duties and service provider duties to define ePHI access authorizations to support segregation of duties.
  • Use the principle of least privilege/minimum necessary access for ePHI.
  • Enforce role-based access control (RBAC) policies based on workforce member and service provider duties and needs.

Identification and Authorization

  • Share with workforce members identification and authorization policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Create unique identification for each workforce member within a group account to establish accountability.
  • Assign a unique name and/or number to track and identify user activity.
  • Establish and implement registration process including supervisory authorization for new identifiers.
  • Prohibit reuse of information system account identifiers.
  • Identify information system components and electronic devices with auto log-off capabilities.
  • Implement electronic procedures that limit activity time and terminate session automatically.
  • Enforce session locks for inactivity or user request.
  • Establish rules for continuing session lock until user reestablishes access with appropriate identification and authentication procedures.
  • Incorporate authentication measures such as passwords, tokens, biometrics, or some combination of these to create multifactor authentication.
  • Establish short-term emergency accounts allowing emergency access.
  • Create automatic removal or deactivation of emergency accounts once business operations return to normal.

Contingency Plan and Policy

  • Establish and implement procedures for obtaining ePHI during an emergency.
  • Cleary define emergency and circumstances triggering contingency plan including natural and environmental threats as well as human threats such as unauthorized employee or service provider access.
  • Identify individual responsible for activating emergency access method.
  • Ensure RBAC policy defines workforce and service provider roles and access based on defined user roles.
  • Implement RBAC policies and employ audited and automated access control mechanism overrides for emergency situations.
  • Establish an alternate storage site with necessary agreements to permit storage and retrieval of exact copies of ePHI.
  • Ensure alternate storage site provides information security safeguards comparable to your own.
  • Identify roles and responsibilities for ePHI access and critical information systems needed during an emergency within contingency plan.
  • Incorporate into contingency plan essential activities and associated requirements including roles, responsibilities, and process to restore systems, including emergency access termination and reinstitution of normal access controls. Share with workforce members the contingency planning policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Establish predetermined time period and implement restoration capability of information systems to match this period.

Systems and Communications Protection

  • Implement encryption and decryption mechanism for ePHI.
  • Implement cryptographic mechanisms to prevent unauthorized ePHI disclosures.
  • Implement cryptographic mechanisms to detect information changes during transmission unless physical security controls protect information.
  • Share with workforce members a systems and communications policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Information Integrity

  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Implement technical security measures to protect ePHI transmitted over an electronic communication network.
  • Implement security measures to ensure ePHI transmitted electronically is not improperly modified without detection prior to regulatory disposal time.
  • Incorporate “Identification and Authorization” and “Systems and Communications” protections as part of guarding against threats and vulnerabilities to information integrity.
  • Establish and implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed improperly.
  • Use integrity verification tools to detect unauthorized changes.
  • Implement procedures to verify the identity of a person or entity seeking ePHI access.
  • Provide management notification of any discrepancies during integrity validation.
  • Share with workforce members an information integrity policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Internal and External Audit Requirements

  • Identify and periodically review and update key audit events such as activities that create, store, and transmit ePHI.
  • Identify and periodically review and update key audit even events that are significant to securing information systems and their environments to support ongoing audit needs.
  • Determine audit scope and frequency based on risk categorization of key audit events.
  • Share with workforce members an audit and accountability policy addressing purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Implement hardware, software, and/or procedural mechanisms that record and examine information system activities if those systems contain or use ePHI.
  • Configure information systems and components so they automatically capture and generate audit records.
  • Ensure these records contain information establishing event type that occurred, when it occurred, where it occurred, its source, and the outcome.
  • Collect identity information for individuals and subjects of the even.
  • Periodically review or analyze information system audit records for indications of inappropriate or unusual activity.
  • Provide audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements that does not alter original content or time ordering of records.
  • Conduct backups of user-level, system-level, and security-related documentation for ePHI.
  • Test continuity and emergency operations to ensure activation of emergency access.
  • Test RBAC policies to ensure the assigned individual has appropriate emergency mode access and permissions to ensure continuity.
  • Allocate audit storage capability based on audit types and audit processing requirements and configure systems to periodically transfer audit records to an alternate system or media for effective storage utilization.

For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.

