High-profile data breaches have lately affected consumer and financial entities from Target and Home Depot to JPMorgan Chase, but they haven’t occurred at quite the same level for healthcare organizations—yet. Coalfire, an independent IT audit firm with offices throughout the United States, specializes in HIPAA compliance and data security for its healthcare clients. We spoke with Andrew Hicks, practice director for Coalfire’s healthcare division, who says that when it comes to HIPAA compliance, a checklist mentality only takes facilities partway. He offered some advice on spotting security blind spots, the differences between a gap assessment and a risk analysis, and how small organizations can get started locking down their sensitive data.

24×7: How did you get involved with IT compliance?

Hicks: I’ve been doing this almost 15 years now. I kind of stumbled into IT security and compliance when I came out of college. I knew I wanted to do something in information technology; I just didn’t know what. I’ve done IT audit, and that rolled over into more of an IT security-focused role, and that got defined into healthcare. Coalfire is IT security compliance. They’re all very much interrelated.

24×7: What is Coalfire’s emphasis?

Hicks: Coalfire has been around for about 13 years. We started with doing PCI compliance—that’s compliance for the processing of credit card numbers and how those numbers are secured. From there we merged into healthcare, which is the area where I’m the practice director. I’m responsible for making sure that our offices are all standardized regarding our methodology and that we all achieve a holistic, comprehensive assessment that ties back to what the industry requirements are at any given point. The biggest differentiator between us and other companies is that we don’t sell anything outside of services. We come in and do advisory and consulting, but we’ll never sell a company anything over and above advice. We would never come in and say, “You need to implement a data loss prevention solution—and by the way, we can sell you that.”

24×7: What exactly do the HIPAA compliance requirements stipulate?

Hicks: This goes back to 1996, when the original Health Insurance Portability and Accountability Act came out. There were two parts—the Privacy Rule in 1996 and the Security Rule in 2003. We don’t do a whole lot of Privacy Rule assessments. We’re more on the security side, which tends to be more electronic and technology-based. Since then, we’ve seen HITECH (the Health Information Technology for Economic and Clinical Health Act). That was in 2009. It broadened the scope of how we do our assessments. The Omnibus Rule came out in 2013. It’s those three major regulations that we are trying to conform our regulations to. So when a company says, “We want to be HIPAA-compliant,” that means the Security Rule, Privacy Rule, HITECH, Omnibus—all of those different things.

24×7: For the security rule, what is required of organizations from a compliance standpoint?

Hicks: At a high level, there are required administrative safeguards. Those would be policies and procedures, business process controls. There are physical safeguards, making sure that only authorized people have access into facilities that contain patient information—so things like keycards and badges. There are technical safeguards. Those are things like integrity controls, audit controls, logging and monitoring, encryption.

On top of that, there are organizational requirements around making sure that you have business associate agreements in place with your downstream vendors, if you have those relationships. A business associate agreement is a contract with the vendor that says, “As the business associate, I agree that I am HIPAA-compliant and I meet all the requirements.”

In today’s environment, we try to have our covered entities customize those agreements so they include right-to-audit clauses, so they can go in periodically and make sure the downstream vendor is actually satisfying their obligation to be compliant. Some facilities think that if they hire a third party through their data center, that gets them off the hook for compliance and they’re more or less outsourcing risk. In some ways that is true, but you’ve got to do your due diligence on your own side to make sure they really are protecting it.

The last one is documentation requirements—policies and procedures for how long you retain your policies and how you make your policies available.

24×7: Does purchasing an EMR automatically make a hospital HIPAA-compliant?

Hicks: Epic, Cerner, McKesson—all these companies that develop these EMR/EHR technologies—are adapting to what IT security means and implementing the right controls into their software. We’re seeing that, and that’s good.

But because a hospital goes out and buys one of these EMR applications, that doesn’t mean that they are automatically compliant by any stretch of the imagination. Sure, they can leverage what controls are in place in the technology, but part of what they’re on the hook for is understanding where all their electronic protected health information is throughout the entire company.

So it’s not just the EMR system, because those systems could have integrations to other systems, other databases, and applications. They may push data out of the corporate network. You have to understand the business process and how they interact with data. It’s way more holistic than just a piece of software.

24×7: Do you have any sense of how many companies understand that?

Hicks: Most of those companies tend to be on the business associate side. These are smaller companies that have been pulled into HIPAA just because of the kind of data they have, like billing companies or cloud service providers. They’re not set up to be HIPAA-compliant; they’re just getting dragged into it by their covered entities. They don’t know what the regulations are.

