The accidental disclosure of electronic Protected Health Information stored on one of Idaho State University’s servers has led to the Department of Health and Human Services’ Office for Civil Rights has issuing a large fine.
The University discovered that a server holding data on one of its HIPAA-covered clinics accidentally had the firewall disabled leading to a 10-month data security violation.
The OCR review found three main areas of non-compliance: A HIPAA Risk Analysis had clearly not been carried out, as if that had been the case, the deactivated server would have been discovered. There was no risk management process active which also could have found the problem and thirdly, an Information System Activity Review had not been completed. The HIPAA Security Rule requires all three of these procedures be implemented at a healthcare organization in order to be HIPAA-compliant. It was clear that ISU had, albeit unknowingly, violated HIPAA regulations without the OCR having to complete a full compliance assessment.
OCR Director, Leon Rodriguez said: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program”. Ensuring current systems have the required safeguards used to ensure data security is maintained does not mean that those measures will always remain in place.
Updates to policies, strategies and procedures should naturally follow rule amendments and the introduction of new legislation, but organizations should not wait for congress to introduce stricter measures before revising current data protection systems and internal policies. Data security needs to be monitored, tested and updated constantly to ensure that it still confirms to the same standards as when it was introduced, and in the case of Firewalls, to ensure they are still place.
Any healthcare organization that has taken steps to become HIPAA-compliant yet has not finished a further Security Risk Analysis or Information System Activity Review is in all likelihood now breachng HIPAA regulations. If audited it could be his with sanctions for non-compliance. Along with financial penalties, the OCR requires that organizations read the guidance released via its website, which clearly outline what is required in order to be HIPAA compliant. All HIPAA-covered bodies are obliged to read these guidelines.
HIPAA regulations often do not spell out the means by which a rule must be adhered to and some flexibility is allowed for organizations to apply the controls which are most suitable to work with the systems currently they have in place. There are some areas of data security that can be easily missed out, especially by smaller healthcare organizations and those recently included by HIPAA Rule amendments.
Included in these are :
- Install Firewalls and Check they are Working
- Firewalls are an obstacle between your internal computer systems and everyone else with internet access. They are vital to stop your data from being accessible freely on the internet and to stop hackers carrying out targeted attacks to steal PHI data. Firewalls can be 100% effective once they are switched on and the license is in date. When a firewall is turned off, it means hackers can gain access a computer and firewall rules can be altered to maintain access when it is reactivated.
- Implementing Very Restrictive Anti-Virus Policies
- Firewalls can protect a system from intrusion and many have anti-virus features, although additional controls should be employed to prevent accidental infection. These measure must be updated on a regular basis routinely, licenses checked and systems scanned persistently as an additional control safeguard to ensure that should an infection have gotten through controls, that it is quickly identified and amended. A firewall and antivirus software should be installed and watched by a qualified IT Professional.
- Security Monitoring on an Ongoing Basis
- Not all network violations raise alarms as the ISU security breach clearly remarked. Data security measures are only effective if they are active and firewalls can be switched off by mistake. It is therefore important to conduct regular data security checks and there are many advantages to employing an external data security company to continuously monitor data security and integrity; regularly update software, conduct the necessary reviews and provide documentation that these safeguards have been performed.
- Keep a Record of all HIPAA Compliance and Data Security Safeguards Employed
- Putting in place the required controls under HIPAA to protect ePHI and computer systems from infiltration is only part of compliance. Should an organization be audited, documentation must be shown as evidence of the measures undertaken. Details of security settings in place must be provided, maintenance records kept, software upgrades and patches trackedd and provided to the OCR during an audit.
Details of Information System Activity Reviews, HIPAA Risk Analyses and their result and risk management processes must be documented, dated and accessible to auditors. An organization must be able to prove that they are adhering with HIPAA compliance rule.
