High-profile data breaches have lately affected consumer and financial entities from Target and Home Depot to JPMorgan Chase, but they haven't occurred at quite the same level for healthcare organizations—yet. Coalfire, an independent IT audit firm with offices throughout the United States, specializes in HIPAA compliance and data security for its healthcare clients. We spoke with Andrew Hicks, practice director for Coalfire's healthcare division, who says that when it comes to HIPAA compliance, a checklist mentality only takes facilities partway. He offered some advice on spotting security blind spots, the differences between a gap assessment and a risk analysis, and how small organizations can get started locking down their sensitive data.
24×7: How did you get involved with IT compliance?
Hicks: I've been doing this almost 15 years now. I kind of stumbled into IT security and compliance when I came out of college. I knew I wanted to do something in information technology; I just didn't know what. I've done IT audit, and that rolled over into more of an IT security-focused role, and that got defined into healthcare. Coalfire is IT security compliance. They're all very much interrelated.
24×7: What is Coalfire's emphasis?
Hicks: Coalfire has been around for about 13 years. We started with doing PCI compliance—that's compliance for the processing of credit card numbers and how those numbers are secured. From there we merged into healthcare, which is the area where I'm the practice director. I'm responsible for making sure that our offices are all standardized regarding our methodology and that we all achieve a holistic, comprehensive assessment that ties back to what the industry requirements are at any given point. The biggest differentiator between us and other companies is that we don't sell anything outside of services. We come in and do advisory and consulting, but we'll never sell a company anything over and above advice. We would never come in and say, "You need to implement a data loss prevention solution—and by the way, we can sell you that."
24×7: What exactly do the HIPAA compliance requirements stipulate?
Hicks: This goes back to 1996, when the original Health Insurance Portability and Accountability Act came out. There were two parts—the Privacy Rule in 1996 and the Security Rule in 2003. We don't do a whole lot of Privacy Rule assessments. We're more on the security side, which tends to be more electronic and technology-based. Since then, we've seen HITECH (the Health Information Technology for Economic and Clinical Health Act). That was in 2009. It broadened the scope of how we do our assessments. The Omnibus Rule came out in 2013. It's those three major regulations that we are trying to conform our regulations to. So when a company says, "We want to be HIPAA-compliant," that means the Security Rule, Privacy Rule, HITECH, Omnibus—all of those different things.
24×7: For the Security Rule, what is required of organizations from a compliance standpoint?
Hicks: At a high level, there are required administrative safeguards. Those would be policies and procedures, business process controls. There are physical safeguards, making sure that only authorized people have access into facilities that contain patient information—so things like keycards and badges. There are technical safeguards. Those are things like integrity controls, audit controls, logging and monitoring, encryption.
On top of that, there are organizational requirements around making sure that you have business associate agreements in place with your downstream vendors, if you have those relationships. A business associate agreement is a contract with the vendor that says, "As the business associate, I agree that I am HIPAA-compliant and I meet all the requirements."
In today's environment, we try to have our covered entities customize those agreements so they include right-to-audit clauses, so they can go in periodically and make sure the downstream vendor is actually satisfying their obligation to be compliant. Some facilities think that if they hire a third party through their data center, that gets them off the hook for compliance and they're more or less outsourcing risk. In some ways that is true, but you've got to do your due diligence on your own side to make sure they really are protecting it.
The last one is documentation requirements—policies and procedures for how long you retain your policies and how you make your policies available.
24×7: Does purchasing an EMR automatically make a hospital HIPAA-compliant?
Hicks: Epic, Cerner, McKesson—all these companies that develop these EMR/EHR technologies—are adapting to what IT security means and implementing the right controls into their software. We're seeing that, and that's good.
But because a hospital goes out and buys one of these EMR applications, that doesn't mean that they are automatically compliant by any stretch of the imagination. Sure, they can leverage what controls are in place in the technology, but part of what they're on the hook for is understanding where all their electronic protected health information is throughout the entire company.
So it's not just the EMR system, because those systems could have integrations to other systems, other databases, and applications. They may push data out of the corporate network. You have to understand the business process and how they interact with data. It's way more holistic than just a piece of software.
24×7: Do you have any sense of how many companies understand that?
Hicks: Most of those companies tend to be on the business associate side. These are smaller companies that have been pulled into HIPAA just because of the kind of data they have, like billing companies or cloud service providers. They're not set up to be HIPAA-compliant; they're just getting dragged into it by their covered entities. They don't know what the regulations are.