24×7: Are there any other common misperceptions?

Hicks: That HIPAA is once and done. A lot of companies think that once they’ve written their policies or done a HIPAA gap assessment, they’re done. Same with the compliance assessment. We constantly tell our customers, “Do assessments on an annual basis. That way you’re covered, you know the vulnerabilities to your environment.” OCR (the Office for Civil Rights) doesn’t actually require an annual assessment, but just knowing the speed of the industry, an annual assessment is certainly a worthwhile activity.

The other time for an assessment is with any big changes to the environment. Companies that go through the merger and acquisition process, for example, should do one at that point. You’re integrating systems and integrating people, and there could be major vulnerabilities that slip through the cracks that wouldn’t go noticed until you do your annual assessment later in the year.

When we do our assessments, we’re primarily focused on the IT group, but we also include control owners from HR, legal, and the various business functions that utilize ePHI. IT will say, “We have these five IT applications and these 10 databases.” But when we actually go on-site and start talking with the business, the business knows a lot of information IT doesn’t know. They may say, “Just so you know, we get direct feeds from our production SQL database that we pull over into our Access database.” So now IT has no visibility into that. IT doesn’t know everything about the flows of data. It’s really important to keep others integrated into that process as well.

24×7: What about security blind spots?

Hicks: Besides the repeatability of constantly measuring the compliance program, and besides the overall footprint—the environmental characterization of data—there’s a lot of confusion between what a risk assessment is versus a gap assessment or a compliance assessment. A risk analysis is the number one requirement, and we constantly see companies that do it wrong, don’t do it, or have no idea what they’re doing. There could be vulnerabilities that they’re flat out missing because they have a poor process for risk analysis, or in the case of an OCR audit, OCR would come in and say, “You fail.”

24×7: So what are the differences?

Hicks: When we’re talking compliance, there’s a gap assessment. For each HIPAA requirement, I want to know exactly what controls you have in place to counteract those requirements. One may be encryption of data at rest. How are you encrypting that data? If you’re not encrypting data, that becomes a gap and we need to talk about that. A gap assessment is more aligned with the design of a control. The second phase is a compliance assessment, which is understanding the operating effectiveness of a control. You’re telling me a control is in place, but now you’re actually proving to me that there are no anomalies, that the control is functioning as intended.

The risk assessment or analysis is designed to understand risks and vulnerabilities. What are the motivating factors that could exploit my data? Threats could be hurricanes or hackers. Vulnerabilities could be the source that those threat agents utilize to breach data. Vulnerabilities could be unlocked doors or poor user access processes. Along the way, you evaluate the likelihood of that scenario taking place, and if that scenario did take place, what is the impact to your data or your organization?

The next thing you consider is the control that’s in place to mitigate that threat source from using that vulnerability to breach data. Once you consider all that, then the outcome is the residual risk. Now that I’ve considered the threat, the vulnerability, and the control, there’s probably a low likelihood of that scenario happening.

There’s no requirement for how you become HIPAA compliant. Rather, you must be able to prove that you’ve performed a risk analysis and how you are satisfying the HIPAA requirements. To satisfy the OCR and to remove any guesswork, these activities are best handled by a third-party assessor.

24×7: What are the advantages and disadvantages for healthcare organizations of hiring a third party such as Coalfire to complete their risk assessment?

Hicks: If you’re doing it internally, the advantages are that it’s cheaper. You have better control over your schedule. You have the internal knowledge of your systems, so you wouldn’t have to explain yourself to a third party. There are some tools out there that can help companies go through it. They’re generally aligned with small and medium-size businesses.

Externally, there are a ton of advantages—the biggest being that you have an independent opinion that comes from a person that knows the healthcare industry and knows IT security. They’ve been doing this for anywhere from 2 to 15 years. It’s going to be a better outcome. It’s going to conform to a certain time frame. There won’t be time creep unless the scope changes. It’s a comprehensive assessment. If there’s ever a breach and OCR investigated, having a third party look at your overall compliance is going to have a lot more weight than doing it internally.

The problem we see with doing it internally is that companies miss things because they don’t have that subject matter expert. If you look at a doctor’s office, for example, it’s generally going to be subbed out to the office manager or somebody who is going to be reading questions and trying to figure out an appropriate answer. Some things may not get addressed as they should be. HIPAA compliance is not a checklist-based activity. Compliance activities should be handled by someone with IT security and healthcare experience.

24×7: Do you ever run into political resistance when you identify certain security holes?

