The recent systems breach at Community Health Systems (CHS) is a wakeup call for all medical practices to take a closer look at the strength of their network security. Virtually every medical practice utilizes some degree of Electronic Protected Health Information (ePHI) in their day-to-day operations. For example, ePHI may be contained in network servers, electronic health record systems (EHR), practice management systems, and billing records, in addition to the equipment that creates, maintains, transmits or stores ePHI. Even practices that were previously exempt from HIPAA are considered covered entities under Texas law and must protect patient data.
CSO Online, a website that provides news, analysis and research on security topics, is reporting that the Heartbleed bug is to blame for the CHS breach. In April 2014, TMLT first alerted policyholders about the dangers of the Heartbleed Bug and encouraged all practices to assess possible vulnerabilities resulting from this threat.
In wake of the CHS breach, Tony Nelson, CISSP with Artanis Solutions, Inc. has a few practical tips for practices and their IT or network administrators to consider:
- Firewall Security is minimum protection for your network and an integral part of your overall defense-in-depth network security:
- Ensure your firewall rules are up-to-date and documented.
- Configure your firewall to send alerts of suspicious network traffic to your IT/network staff (e.g. suspicious network traffic).
- Firewall logs should be routinely reviewed by IT/network administrators.
- Consider technology advances to detect and prevent network intrusion. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor and respond to potential malicious activity on your network.
- Consider encryption of data at rest on your servers. Even if your network was hacked, an encrypted server would not allow protected or sensitive data to be accessed in a usable format.
- Consider penetration testing. Penetration testing should be done annually to detect issues with network security.
The HIPAA Security Rule contains three categories of safeguard, outlined in the Security Matrix below:
- Administrative
- Physical
- Technical
Each safeguard has a number of security standards that must be met by medical practices and their Business Associates. The HIPAA Security Rule requires a covered entity to comply with the safeguards and standards. Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a covered entity will protect the confidentiality, integrity, and availability of ePHI.
The following Security Matrix is found in many HHS publications.
|
ADMINISTRATIVE SAFEGUARDS |
|||
|
Standards |
Sections |
Implementation Specifications (R)= Required, (A)=Addressable |
|
|
Security Management Process |
§ 164.308(a)(1) |
Risk Analysis |
(R) |
|
Risk Management |
(R) |
||
|
Sanction Policy |
(R) |
||
|
Information System Activity Review |
(R) |
||
|
|
|||
|
Assigned Security Responsibility |
§ 164.308(a)(2) |
|
|
|
Workforce Security |
§ 164.308(a)(3) |
Authorization and/or Supervision |
(A) |
|
Workforce Clearance Procedure |
(A) |
||
|
Termination Procedures |
(A) |
||
|
Information Access Management |
§ 164.308(a)(4) |
Isolating Health Care Clearinghouse Functions |
(R) |
|
Access Authorization |
(A) |
||
|
Access Establishment and Modification |
(A) |
||
|
Security Awareness and Training |
§ 164.308(a)(5) |
Security Reminders |
(A) |
|
|
Protection from Malicious Software |
(A) |
|
|
|
|||
|
Log-in Monitoring |
(A) |
||
|
Password Management |
(A) |
||
|
Security Incident Procedures |
§ 164.308(a)(6) |
Response and Reporting |
(R) |
|
Contingency Plan |
§ 164.308(a)(7) |
Data Backup Plan |
(R) |
|
Disaster Recovery Plan |
(R) |
||
|
Emergency Mode Operation Plan |