24×7: Are there any other common misperceptions?
Hicks: That HIPAA is once and done. A lot of companies think that once they've written their policies or done a HIPAA gap assessment, they're done. Same with the compliance assessment. We constantly tell our customers, "Do assessments on an annual basis. That way you're covered, you know the vulnerabilities to your environment." OCR (the Office for Civil Rights) doesn't actually require an annual assessment, but just knowing the speed of the industry, an annual assessment is certainly a worthwhile activity.
The other time for an assessment is with any big changes to the environment. Companies that go through the merger and acquisition process, for example, should do one at that point. You're integrating systems and integrating people, and there could be major vulnerabilities that slip through the cracks that wouldn't go noticed until you do your annual assessment later in the year.
When we do our assessments, we're primarily focused on the IT group, but we also include control owners from HR, legal, and the various business functions that utilize ePHI. IT will say, "We have these five IT applications and these 10 databases." But when we actually go on-site and start talking with the business, the business knows a lot of information IT doesn't know. They may say, "Just so you know, we get direct feeds from our production SQL database that we pull over into our Access database." So now IT has no visibility into that. IT doesn't know everything about the flows of data. It's really important to keep others integrated into that process as well.
24×7: What about security blind spots?
Hicks: Besides the repeatability of constantly measuring the compliance program, and besides the overall footprint—the environmental characterization of data—there's a lot of confusion between what a risk assessment is versus a gap assessment or a compliance assessment. A risk analysis is the number one requirement, and we constantly see companies that do it wrong, don't do it, or have no idea what they're doing. There could be vulnerabilities that they're flat out missing because they have a poor process for risk analysis, or in the case of an OCR audit, OCR would come in and say, "You fail."
24×7: So what are the differences?
Hicks: When we're talking compliance, there's a gap assessment. For each HIPAA requirement, I want to know exactly what controls you have in place to counteract those requirements. One may be encryption of data at rest. How are you encrypting that data? If you're not encrypting data, that becomes a gap and we need to talk about that. A gap assessment is more aligned with the design of a control. The second phase is a compliance assessment, which is understanding the operating effectiveness of a control. You're telling me a control is in place, but now you're actually proving to me that there are no anomalies, that the control is functioning as intended.
The risk assessment or analysis is designed to understand risks and vulnerabilities. What are the motivating factors that could exploit my data? Threats could be hurricanes or hackers. Vulnerabilities could be the source that those threat agents utilize to breach data. Vulnerabilities could be unlocked doors or poor user access processes. Along the way, you evaluate the likelihood of that scenario taking place, and if that scenario did take place, what is the impact to your data or your organization?
The next thing you consider is the control that's in place to mitigate that threat source from using that vulnerability to breach data. Once you consider all that, then the outcome is the residual risk. Now that I've considered the threat, the vulnerability, and the control, there's probably a low likelihood of that scenario happening.
There's no requirement for how you become HIPAA compliant. Rather, you must be able to prove that you've performed a risk analysis and how you are satisfying the HIPAA requirements. To satisfy the OCR and to remove any guesswork, these activities are best handled by a third-party assessor.
24×7: What are the advantages and disadvantages for healthcare organizations of hiring a third party such as Coalfire to complete their risk assessment?
Hicks: If you're doing it internally, the advantages are that it's cheaper. You have better control over your schedule. You have the internal knowledge of your systems, so you wouldn't have to explain yourself to a third party. There are some tools out there that can help companies go through it. They're generally aligned with small and medium-size businesses.
Externally, there are a ton of advantages—the biggest being that you have an independent opinion that comes from a person that knows the healthcare industry and knows IT security. They've been doing this for anywhere from 2 to 15 years. It's going to be a better outcome. It's going to conform to a certain time frame. There won't be time creep unless the scope changes. It's a comprehensive assessment. If there's ever a breach and OCR investigated, having a third party look at your overall compliance is going to have a lot more weight than doing it internally.
The problem we see with doing it internally is that companies miss things because they don't have that subject matter expert. If you look at a doctor's office, for example, it's generally going to be subbed out to the office manager or somebody who is going to be reading questions and trying to figure out an appropriate answer. Some things may not get addressed as they should be. HIPAA compliance is not a checklist-based activity. Compliance activities should be handled by someone with IT security and healthcare experience.
