High-profile data breaches have lately affected consumer and financial entities from Target and Home Depot to JPMorgan Chase, but they haven’t occurred at quite the same level for healthcare organizations—yet. Coalfire, an independent IT audit firm with offices throughout the United States, specializes in HIPAA compliance and data security for its healthcare clients. We spoke with Andrew Hicks, practice director for Coalfire’s healthcare division, who says that when it comes to HIPAA compliance, a checklist mentality only takes facilities partway. He offered some advice on spotting security blind spots, the differences between a gap assessment and a risk analysis, and how small organizations can get started locking down their sensitive data.

24×7: How did you get involved with IT compliance?

Hicks: I’ve been doing this almost 15 years now. I kind of stumbled into IT security and compliance when I came out of college. I knew I wanted to do something in information technology; I just didn’t know what. I’ve done IT audit, and that rolled over into more of an IT security-focused role, and that got defined into healthcare. Coalfire is IT security compliance. They’re all very much interrelated.

24×7: What is Coalfire’s emphasis?

Hicks: Coalfire has been around for about 13 years. We started with doing PCI compliance—that’s compliance for the processing of credit card numbers and how those numbers are secured. From there we merged into healthcare, which is the area where I’m the practice director. I’m responsible for making sure that our offices are all standardized regarding our methodology and that we all achieve a holistic, comprehensive assessment that ties back to what the industry requirements are at any given point. The biggest differentiator between us and other companies is that we don’t sell anything outside of services. We come in and do advisory and consulting, but we’ll never sell a company anything over and above advice. We would never come in and say, “You need to implement a data loss prevention solution—and by the way, we can sell you that.”

24×7: What exactly do the HIPAA compliance requirements stipulate?

Hicks: This goes back to 1996, when the original Health Insurance Portability and Accountability Act came out. There were two parts—the Privacy Rule in 1996 and the Security Rule in 2003. We don’t do a whole lot of Privacy Rule assessments. We’re more on the security side, which tends to be more electronic and technology-based. Since then, we’ve seen HITECH (the Health Information Technology for Economic and Clinical Health Act). That was in 2009. It broadened the scope of how we do our assessments. The Omnibus Rule came out in 2013. It’s those three major regulations that we are trying to conform our regulations to. So when a company says, “We want to be HIPAA-compliant,” that means the Security Rule, Privacy Rule, HITECH, Omnibus—all of those different things.

24×7: For the security rule, what is required of organizations from a compliance standpoint?

Hicks: At a high level, there are required administrative safeguards. Those would be policies and procedures, business process controls. There are physical safeguards, making sure that only authorized people have access into facilities that contain patient information—so things like keycards and badges. There are technical safeguards. Those are things like integrity controls, audit controls, logging and monitoring, encryption.

On top of that, there are organizational requirements around making sure that you have business associate agreements in place with your downstream vendors, if you have those relationships. A business associate agreement is a contract with the vendor that says, “As the business associate, I agree that I am HIPAA-compliant and I meet all the requirements.”

In today’s environment, we try to have our covered entities customize those agreements so they include right-to-audit clauses, so they can go in periodically and make sure the downstream vendor is actually satisfying their obligation to be compliant. Some facilities think that if they hire a third party through their data center, that gets them off the hook for compliance and they’re more or less outsourcing risk. In some ways that is true, but you’ve got to do your due diligence on your own side to make sure they really are protecting it.

The last one is documentation requirements—policies and procedures for how long you retain your policies and how you make your policies available.

24×7: Does purchasing an EMR automatically make a hospital HIPAA-compliant?

Hicks: Epic, Cerner, McKesson—all these companies that develop these EMR/EHR technologies—are adapting to what IT security means and implementing the right controls into their software. We’re seeing that, and that’s good.

But because a hospital goes out and buys one of these EMR applications, that doesn’t mean that they are automatically compliant by any stretch of the imagination. Sure, they can leverage what controls are in place in the technology, but part of what they’re on the hook for is understanding where all their electronic protected health information is throughout the entire company.

So it’s not just the EMR system, because those systems could have integrations to other systems, other databases, and applications. They may push data out of the corporate network. You have to understand the business process and how they interact with data. It’s way more holistic than just a piece of software.

24×7: Do you have any sense of how many companies understand that?

Hicks: Most of those companies tend to be on the business associate side. These are smaller companies that have been pulled into HIPAA just because of the kind of data they have, like billing companies or cloud service providers. They’re not set up to be HIPAA-compliant; they’re just getting dragged into it by their covered entities. They don’t know what the regulations are.