A HIPAA Security Rule Risk Assessment Checklist For 2018

· ·

ECG monitor display

The HIPAA Security Rule focuses on storing electronic Protected Health Information (ePHI). Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risk and mitigation controls.

A HIPAA Risk Assessment Checklist

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.

Who is a Healthcare Provider?

According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.

If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.

What is a Covered Entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.

What is a Business Associate?

This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.

This broad definition incorporates everyone from third-party administrators assisting in the healthcare claims processing area or certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure the business associate is HIPAA compliant.

What Can I Do to Get Compliant?

Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks by establishing 156 questions.

Within those 156 questions, the Security Assessment Tool breaks them up into three categories: administrative safeguards, technical safeguards, and physical safeguards.

What is the Administrative Safeguards Requirement?

The administrative safeguards requirement focuses on developing, documenting, and implementing policies and procedures to assess and manage ePHI risk.
As an initial review, organizations should consider the following questions to developing appropriate safeguards:

Risk Assessment
  • Create an inventory of all information systems, electronic devices, and mobile media
  • Identify threats, vulnerabilities in technology, processes, workforce, and vendors to determine the likelihood of a data breach and estimate potential harm.
    Develop and implement a risk assessment policy that identifies essential activities addressing purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures that outlines procedures and risk assessment controls.
  • Share documented risk assessment policy with workforce members responsible for mitigating threats and vulnerabilities.
  • Review unauthorized or inappropriate access to ePHI that can compromise data confidentiality, integrity, and availability as well as potential unauthorized disclosure, loss, or theft.
Security Plan and Policy
  • Create a security plan that includes a continuity plan, emergency access plan, disaster recovery plan, and vendor management plan.
  • Develop, document, and share with workforce members a security planning policy and training that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and procedures that outlines procedures to implement security and controls associated with it.
  • Determine appropriate sanctions for individuals who do not comply with information security policies and determine documentation of execution for these sanctions.
  • Create audit procedures and system monitoring procedures to ensure no inappropriate access to information.
  • Periodically review documentation and update if it is affected by operational or environmental changes.
  • Establish a senior-level executive security official to develop and implement policies and procedures to protect against business associate and covered entity risk and authorizes access to information systems
  • Ensure the individual responsible for security has adequate education and experience to review system capabilities, vulnerabilities, and mitigation practices to support management security purchases.
User Authorization/Segregation of Duties
  • Segregate workforce member duties and service provider roles in a way that defines access to ePHI
  • Establish and share with workforce members an access control policy that defines the purpose, scope, roles, responsibilities, management commitment, coordination expectations, and compliance requirements.
  • Employ least privilege/minimum necessary access principles to ePHI.
  • Create and enforce role-based access control (RBAC) policies that provide access based on job description and responsibilities.
  • Develop processes that restrict access to digital or non-digital media containing ePHI and enforce them.
  • Establish authorization and supervision of locations of ePHI and workforce members who can access ePHI.
  • Develop procedures allow the IT department to create, enable, modify, disable, and remove accounts based on users’ group and role membership as well as account privileges for each account.
  • Establish and maintain a list of authorized organizations or personnel that identifies their access level to facilities, information systems, and ePHI.
  • Establish and enforce processes that monitor security roles and responsibilities of third-party providers with access to facilities, information systems, and ePHI.
  • Implement procedures that define appropriate role-based access to ePHI.
  • Assign risk designations and screening criteria for each position defined within role-based authorization document.
  • Establish policies and procedures for screening individuals before granting access authorizations.
  • Establish and implement policies and procedures that terminate access when workforce member access needs change.
  • Develop policies and procedures to retrieve all security-related organizational information system related property upon workforce member role change.
  • Periodically review current and on-going logical and physical access authorizations.
  • Modify access based on workforce member role changes and operational needs.
Security Awareness Policy
  • Develop, document, and share with workforce members a security awareness policy and training that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and procedures to ensure workforce members understand security awareness.
  • Review and update security awareness training and policy to ensure that it aligns with current systems and threats.
  • Ensure workforce members engage in updated training when role-based authorizations change or in response to system changes.
  • Ensure security awareness training simulates cyber-attack, unauthorized access, or opening malicious email attachments that teach workforce members about spear phishing attacks.
  • Retain training records for all workforce members and business associates.
  • Establish procedures and oversight for patching systems, installing software, enforcing software installation policies, and compliance monitoring.
  • Monitor information systems to detect attacks, indicators of potential attacks, and unauthorized local/network/remote connections.
  • Monitor information system facility physical access to detect and respond to physical security incidents, periodically review physical access log, and coordinate review/investigation result with the incident response team.
  • Share information about security alerts, advisories, and directives with workforce members.
  • Establish procedures for guarding against, detecting, and reporting malicious software.
  • Employ automated mechanisms and tools that help track security incidents to collect and analyze information.
  • Establish authorization policies and procedures that outline password requirements, including length, changes, the suggested frequency of changes, privacy requirements, and importance of safeguarding passwords.
Incident Response Plan
  • Establish incident response training that aligns with workforce member roles and responsibilities.
  • Establish mechanisms to identify and respond to suspected or known security incidents, including mitigation steps and documentation requirements.
  • Establish and share incident response policy with workforce members that outline the purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures for security incidents.
  • Provide incident response training to information system users consistent with incident response policy.
  • Test incident response capability and document effectiveness of results.
  • Implement preparation detection, analysis, containment, eradication, and recovery responses as part of incident response policy.
  • Establish incident handling activities with contingency planning activities that incorporate lessons learned from ongoing incident handling activities into incident response procedures.
Contingency Plan
  • Develop and implement a contingency planning policy that identifies essential activities addressing purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and facilitation procedures that identify critical information systems and ability to access ePHI.
  • Ensure contingency plan incorporates a variety of emergencies such as fire, vanadalism, system failure, or natural disaster.
  • Establish procedures that identify essential activities, roles, and systems required for full information system restoration, including but not limited to establishing emergency access and restoring standard access controls.
  • Review and update contingency policy regularly.
  • Establish and implement procedures to create, maintain, and retrieve exact copies of ePHI including an alternative storage site whose security safeguards align with established procedures.
  • Conduct backups of information system documentation at the user-level, system-level, and security-related level.
  • Employ audited and automated overrides of role-based access control policies for emergency situations.
  • Test continuity and emergency operations.
Third-Party Monitoring
  • Implement policies and procedures that establish, document, review, and modify a third-party’s access to workstations, transactions, or programs and processes.
  • Ensure that covered-entities have obtained appropriate assurances that business associates safeguard information.
  • Document third-party and fourth party assurances through written contracts or other arrangements.
  • Review contracts to ensure they contain requirements discussing legal issues regarding ePHI disclosure safeguards used when not listed in the original agreement,and reporting requirements for security incidents.
  • Develop processes to create and maintain a list of authorized maintenance organizations or personnel and that access to facilities, information systems, and ePHI matches roles.
  • Establish third-party monitoring process that reviews security roles and responsibilities.

