July 22, 2021
While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research and shopping to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its wake.
Now if there’s one industry that truly feels both edges of that sword, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is now easier than ever before, the rising number of healthcare data breaches and cyber attacks seen over recent years has exposed the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risk has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently, the main focus of its Summer 2021 Cybersecurity Newsletter.
The newsletter, titled “Controlling Access to ePHI: For Whose Eyes Only?”, highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to hand the keys of the castle to just anyone, technology has made access a possibility for anyone with a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers that you have to worry about: the same security incident report also found that 39% of those data breaches were actually committed by insiders.
Though most fairy tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. Alongside the multi-million dollar hacking schemes that we see all too often are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended. So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place.
When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail?
Information Access Management
This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include?
- The Access Authorization implementation specification (try saying that one three times fast) outlines how covered entities and business associates authorize access to ePHI within their organization. This includes policies on the criteria and the person responsible for granting ePHI access, as well as the parameters that define what type of information access is necessary for a specific workforce role. For example, someone who handles the billing or accounting for your practice probably wouldn’t need access to medical images held on a separate system.
- Other policies on Access Establishment and Modification cover how to establish, document, review, and modify a user’s access to IT systems or processes. This is something that has become increasingly prevalent during the COVID-19 pandemic as many organizations have turned to remote operations and patient care. Policies and procedures should cover scenarios such as the transition to remote work in order to ensure that each staff member is only provided access to what’s appropriate for their specific role, no matter where they’re working from.
Access Control
In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organization’s Information Access Management policy. The OCR’s newsletter describes the necessary controls in keeping with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they see fit. It also lists four implementation specifications:
- Unique User Identification is a key security requirement for systems containing ePHI. This implementation specification is necessary for identifying and tracking who is doing what within the system, so that in the event of impermissible access the person responsible is much easier to determine.
- Emergency Access Procedure is another requirement, covering situations where the normal procedures for accessing ePHI might be unavailable, such as when power or internet connectivity is lost. These procedures should be established before an event occurs and should be included within your organization’s Disaster Recovery Plan.
- Automatic Logoff is an implementation specification that’s important in any instance where a staff member leaves a workstation unattended or an emergency situation makes manual logoff unavailable. Having an additional safeguard in place to “time a session out” after inactivity helps to reduce the chance of unauthorized access.
- And last but certainly not least, Encryption. This is an essential technical safeguard, vital to ensuring that ePHI is made unusable and unreadable if a hacker or other unauthorized individual gains access, and it should be applied to all electronically housed data both in transit and at rest.
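To make the role-based Access Authorization example above and three of the four Access Control specifications concrete, here is an added illustration (not from the OCR newsletter or this post) of a small ePHI gateway: it checks every request against a role permission table, ties each action to a unique user id in an audit trail, and logs a session off after an inactivity window. The roles, resource names and the 15-minute threshold are assumptions made up for the example; encryption is out of scope here.

```python
import time
from dataclasses import dataclass

# Assumed Access Authorization policy: each workforce role is granted only the
# ePHI categories its job needs (the billing-vs-imaging example from the text).
ROLE_PERMISSIONS = {
    "billing": {"claims", "demographics"},
    "radiologist": {"medical_images", "demographics"},
}
INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumed Automatic Logoff threshold


@dataclass
class Session:
    user_id: str        # Unique User Identification: one id per person, never shared
    role: str
    last_activity: float


class EphiGateway:
    """Mediates every ePHI access and records the outcome in an audit trail."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so inactivity can be simulated in tests
        self.sessions = {}      # user_id -> Session
        self.audit_log = []     # (timestamp, user_id, resource, outcome)

    def login(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.sessions[user_id] = Session(user_id, role, self.clock())

    def access(self, user_id, resource):
        """Return True only if the user has a live session and the role permits it."""
        now = self.clock()
        session = self.sessions.get(user_id)
        if session is None:
            outcome = "denied: no session"
        elif now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self.sessions[user_id]      # Automatic Logoff after inactivity
            outcome = "denied: session timed out"
        elif resource not in ROLE_PERMISSIONS[session.role]:
            outcome = "denied: not authorized for role"
        else:
            session.last_activity = now     # successful use keeps the session alive
            outcome = "allowed"
        # Every attempt, allowed or denied, is logged under the user's unique id.
        self.audit_log.append((now, user_id, resource, outcome))
        return outcome == "allowed"
```

The audit log is what lets a reviewer answer "who accessed what, and when" after a suspected impermissible access.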
So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards provided above, and ensuring all staff members are trained on proper access, is the next best thing.