24×7: Do you ever run into political resistance when you identify certain security holes?
Hicks: [Laughing] Yeah, we do. The ideal scenario is that we don't get hired by the IT department of an organization. While we can certainly add value to the IT organization, the results of our assessments are best received by someone outside of IT. Typically, this is legal, compliance, or risk management—someone that's going to appreciate our independent assessment results and take action. If we're telling IT what they're doing wrong, they're not going to want to hear that, especially if they have to push the report upstream. They think heads are going to roll, so they try to soften or eliminate a lot of the findings.
We have no reason to put things that are erroneous or misleading in a report. Especially if there are test results where we have proof or evidence, we would not change our opinion to satisfy the political environment there.
24×7: How do you suggest organizations deal with personal electronic devices coming into the healthcare setting?
Hicks: You've got to make a decision upfront: Do you embrace the technology, or do you prohibit it? If you welcome mobile devices into your environment, obviously you have a lot of work to do in how you safeguard data that could potentially flow to those. They could be personally owned or company-provided devices, but if they're able to connect to your company network—which means you can get email to your devices, you can save a message to a personal USB device—all that has to be considered, and there are huge, huge risks there. It's not that they can't be secured, but you just have to acknowledge that you have a lot of work to do.
24×7: Is security easier if companies issue their own devices?
Hicks: If the company is providing a device, they own it, so they can mandate what's required to be on it—you can require a PIN, the ability to remote wipe, you can turn the tracking feature on, you can encrypt the data. You have control over it. When an employee leaves, you can deactivate it or remote wipe it. We haven't seen a lot of breaches related to personal devices yet, but it's only a matter of time. If I bring my personal laptop in, and I'm connected to the network and pulling PHI down to it and I lose my laptop, the company has zero visibility into that.
24×7: Where should small organizations that are overwhelmed by these requirements start?
Hicks: They should start looking at the OCR's website. They have some good YouTube videos, template business associate agreements (BAAs), a risk analysis tool. That's a good starting point. There's also the National Institute of Standards and Technology (NIST). NIST 800-66 is a guide for implementing the HIPAA Security Rule. There's also a series called the HIPAA Security Series that the Department of Health and Human Services put out about 12 years ago that walks through all the requirements. It will tell you what each requirement is designed to do and how you should assess compliance. It's a lot of reading.
The problem is that both the Privacy and Security Rules were written to be extremely vague. You're not going to see requirements like "minimum password length of eight characters; expiration of 90 days." There's nothing that says you need to consider cloud environment, devices, offshoring of data. If you're just going line by line through the requirements, you're not going to think about mobile devices, copy machines that have hard drives in them, or cloud providers. If you look at it as a checklist, you will never be compliant. There's way more you need to understand.
24×7: How much time should be set aside for this process?
Hicks: It depends. If we're talking a physician's practice, to come away with something meaningful, about 80 hours. A hospital could be hundreds of hours.
24×7: How is security in the healthcare sector different from the other areas Coalfire is involved in?
Hicks: There's this conflict of being able to provide patient care in a timely manner without hindering security. We fight that fight a lot—what is the right amount of control over data that doesn't prohibit a doctor from performing patient care? The common thing we hear is that doctors don't want passwords on any system. They want to be able to administer patient care without having to enter an eight-character complex password. We commonly hear, "We don't want to encrypt the data because that might make the data unrecoverable." Because of the nature of the business, they're more willing to accept risk.
I think healthcare in general has always been looser about security. It seems like they're more tolerant of vulnerabilities and noncompliance. Patient care is a hospital's core competency. They've been slower to migrate over to getting that right balance of patient care and security.
24×7: Are there any upcoming regulation changes we should be aware of?
Hicks: We're seeing a transition to a new director for the OCR. Leon Rodriguez moved over to a new role, Susan McAndrew retired, and now Jocelyn Samuels is the new director. It's going to be really interesting to see what she does now. We all know the HIPAA requirements are so broad and vague and outdated, really. We're hoping to see something come out that trumps what we have today, a much more authoritative requirement. We're seeing continued penalties and enforcement for noncompliance, but unless you tell someone what you want and you're very specific about it, you're not going to get the results you want.
I preach this all the time: Don't strive for compliance, strive for security. Adopt a framework, and build that into your data security program. By doing that, you will automatically get very close to satisfying the compliance requirement.
Jenny Lower is associate editor of 24×7 magazine. Contact her at [email protected].