(R) |
||
|
|
|||
|
Testing and Revision Procedures |
(A) |
||
|
Applications and Data Criticality Analysis |
(A) |
||
|
Evaluation |
§ 164.308(a)(8) |
|
|
|
Business Associate Contracts and Other Arrangements |
§ 164.308(b)(1) |
Written Contract or Other Arrangement |
(R) |
|
PHYSICAL SAFEGUARDS |
|||
|
Standards |
Sections |
Implementation Specifications (R)= Required, (A)=Addressable |
|
|
Facility Access Controls |
§ 164.310(a)(1) |
Contingency Operations |
(A) |
|
|
Facility Security Plan |
(A) |
|
|
Access Control and Validation Procedures |
(A) |
||
|
|
|||
|
Maintenance Records |
(A) |
||
|
Workstation Use |
§ 164.310(b) |
|
|
|
Workstation Security |
§ 164.310(c) |
|
|
|
Device and Media Controls |
§ 164.310(d)(1) |
Disposal |
(R) |
|
Media Re-use |
(R) |
||
|
Accountability |
(A) |
||
|
Data Backup and Storage |
(A) |
||
|
TECHNICAL SAFEGUARDS |
|||
|
Standards |
Sections |
Implementation Specifications (R)= Required, (A)=Addressable |
|
|
Access Control |
§ 164.312(a)(1) |
Unique User Identification |
(R) |
|
|
|
Emergency Access Procedure |
(R) |
|
|
|||
|
Automatic Logoff |
(A) |
||
|
Encryption and Decryption |
(A) |
||
|
Audit Controls |
§ 164.312(b) |
|
|
|
Integrity |
§ 164.312(c)(1) |
Mechanism to Authenticate Electronic Protected Health Information |
(A) |
|
Person or Entity Authentication |
§ 164.312(d) |
|
|
|
Transmission Security |
§ 164.312(e)(1) |
Integrity Controls |
(A) |
|
Encryption |
(A) |
||
|
ORGANIZATIONAL REQUIREMENTS |
|||
|
Standards |
Sections |
Implementation Specifications (R)= Required, (A)=Addressable |
|
|
Business associate contracts or other arrangements |
§ 164.314(a)(1) |
Business Associate Contracts |
(R) |
|
Other Arrangements |
(R) |
||
|
Requirements for Group Health Plans |
§ 164.314(b)(1) |
Implementation Specifications |
(R) |
|
POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS |
|||
|
Standards |
Sections |
Implementation Specifications (R)= Required, (A)=Addressable |
|
|
Policies and Procedures |
§ 164.316(a) |
|
|
|
Documentation |
§ 164.316(b)(1) |
Time Limit |
(R) |
|
Availability |
(R) |
||
|
Updates |
(R) |
||
TMLT formed the Product Development and Consulting Services department to respond to changes in the health care industry and physician practice needs.
TMLT has invested tremendous resources in our claims and risk management services to provide expert advice to our insured physicians. One of the primary objectives of our department is to expand the access to this expertise on a fee-based consulting basis – with current policyholders and prospective clients – including developing new products to meet evolving medical professional liability market needs.
TMLT is ready to help physician practices meet with their To Do List as needed.
|
To Do List |
Solution |
|---|---|
|
POLICIES AND PROCEDURES - REVIEW AND UPDATE HIPAA and Texas Medical Privacy and Security require you to have updated policies and procedures |
TMLT Privacy and Security Toolkit
|
|
NOTICE OF PRIVACY PRACTICES (NPP) - REVIEW AND UPDATE Recent changes to HIPAA (Omnibus Rule) and Texas Medical Privacy and Security require you to revise your Notice of Privacy Practices |
Notice of Privacy Practices
|
|
BUSINESS ASSOCIATE (BA) & BUSINESS ASSOCIATE AGREEMENT (BAA) - IDENTIFY ALL BAs & REVIEW AND REVISE BAAs BAs are now held to the same requirements under HIPAA as Covered Entities (CE) |
Business Associates and Business Associate Agreements
|
|
SECURITY RISK ANALYSIS
|
|
|
TRAINING Physician and Staff HIPAA Training |
TMLT Privacy and Security Toolkit
|
|
KNOW YOUR STATE LAW
|
TMLT Privacy and Security Toolkit
|
For additional information on TMLT’s Toolkit, Risk Analysis or consulting services; call Stephanie Downing at 1-800-580-8658.
