Community Health Systems (CHS) Breach Brings New Focus on Network Security

March 31, 2014

The recent systems breach at Community Health Systems (CHS) is a wakeup call for all medical practices to take a closer look at the strength of their network security.  Virtually every medical practice utilizes some degree of Electronic Protected Health Information (ePHI) in their day-to-day operations. For example, ePHI may be contained in network servers, electronic health record systems (EHR), practice management systems, and billing records, in addition to the equipment that creates, maintains, transmits or stores ePHI.  Even practices that were previously exempt from HIPAA are considered covered entities under Texas law and must protect patient data.

CSO Online, a website that provides news, analysis and research on security topics, is reporting that the Heartbleed bug is to blame for the CHS breach. In April 2014, TMLT first alerted policyholders about the dangers of the Heartbleed Bug and encouraged all practices to assess possible vulnerabilities resulting from this threat.

In the wake of the CHS breach, Tony Nelson, CISSP, of Artanis Solutions, Inc., offers a few practical tips for practices and their IT or network administrators to consider:

  • Firewall Security is minimum protection for your network and an integral part of your overall defense-in-depth network security:
    • Ensure your firewall rules are up-to-date and documented.
    • Configure your firewall to send alerts of suspicious network traffic to your IT/network staff.
    • Firewall logs should be routinely reviewed by IT/network administrators.
  • Consider technology advances to detect and prevent network intrusion. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor and respond to potential malicious activity on your network.
  • Consider encryption of data at rest on your servers. Even if your network was hacked, an encrypted server would not allow protected or sensitive data to be accessed in a usable format.
  • Consider penetration testing. Penetration testing should be done annually to detect issues with network security.
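As an added example (not code from the article, TMLT or Artanis Solutions) of what the routine firewall log review recommended above can automate, this Python script parses constructed deny-log lines in an assumed generic layout, counts denies per outside source, and flags sources that were denied many times or against many distinct ports. Lines it cannot parse are counted and reported rather than silently dropped, since a changed log format would otherwise hide everything.

```python
import re
from collections import Counter, defaultdict

# Assumed generic line layout for this example; a real firewall (pfSense,
# Cisco ASA, Windows Firewall) has its own format and needs its own regex.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)$"
)

# Constructed sample log: one outside host probing several ports on an
# internal server, one ordinary HTTPS client, and one malformed line.
SAMPLE_LOG = """\
2014-04-15 08:12:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2014-04-15 08:12:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2014-04-15 08:12:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2014-04-15 08:12:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2014-04-15 08:12:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=1433
2014-04-15 08:15:10 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2014-04-15 08:15:11 DENY src=198.51.100.4 dst=192.0.2.10 dport=80
this line is deliberately malformed and must be counted, not dropped
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_denies(log_text, min_denies=5, min_ports=3):
    """Count DENY events per source address and flag any source denied at
    least min_denies times or against at least min_ports distinct ports."""
    denies = Counter()
    ports = defaultdict(set)
    unparsed = 0
    for raw in filter(None, log_text.splitlines()):
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1  # format drift or tampering: report it, never ignore it
            continue
        if rec["action"] == "DENY":
            denies[rec["src"]] += 1
            ports[rec["src"]].add(int(rec["dport"]))
    flagged = sorted(
        src for src, n in denies.items()
        if n >= min_denies or len(ports[src]) >= min_ports
    )
    return {"denies": dict(denies), "ports": {s: sorted(p) for s, p in ports.items()},
            "flagged": flagged, "unparsed": unparsed}
```

Run `review_denies(SAMPLE_LOG)` and treat each flagged source and any non-zero unparsed count as an item for the administrator's review.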

The HIPAA Security Rule contains three categories of safeguard, outlined in the Security Matrix below:

  • Administrative
  • Physical
  • Technical

Each safeguard has a number of security standards that must be met by medical practices and their Business Associates.  The HIPAA Security Rule requires a covered entity to comply with the safeguards and standards.  Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a covered entity will protect the confidentiality, integrity, and availability of ePHI.

The following Security Matrix is found in many HHS publications.

Each entry below gives the standard and its section, followed by its implementation specifications: (R) = Required, (A) = Addressable. Standards shown without sub-items have no separate implementation specifications in the matrix.

ADMINISTRATIVE SAFEGUARDS

  • Security Management Process, § 164.308(a)(1)
    • Risk Analysis (R)
    • Risk Management (R)
    • Sanction Policy (R)
    • Information System Activity Review (R)
  • Assigned Security Responsibility, § 164.308(a)(2)
  • Workforce Security, § 164.308(a)(3)
    • Authorization and/or Supervision (A)
    • Workforce Clearance Procedure (A)
    • Termination Procedures (A)
  • Information Access Management, § 164.308(a)(4)
    • Isolating Health Care Clearinghouse Functions (R)
    • Access Authorization (A)
    • Access Establishment and Modification (A)
  • Security Awareness and Training, § 164.308(a)(5)
    • Security Reminders (A)
    • Protection from Malicious Software (A)
    • Log-in Monitoring (A)
    • Password Management (A)
  • Security Incident Procedures, § 164.308(a)(6)
    • Response and Reporting (R)
  • Contingency Plan, § 164.308(a)(7)
    • Data Backup Plan (R)
    • Disaster Recovery Plan (R)
    • Emergency Mode Operation Plan (R)
    • Testing and Revision Procedures (A)
    • Applications and Data Criticality Analysis (A)
  • Evaluation, § 164.308(a)(8)
  • Business Associate Contracts and Other Arrangements, § 164.308(b)(1)
    • Written Contract or Other Arrangement (R)

PHYSICAL SAFEGUARDS

  • Facility Access Controls, § 164.310(a)(1)
    • Contingency Operations (A)
    • Facility Security Plan (A)
    • Access Control and Validation Procedures (A)
    • Maintenance Records (A)
  • Workstation Use, § 164.310(b)
  • Workstation Security, § 164.310(c)
  • Device and Media Controls, § 164.310(d)(1)
    • Disposal (R)
    • Media Re-use (R)
    • Accountability (A)
    • Data Backup and Storage (A)

TECHNICAL SAFEGUARDS

  • Access Control, § 164.312(a)(1)
    • Unique User Identification (R)
    • Emergency Access Procedure (R)
    • Automatic Logoff (A)
    • Encryption and Decryption (A)
  • Audit Controls, § 164.312(b)
  • Integrity, § 164.312(c)(1)
    • Mechanism to Authenticate Electronic Protected Health Information (A)
  • Person or Entity Authentication, § 164.312(d)
  • Transmission Security, § 164.312(e)(1)
    • Integrity Controls (A)
    • Encryption (A)

ORGANIZATIONAL REQUIREMENTS

  • Business associate contracts or other arrangements, § 164.314(a)(1)
    • Business Associate Contracts (R)
    • Other Arrangements (R)
  • Requirements for Group Health Plans, § 164.314(b)(1)
    • Implementation Specifications (R)

POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

  • Policies and Procedures, § 164.316(a)
  • Documentation, § 164.316(b)(1)
    • Time Limit (R)
    • Availability (R)
    • Updates (R)

TMLT formed the Product Development and Consulting Services department to respond to changes in the health care industry and physician practice needs.

TMLT has invested tremendous resources in our claims and risk management services to provide expert advice to our insured physicians.  One of the primary objectives of our department is to expand the access to this expertise on a fee-based consulting basis – with current policyholders and prospective clients – including developing new products to meet evolving medical professional liability market needs.

TMLT is ready to help physician practices work through the To Do List below as needed.

To Do List and TMLT Solution

POLICIES AND PROCEDURES - REVIEW AND UPDATE
To do: HIPAA and Texas Medical Privacy and Security require you to have updated policies and procedures.
Solution: TMLT Privacy and Security Toolkit
  • The toolkit guides practices with existing policies through a review and highlights what revisions need to be made.
  • It also guides practices that are just developing policies and procedures to understand the HIPAA rules and Texas law.

NOTICE OF PRIVACY PRACTICES (NPP) - REVIEW AND UPDATE
To do: Recent changes to HIPAA (Omnibus Rule) and Texas Medical Privacy and Security require you to revise your Notice of Privacy Practices.
Solution: Notice of Privacy Practices
  • An important document that tells your patients how you will use and disclose their protected health information (PHI).
  • Changes with Omnibus require you to review and revise your NPP.
  • Changes to Texas law require you to notify patients if you electronically disclose PHI.

BUSINESS ASSOCIATE (BA) & BUSINESS ASSOCIATE AGREEMENT (BAA) - IDENTIFY ALL BAs & REVIEW AND REVISE BAAs
To do: BAs are now held to the same requirements under HIPAA as Covered Entities (CE).
Solution: Business Associates and Business Associate Agreements
  • Identify all your BAs: anyone with whom you share PHI.
  • Determine whether you had an existing BAA with them prior to March 26, 2013; if yes, you have until September 22, 2014 to get an updated BAA signed.
  • If you did not have a BAA, get one signed as soon as possible.
  • Learn more about BAs and BAAs in TMLT’s Privacy and Security Toolkit.

SECURITY RISK ANALYSIS
Solution:
  • TMLT staff can conduct a Security Risk Analysis for your practice.
  • The Security Rule requires a Risk Analysis if you do electronic billing or have an EHR.
  • Meaningful Use requires a Risk Analysis annually.

TRAINING
To do: Physician and Staff HIPAA Training
Solution: TMLT Privacy and Security Toolkit
  • Includes “Introduction to Developing Physician Office Training”.
  • TMLT can develop training for your office.
  • Texas law is more stringent than federal law on training.

KNOW YOUR STATE LAW
Solution: TMLT Privacy and Security Toolkit
  • The Comparison Tool highlights Texas and federal law differences.
For additional information on TMLT’s Toolkit, Risk Analysis or consulting services, call Stephanie Downing at 1-800-580-8658.
