The Department of Health and Human Services Office for Civil Rights had a record year for settlements from its enforcement of the nation’s largest healthcare privacy law.
In 2018, OCR settled 10 cases and secured one judgment, totaling $28.7 million in fines for HIPAA (Health Insurance Portability and Accountability Act) violations by healthcare providers and health-related companies. That is 22% higher than the previous annual record of $23.5 million, set in 2016.
The total was driven in part by the largest single HIPAA settlement in history: $16 million paid by Anthem Inc. The insurer agreed to pay HHS the settlement in October for a landmark 2015 breach that impacted nearly 79 million consumers.
An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, to regularly review system activity, and to identify and respond to a known threat.
The previous record for a single settlement was $5.5 million, in 2016.
The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty issued by an administrative law judge in June—the second summary judgment victory in OCR’s history of HIPAA enforcement. The cancer center faced penalties over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.
An investigation found that MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.
Fresenius Medical Care, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk assessment, which led to five separate data breaches over a five-month period in 2012.
Cottage Health agreed to pay $3 million to OCR and “to adopt a substantial corrective action plan” after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.
This admission was made during a deposition in a lawsuit brought against Aetna by Gillen Washington, a 23-year-old with common variable immune deficiency (CVID) who was denied coverage for an infusion of intravenous immunoglobulin (IVIG) four years ago.
California’s insurance commissioner, Dave Jones, is now looking into Aetna’s relevant protocols.
In this particular case, Iinuma admitted that he had minimal, if any, knowledge of the medical condition, common variable immune deficiency (CVID), that Washington suffered from. He was also not clear about the most effective drug for treating the patient’s condition, the symptoms of CVID, or even the consequences of abruptly discontinuing therapy for the condition.
“Do I know what happens?” Iinuma said. “Again, I’m not sure…I don’t treat it,” according to the deposition, as reported by CNN.
Further, when asked by Washington’s attorney if it was his general practice to look at medical records as part of his decision making process, he replied that it was not.
Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts.
A password manager can help encourage the use of long, complex, and unique passwords.
A password manager can reduce the need for users to commit their passwords to memory, making it less likely that they could expose their passwords inadvertently to social engineering attackers.
Password managers match a saved credential against the site it was saved for, so they will not autofill a password field on a look-alike phishing page. The missing autofill is itself a signal to users that they are not on the system they expected.
Best practices recommended by the National Institute of Standards and Technology (NIST) endorse the use of password managers.
“Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”
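The phishing-resistance point above comes down to one rule: a manager fills a password only when the page’s origin matches the one the credential was saved for. The following is an added example, not code from Aligned Risk Management or any password manager product; it reduces a URL to its (scheme, host, port) origin and refuses to fill anywhere else. The vault entry and the candidate page URLs are constructed, and the host names are hypothetical.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault entry (not a real account): the only origin this
# credential was saved for. Hypothetical host name.
SAVED_ORIGIN = "https://portal.example.com"

# Constructed page URLs a user might land on, labelled with what they are.
CANDIDATE_PAGES = {
    "https://portal.example.com/login": "genuine login page",
    "https://PORTAL.example.com:443/login": "genuine, odd casing and explicit port",
    "https://portal-example.com/login": "look-alike: hyphen instead of dot",
    "https://portal.example.com.evil.test/login": "look-alike: real name as a subdomain",
    "http://portal.example.com/login": "right host, but plain http",
}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce a URL to its (scheme, host, port) origin; None if it is not usable http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname.lower(), port


def should_autofill(saved_origin: str, page_url: str) -> bool:
    """Fill only when the page's origin is exactly the one the credential was saved for.

    Exact origin matching is the conservative rule: a hyphenated twin, the real
    name buried as a subdomain of another domain, or a downgrade to plain http
    all fail, even though each can pass a glance at the address bar.
    """
    saved = origin_of(saved_origin)
    current = origin_of(page_url)
    return saved is not None and saved == current


def autofill_decisions(saved_origin: str = SAVED_ORIGIN, pages=CANDIDATE_PAGES) -> dict:
    """Map each candidate page URL to the manager's fill / no-fill decision."""
    return {url: should_autofill(saved_origin, url) for url in pages}


if __name__ == "__main__":
    for url, decision in autofill_decisions().items():
        print(f"{'FILL   ' if decision else 'NO FILL'}  {url}  ({CANDIDATE_PAGES[url]})")
```

Real products differ in how strictly they match (some allow any host under the same registrable domain); exact-origin matching is the stricter end of that range and is what makes the "no autofill" cue reliable.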
Requiring users to change passwords periodically may encourage them to create less secure passwords. It may have worked 20 years ago, but it doesn’t work anymore. Stop it. Just stop it.
According to cybersecurity firm SecureState, password complexity policies combined with password aging policies consistently lead, on large systems, to a predictable percentage of passwords chosen by users to serve as seasonal mnemonics, e.g., Spring2017 or January18!.
Periodic password changes mitigate only a small number of risks. Those risks can be more effectively mitigated by other controls, including two-factor authentication.
Cybersecurity research indicates that password aging policies provide only minimal security benefit because users will predictably create new passwords that can be easily guessed by an attacker who knows the old password.
“We believe our study casts doubt on the utility of forced password expiration. Even our relatively modest study suggests that at least 41% of passwords can be broken offline from previous passwords for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17% of accounts.”
A number of security experts have begun expressing skepticism about the utility of mandatory password changes, including Lorrie Cranor, Chief Technologist at the Federal Trade Commission, and Bruce Schneier, board member of the Electronic Frontier Foundation.
“But my favorite question about passwords is: ‘How often should people change their passwords?’ My answer usually surprises the audience: ‘Not as often as you might think.’ […] [U]sers who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”
“The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember – and easy-to-guess – passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.”
The latest NIST standards no longer recommend periodic password changes.
“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
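The seasonal-mnemonic pattern (Spring2017, January18!) and the finding that new passwords are predictable transformations of old ones both point to the same control: screen a proposed password at the moment it is set, rather than forcing rotation on a calendar. The block below is an added example, not code from Aligned Risk Management or NIST; it implements a change-time check in the spirit of the quoted guidance: a minimum length, a comparison against known-compromised values (the short list here is a constructed stand-in for a breach corpus), a seasonal-mnemonic pattern, and a rejection of new passwords that are the old one with only digits or symbols changed.

```python
import re
from typing import List

# Constructed stand-in for a corpus of known-compromised passwords. A real
# deployment screens against a breach corpus or service, not this handful.
KNOWN_COMPROMISED = {"password", "password1", "letmein", "qwerty123", "welcome1"}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# A season or month, optional punctuation, a 2- or 4-digit year, optional
# trailing punctuation: the Spring2017 / January18! shape described above.
SEASONAL_MNEMONIC = re.compile(
    r"^(?:%s)\W*\d{2,4}\W*$" % "|".join(SEASONS + MONTHS), re.IGNORECASE)


def letters_only(password: str) -> str:
    """Collapse case, digits and symbols so Welcome!2019 and welcome2020 compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_predictable_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with a bumped number or swapped symbol.

    Strip the parts users habitually change on a forced reset and the two
    passwords reduce to the same word; that is the pattern an attacker who
    knows the old password exploits.
    """
    core = letters_only(new)
    return core != "" and core == letters_only(old)


def check_new_password(old: str, new: str, min_length: int = 8) -> List[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept)."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if new.lower() in KNOWN_COMPROMISED:
        problems.append("known compromised")
    if SEASONAL_MNEMONIC.match(new):
        problems.append("seasonal mnemonic")
    if is_predictable_rotation(old, new):
        problems.append("predictable rotation of previous password")
    return problems


if __name__ == "__main__":
    # Constructed old/new pairs for the demonstration.
    for old, new in [("Spring2017", "Spring2018"),
                     ("Welcome!2019", "Welcome!2020"),
                     ("anything", "password1"),
                     ("Spring2017", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Note what the check deliberately does not do: it imposes no character-class composition rule and no expiry. The only time a change is forced under the quoted guidance is on evidence of compromise, which is the "known compromised" branch here.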
If you still use Windows 7, it may be time to consider an upgrade.
Starting January 14, 2020, exactly one year from Monday, Microsoft will no longer support Windows 7. After that, you’re on your own: no more updates or security fixes for the operating system.
“Changes and upgrades in technology are inevitable,” said Brad Anderson, corporate vice president for Microsoft 365, in a blog. “And there’s never been a better time to start putting in motion the things you need to do to shift your organization to a modern desktop with Microsoft 365.”
Microsoft will continue to provide security updates for Windows 7 to business customers that pay for support, according to ZDNet, but not individual users.
Windows 7 was released in 2009 and is still one of the most widely used desktop operating systems. According to ZDNet, Windows 10 finally overtook Windows 7 on the desktop at the end of last year: NetMarketShare’s December 2018 report showed that 39.2 percent of the machines it collects data from ran Windows 10, while 36.9 percent ran Windows 7.
In 2012, the software giant decided to extend five more years of support for all editions of Windows 7 for individual users.
A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.
Parts of a Risk Management Plan
Risk Response Plans
Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.
All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:
[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
The US Department of Health and Human Services defines a risk as:
The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.
Risks arise from legal liability or mission loss due to:
Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
Unintentional errors and omissions
IT disruptions due to natural or man-made disasters
Failure to exercise due care and diligence in the implementation and operation of the IT system
When a risk event occurs, it is no longer uncertain. It becomes an issue.
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:
The risk level is calculated using three underlying components:
Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?
Likelihood × Impact − Controls ⇒ Risk Level
To illustrate, a plane crashing into your office has a high impact but a low probability. In fact, the probability is so low that the overall risk is probably insignificant. At the opposite end of the scale, a road construction project being delayed by rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.
What projects have been completed in the past and what unexpected issues occurred?
What was the response of the organization?
What permanent changes were made? Were they justified?
Did the response cause a corresponding loss of business?
Did the response cause a corresponding loss of future projects?
Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:
Very Low: The event is highly unlikely to occur under regular circumstances.
Low: The event is unlikely but should be noted by the project team.
Medium: The event has a normal chance of occurring and the project team should be aware of it.
High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
Very High: The occurrence of the event should be actively managed and mitigation actions taken.
Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.
Negligible
Theoretical risk. Unlikely to be a serious concern.
Vulnerability is very unlikely to be exercised, OR
Existing controls are highly effective at mitigating the risk, OR
Potential impact on security, privacy and availability of ePHI is low
Marginal
Unlikely to be an immediate concern, especially in light of other, more severe risks.
Some likelihood that the vulnerability could be exercised
Existing controls provide some effective mitigation of the risk
Serious
Potential for significant impact on operations. Effective risk management, or a reasonable plan for it, is recommended in the near future.
Vulnerability is likely to be exercised
Existing controls provide inadequate mitigation of the risk
Potential for significant impact on security, privacy or availability of ePHI
Critical
Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of the vulnerability could cause mission-critical damage to business operations. Prompt intervention is strongly recommended.
Vulnerability is very likely to be exercised or is currently being exercised
Existing controls provide little effective mitigation of the risk
Potential for high or even catastrophic impact on security, privacy or availability of ePHI
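The formula (Likelihood × Impact − Controls ⇒ Risk Level), the plane-crash and rain illustrations, and the four categories above can be put together into a small scoring routine. The following is an added example, not Aligned Risk Management’s own methodology or tooling: the page gives the formula and the category names but no numbers, so the 1..5 ordinal scales, the control-effectiveness percentages and the category thresholds are all constructed for illustration. The risk register is constructed too; it includes the two examples from the text plus an ePHI laptop before and after disk encryption to show how the controls term moves the category.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales for the three components (constructed; the page gives none).
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Control effectiveness as the share of raw exposure the existing controls remove.
CONTROLS = {"none": 0.0, "weak": 0.25, "partial": 0.5, "strong": 0.75, "highly effective": 0.9}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    controls: str     # key into CONTROLS


def risk_score(risk: Risk) -> float:
    """Likelihood × Impact − Controls, with controls taken as a proportion of the raw exposure."""
    raw = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return raw - raw * CONTROLS[risk.controls]


def risk_level(score: float) -> str:
    """Map a score on the 1..25 scale to the four categories (thresholds constructed)."""
    if score < 6:
        return "Negligible"
    if score < 10:
        return "Marginal"
    if score < 16:
        return "Serious"
    return "Critical"


def assess(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Score every risk and sort so the register reads worst-first."""
    scored = [(r.name, risk_score(r), risk_level(risk_score(r))) for r in risks]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed register: the page's two illustrations plus an ePHI example
# before and after a control.
SAMPLE_REGISTER = [
    Risk("plane crashes into office", "very low", "catastrophic", "none"),
    Risk("road work delayed by rain", "very high", "minor", "none"),
    Risk("laptop holding ePHI stolen, no disk encryption", "high", "major", "none"),
    Risk("laptop holding ePHI stolen, full-disk encryption enforced", "high", "major", "highly effective"),
]

if __name__ == "__main__":
    for name, score, level in assess(SAMPLE_REGISTER):
        print(f"{level:10s} {score:5.1f}  {name}")
```

The two laptop rows make the point of the controls term: the same threat and vulnerability land in Critical with no control and in Negligible once encryption is enforced, which is exactly the gap the MD Anderson findings described above turned on.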
A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?
What assumptions has the project budget made?
What assumptions has the project schedule made (completion date, milestones, etc.)?
What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
How many previous projects with similar components have been completed successfully? What were the project issues?
Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.
Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.
We’ll play defense so you don’t have to…
Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.
…but our process doesn’t stop with just a risk assessment.
It doesn’t stop there. Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.
Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.
HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.
Here are four steps to start the year out ahead.
1. Do SOMETHING.
There are so many different ways to start tackling another aspect of HIPAA. Are you wanting to make some headway in implementing technical safeguards? Great! Two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.
“When eating an elephant take one bite at a time.”
Creighton Williams Abrams Jr.
I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.
2. Business Associate Agreements
I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). As a recap, a “business associate” is typically a vendor that is not a member of a covered entity’s workforce and that provides certain services to the covered entity. Remember, this service directly involves access by the business associate to protected health information (PHI).
Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.
As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?
Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.
Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.
Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.
Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!
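The access-revocation example above is one an auditor can test mechanically: take the HR separation report, take an export of directory accounts, and see whether the two agree. The block below is an added example, not a tool from Aligned Risk Management or HHS; both CSV exports are constructed sample data (no real people or accounts), and the column names are assumptions about what such exports contain. It flags accounts still enabled past a short grace period after termination and, separately, any logon recorded after the termination date.

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample exports; these are not real people or accounts.
# HR_TERMINATIONS stands in for the separation report HR produces;
# DIRECTORY_ACCOUNTS stands in for an export of user accounts from the directory.
HR_TERMINATIONS = """employee_id,username,termination_date
1001,jdoe,2018-11-02
1002,asmith,2018-12-15
1003,bwong,2019-01-09
"""

DIRECTORY_ACCOUNTS = """username,enabled,last_logon
jdoe,true,2019-01-03
asmith,false,2018-12-14
bwong,true,2019-01-08
mroy,true,2019-01-10
"""


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Read a CSV export (header row first) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_revocation_gaps(hr_csv: str, directory_csv: str, as_of: str,
                         grace_days: int = 1) -> List[Dict[str, object]]:
    """Reconcile terminations against live accounts as of an ISO date.

    Flags the two things the written policy promises and an auditor would test:
    accounts still enabled more than grace_days after termination, and any
    logon recorded after the termination date.
    """
    today = date.fromisoformat(as_of)
    terminated = {row["username"]: date.fromisoformat(row["termination_date"])
                  for row in parse_csv(hr_csv)}
    findings: List[Dict[str, object]] = []
    for acct in parse_csv(directory_csv):
        user = acct["username"]
        if user not in terminated:
            continue  # current staff; out of scope for this check
        term_date = terminated[user]
        still_enabled = acct["enabled"].strip().lower() == "true"
        if still_enabled and today > term_date + timedelta(days=grace_days):
            findings.append({"username": user, "issue": "still enabled",
                             "days_overdue": (today - term_date).days})
        if date.fromisoformat(acct["last_logon"]) > term_date:
            findings.append({"username": user, "issue": "logon after termination",
                             "last_logon": acct["last_logon"]})
    return findings


if __name__ == "__main__":
    for finding in find_revocation_gaps(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, "2019-01-14"):
        print(finding)
```

Running this on a schedule, and keeping the output, does double duty: it closes the gap the passage describes and it produces the evidence that the documented procedure is actually being followed.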
4. Risk Assessment
Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.
Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.
And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.