24×7: Are there any other common misperceptions?

Hicks: That HIPAA is once and done. A lot of companies think that once they’ve written their policies or done a HIPAA gap assessment, they’re done. Same with the compliance assessment. We constantly tell our customers, “Do assessments on an annual basis. That way you’re covered, you know the vulnerabilities to your environment.” OCR (the Office for Civil Rights) doesn’t actually require an annual assessment, but just knowing the speed of the industry, an annual assessment is certainly a worthwhile activity.

The other time for an assessment is with any big changes to the environment. Companies that go through the merger and acquisition process, for example, should do one at that point. You’re integrating systems and integrating people, and there could be major vulnerabilities that slip through the cracks that wouldn’t go noticed until you do your annual assessment later in the year.

When we do our assessments, we’re primarily focused on the IT group, but we also include control owners from HR, legal, and the various business functions that utilize ePHI. IT will say, “We have these five IT applications and these 10 databases.” But when we actually go on-site and start talking with the business, the business knows a lot of information IT doesn’t know. They may say, “Just so you know, we get direct feeds from our production SQL database that we pull over into our Access database.” So now IT has no visibility into that. IT doesn’t know everything about the flows of data. It’s really important to keep others integrated into that process as well.

24×7: What about security blind spots?

Hicks: Besides the repeatability of constantly measuring the compliance program, and besides the overall footprint—the environmental characterization of data—there’s a lot of confusion between what a risk assessment is versus a gap assessment or a compliance assessment. A risk analysis is the number one requirement, and we constantly see companies that do it wrong, don’t do it, or have no idea what they’re doing. There could be vulnerabilities that they’re flat out missing because they have a poor process for risk analysis, or in the case of an OCR audit, OCR would come in and say, “You fail.”

24×7: So what are the differences?

Hicks: When we’re talking compliance, there’s a gap assessment. For each HIPAA requirement, I want to know exactly what controls you have in place to counteract those requirements. One may be encryption of data at rest. How are you encrypting that data? If you’re not encrypting data, that becomes a gap and we need to talk about that. A gap assessment is more aligned with the design of a control. The second phase is a compliance assessment, which is understanding the operating effectiveness of a control. You’re telling me a control is in place, but now you’re actually proving to me that there are no anomalies, that the control is functioning as intended.

The risk assessment or analysis is designed to understand risks and vulnerabilities. What are the motivating factors that could exploit my data? Threats could be hurricanes or hackers. Vulnerabilities could be the source that those threat agents utilize to breach data. Vulnerabilities could be unlocked doors or poor user access processes. Along the way, you evaluate the likelihood of that scenario taking place, and if that scenario did take place, what is the impact to your data or your organization?

The next thing you consider is the control that’s in place to mitigate that threat source from using that vulnerability to breach data. Once you consider all that, then the outcome is the residual risk. Now that I’ve considered the threat, the vulnerability, and the control, there’s probably a low likelihood of that scenario happening.

There’s no requirement for how you become HIPAA compliant. Rather, you must be able to prove that you’ve performed a risk analysis and how you are satisfying the HIPAA requirements. To satisfy the OCR and to remove any guesswork, these activities are best handled by a third-party assessor.

24×7: What are the advantages and disadvantages for healthcare organizations of hiring a third party such as Coalfire to complete their risk assessment?

Hicks: If you’re doing it internally, the advantages are that it’s cheaper. You have better control over your schedule. You have the internal knowledge of your systems, so you wouldn’t have to explain yourself to a third party. There are some tools out there that can help companies go through it. They’re generally aligned with small and medium-size businesses.

Externally, there are a ton of advantages—the biggest being that you have an independent opinion that comes from a person that knows the healthcare industry and knows IT security. They’ve been doing this for anywhere from 2 to 15 years. It’s going to be a better outcome. It’s going to conform to a certain time frame. There won’t be time creep unless the scope changes. It’s a comprehensive assessment. If there’s ever a breach and OCR investigates, having a third party look at your overall compliance is going to have a lot more weight than doing it internally.

The problem we see with doing it internally is that companies miss things because they don’t have that subject matter expert. If you look at a doctor’s office, for example, it’s generally going to be subbed out to the office manager or somebody who is going to be reading questions and trying to figure out an appropriate answer. Some things may not get addressed as they should be. HIPAA compliance is not a checklist-based activity. Compliance activities should be handled by someone with IT security and healthcare experience.

24×7: Do you ever run into political resistance when you identify certain security holes?