Information Retention Policy

  • Retain information as required by federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  • Ensure retention includes full life-cycle, including but not limited to disposal of information systems.
  • Document record retention lasts 6 years from creation date or when it was last in effect.
  • Provide an audit reduction and report generation capability that allows on-demand audit review, analysis, and reporting without changing information or ordering of records.
  • Ensure role-based authorization to records retained.

For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.

Regulatory Compliance in Healthcare Organizations

· ·

2017 acted as a call to action for those in the healthcare industry. Patient Health Information (PHI) incorporates everything hackers need to steal identities and compromise an organization’s reputation. Therefore, protecting PHI, and more importantly, electronic patient health information (ePHI) means that healthcare organizations need to be more diligent ensuring that their daily compliance activities match their policies.

Healthcare Regulatory Compliance

What Regulatory Compliance Requirements Affect Healthcare

Although the Health Insurance Portability and Accountability Act (HIPAA) gets the most screen time, organizations involved in healthcare need to incorporate the Health Information Technology for Economic and Clinical Health Act( HITECH) compliance as well. Although interrelated, 2009’s HITECH specifically intended to promote information technology while protecting privacy and security concerns regarding ePHI.

HITECH modified not only HIPAA but also the Social Security Act. Thus, understanding how the different regulatory compliance puzzle pieces fit together became more difficult.

How HIPAA and HITECH Are Similar

The Health and Human Services Department (HHS) oversees both HIPAA and HITECH compliance.