Hicks: [Laughing] Yeah, we do. The ideal scenario is that we don’t get hired by the IT department of an organization. While we can certainly add value to the IT organization, the results of our assessments are best received by someone outside of IT. Typically, this is legal, compliance, or risk management—someone that’s going to appreciate our independent assessment results and take action. If we’re telling IT what they’re doing wrong, they’re not going to want to hear that, especially if they have to push the report upstream. They think heads are going to roll, so they try to soften or eliminate a lot of the findings.

We have no reason to put things that are erroneous or misleading in a report. Especially if there are test results where we have proof or evidence, we would not change our opinion to satisfy the political environment there.

24×7: How do you suggest organizations deal with personal electronic devices coming into the healthcare setting?

Hicks: You’ve got to make a decision upfront: Do you embrace the technology, or do you prohibit it? If you welcome mobile devices into your environment, obviously you have a lot of work to do in how you safeguard data that could potentially flow to those. They could be personally owned or company-provided devices, but if they’re able to connect to your company network—which means you can get email to your devices, you can save a message to a personal USB device—all that has to be considered, and there are huge, huge risks there. It’s not that they can’t be secured, but you just have to acknowledge that you have a lot of work to do.

24×7: Is security easier if companies issue their own devices?

Hicks: If the company is providing a device, they own it, so they can mandate what’s required to be on it—you can require a PIN, the ability to remote wipe, you can turn the tracking feature on, you can encrypt the data. You have control over it. When an employee leaves, you can deactivate it or remote wipe it. We haven’t seen a lot of breaches related to personal devices yet, but it’s only a matter of time. If I bring my personal laptop in, and I’m connected to the network and pulling PHI down to it and I lose my laptop, the company has zero visibility into that.

24×7: Where should small organizations that are overwhelmed by these requirements start?

Hicks: They should start looking at the OCR’s website. They have some good YouTube videos, template business associate agreements (BAAs), a risk analysis tool. That’s a good starting point. There’s also the National Institute of Standards and Technology (NIST). NIST 800-66 is a guide for implementing the HIPAA Security Rule. There’s also a series called the HIPAA Security Series that the Department of Health and Human Services put out about 12 years ago that walks through all the requirements. It will tell you what each requirement is designed to do and how you should assess compliance. It’s a lot of reading.

The problem is that both the Privacy and Security Rules were written to be extremely vague. You’re not going to see requirements like “minimum password length of eight characters; expiration of 90 days.” There’s nothing that says you need to consider cloud environment, devices, offshoring of data. If you’re just going line by line through the requirements, you’re not going to think about mobile devices, copy machines that have hard drives in them, or cloud providers. If you look at it as a checklist, you will never be compliant. There’s way more you need to understand.

24×7: How much time should be set aside for this process?

Hicks: It depends. If we’re talking a physician’s practice, to come away with something meaningful, about 80 hours. A hospital could be hundreds of hours.

24×7: How is security in the healthcare sector different from the other areas Coalfire is involved in?

Hicks: There’s this conflict of being able to provide patient care in a timely manner without hindering security. We fight that fight a lot—what is the right amount of control over data that doesn’t prohibit a doctor from performing patient care? The common thing we hear is that doctors don’t want passwords on any system. They want to be able to administer patient care without having to enter an eight-character complex password. We commonly hear, “We don’t want to encrypt the data because that might make the data unrecoverable.” Because of the nature of the business, they’re more willing to accept risk.

I think healthcare in general has always been looser about security. It seems like they’re more tolerant of vulnerabilities and noncompliance. Patient care is a hospital’s core competency. They’ve been slower to migrate over to getting that right balance of patient care and security.

24×7: Are there any upcoming regulation changes we should be aware of?

Hicks: We’re seeing a transition to a new director for the OCR. Leon Rodriguez moved over to a new role, Susan McAndrew retired, and now Jocelyn Samuels is the new director. It’s going to be really interesting to see what she does now. We all know the HIPAA requirements are so broad and vague and outdated, really. We’re hoping to see something come out that trumps what we have today, a much more authoritative requirement. We’re seeing continued penalties and enforcement for noncompliance, but unless you tell someone what you want and you’re very specific about it, you’re not going to get the results you want.

I preach this all the time: Don’t strive for compliance, strive for security. Adopt a framework, and build that into your data security program. By doing that, you will automatically get very close to satisfying the compliance requirement. 24×7

Jenny Lower is associate editor of 24×7 magazine. Contact her at [email protected].