Hicks: [Laughing] Yeah, we do. The ideal scenario is that we don’t get hired by the IT department of an organization. While we can certainly add value to the IT organization, the results of our assessments are best received by someone outside of IT. Typically, this is legal, compliance, or risk management—someone that’s going to appreciate our independent assessment results and take action. If we’re telling IT what they’re doing wrong, they’re not going to want to hear that, especially if they have to push the report upstream. They think heads are going to roll, so they try to soften or eliminate a lot of the findings.

We have no reason to put things that are erroneous or misleading in a report. Especially if there are test results where we have proof or evidence, we would not change our opinion to satisfy the political environment there.

24×7: How do you suggest organizations deal with personal electronic devices coming into the healthcare setting?

Hicks: You’ve got to make a decision upfront: Do you embrace the technology, or do you prohibit it? If you welcome mobile devices into your environment, obviously you have a lot of work to do in how you safeguard data that could potentially flow to those. They could be personally owned or company-provided devices, but if they’re able to connect to your company network—which means you can get email to your devices, you can save a message to a personal USB device—all that has to be considered, and there are huge, huge risks there. It’s not that they can’t be secured, but you just have to acknowledge that you have a lot of work to do.

24×7: Is security easier if companies issue their own devices?

Hicks: If the company is providing a device, they own it, so they can mandate what’s required to be on it—you can require a PIN, the ability to remote wipe, you can turn the tracking feature on, you can encrypt the data. You have control over it. When an employee leaves, you can deactivate it or remote wipe it. We haven’t seen a lot of breaches related to personal devices yet, but it’s only a matter of time. If I bring my personal laptop in, and I’m connected to the network and pulling PHI down to it and I lose my laptop, the company has zero visibility into that.

24×7: Where should small organizations that are overwhelmed by these requirements start?

Hicks: They should start looking at the OCR’s website. They have some good YouTube videos, template business associate agreements (BAAs), a risk analysis tool. That’s a good starting point. There’s also the National Institute of Standards and Technology (NIST). NIST 800-66 is a guide for implementing the HIPAA Security Rule. There’s also a series called the HIPAA Security Series that the Department of Health and Human Services put out about 12 years ago that walks through all the requirements. It will tell you what each requirement is designed to do and how you should assess compliance. It’s a lot of reading.

The problem is that both the Privacy and Security Rules were written to be extremely vague. You’re not going to see requirements like “minimum password length of eight characters; expiration of 90 days.” There’s nothing that says you need to consider cloud environment, devices, offshoring of data. If you’re just going line by line through the requirements, you’re not going to think about mobile devices, copy machines that have hard drives in them, or cloud providers. If you look at it as a checklist, you will never be compliant. There’s way more you need to understand.

24×7: How much time should be set aside for this process?

Hicks: It depends. If we’re talking a physician’s practice, to come away with something meaningful, about 80 hours. A hospital could be hundreds of hours.

24×7: How is security in the healthcare sector different from the other areas Coalfire is involved in?

Hicks: There’s this conflict of being able to provide patient care in a timely manner without hindering security. We fight that fight a lot—what is the right amount of control over data that doesn’t prohibit a doctor from performing patient care? The common thing we hear is that doctors don’t want passwords on any system. They want to be able to administer patient care without having to enter an eight-character complex password. We commonly hear, “We don’t want to encrypt the data because that might make the data unrecoverable.” Because of the nature of the business, they’re more willing to accept risk.

I think healthcare in general has always been looser about security. It seems like they’re more tolerant of vulnerabilities and noncompliance. Patient care is a hospital’s core competency. They’ve been slower to migrate over to getting that right balance of patient care and security.

24×7: Are there any upcoming regulation changes we should be aware of?

Hicks: We’re seeing a transition to a new director for the OCR. Leon Rodriguez moved over to a new role, Susan McAndrew retired, and now Jocelyn Samuels is the new director. It’s going to be really interesting to see what she does now. We all know the HIPAA requirements are so broad and vague and outdated, really. We’re hoping to see something come out that trumps what we have today, a much more authoritative requirement. We’re seeing continued penalties and enforcement for noncompliance, but unless you tell someone what you want and you’re very specific about it, you’re not going to get the results you want.

I preach this all the time: Don’t strive for compliance, strive for security. Adopt a framework, and build that into your data security program. By doing that, you will automatically get very close to satisfying the compliance requirement.

Jenny Lower is associate editor of 24×7 magazine. Contact her at [email protected].