Healthcare organizations most often focus on HIPAA compliance because it established the Privacy Rule setting national standards regarding medical record and PHI protection. Since the Privacy Rule’s adoption in 2000, HHS made only one modification 2002 thus establishing it as one of the first information security and privacy regulations.

The Office of the National Coordinator for Health Information Technology (ONC) promotes healthcare quality by promoting health IT and establishing guidelines for electronic health records (EHRs) and securing ePHI to protect privacy.

Thus, while HIPAA and HITECH integrate with one another, they come with distinct foci. HIPAA focuses on protecting privacy and expands beyond information systems. Meanwhile. HITECH focuses specifically on information technology and preserving electronic information.

How HIPAA and HITECH Differ

While HIPAA and HITECH have many similarities, they also differ on several important details.

Although HITECH extended HIPAA, HIPAA remains focused on breach notification and privacy to protect against fraud and identity theft.

Meanwhile, HITECH distinguishes itself from HIPAA since it created restructured civil and criminal compliance penalties. Moreover, it extended the breach notifications requirement beyond covered entities and incorporated business associates.
Finally, from an information technology perspective, compliance managers should focus on the importance of effective encryption. Even should a malicious actor breach the ePHI, effective encryption mitigates rule violations. Thus, if the encryption effectively makes the information unreadable, the organization breached may not be fined.

However, proving effective encryption additionally means being in compliance with the NIST Federal Information Process Standard. Thus, healthcare regulatory compliance requires understanding your organization’s IT architecture.

How HITECH’s Compliance of Medicare and Medicaid Impact HIPAA Business Associates

Understanding healthcare regulatory compliance requires understanding overlaps between business associates, their information, and how that can impact the overall supply chain.

The definition of Business Associate incorporates and person or entity not covered entity’s workforce member who provides services to or performs functions or activities for a covered entity.

Traditionally, the Omnibus Rule’s definition of Business Associate brings healthcare management companies, healthcare plans, and healthcare payment organizations under the arc of HIPAA and HITECH. However, for those working with Medicaid, additional services may be incorporated under these compliance requirements.
For example, HITECH and HIPAA consider Medicaid’s Non-Emergency Medical Transportation (NEMT) to be a Business Associate under the Omnibus Rule. Thus, despite being nothing more than a network of transportation brokers, information collected remains subject to these healthcare regulations.

Thus, organizations need to determine their location in the supply chain to ensure no HIPAA or HITRUST violations as well as to decide whether or not they want to assume the regulatory compliance risk if they choose to scale.

What the Board of Directors Needs to Know

Organizations looking to shift into the healthcare sector need to ensure that their Board recognizes the compliance implications. Providing the appropriate level of Board oversight requires visibility into both the healthcare landscape as well as the organization’s current compliance environment. Moreover, should an organization decide to incorporate healthcare providers or their vendors as part of its business plan, the Board of Directors needs to understand how they fit into that supply chain.

Under HIPAA, vendor risk creates corporate risk. Thus, whether your company sits at the top of the supply chain, in the middle, or at the bottom, any interaction with HIPAA regulated entities means you need to be compliant also.

Thinking about HIPAA and HITECH violations as dominoes in a row, if one domino falls so do all the others. Thus, vendor management’s importance may increase if you decide to expand into the healthcare industry.

How Automation Eases the Healthcare Regulatory Compliance Burden

ZenGRC’s SaaS platform enables organizations to visualize compliance gaps. Regulatory compliance no longer needs to act as a barrier to new markets. As you map controls to a particular standard or framework, ZenGRC allows you to assign that control to other standards or frameworks that it satisfies.

The first step for successful implementation of the Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.
For example, an organization currently ISO 27001 compliant may be using a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Assuming that you want to expand to acting as a healthcare provider payment processor, you need to determine whether this control maps to HIPAA and HITECH compliance.

Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate with your organization’s various stakeholders, providing them with the right information for their needs.
A HIPAA compliance audit is similar in that an audit management software that provides a single source of truth can help you save time. Saving time saves money because your employees can focus on securing your environment.

With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.

Not only does this simplify incorporating new standards into your overall landscape, but it also means that you can expand your business into revenue streams that seemed too onerous before.