Sunday, November 2, 2008

ePHI at high risk

On October 27, the Office of the Inspector General (OIG) released their report on HIPAA Security and Electronic Protected Health Information (ePHI) compliance. The findings include:
  • Security audits in 7 hospitals nationwide show numerous, significant vulnerabilities in the administrative, technical and physical safeguard provisions of the HIPAA Security Rule.
  • These vulnerabilities place the confidentiality and integrity of ePHI at high risk.
  • As a result, CMS has executed a contract to conduct compliance reviews.
So the HIPAA security auditors are coming and the chances are that most healthcare organizations are not ready. What will these audits cover?

CMS's Office of E-Health Standards and Services has published the Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews. The audits will review policies, procedures and other evidence related to:
  • Prevention, detection, containment, and correction of security violations
  • Employee background checks and confidentiality agreements
  • Establishing user access for new and existing employees
  • List of authentication methods used to identify users authorized to access EPHI
  • List of individuals and contractors with access to EPHI, including copies of pertinent business associate agreements
  • List of software used to manage and control access to the Internet
  • Detecting, reporting, and responding to security incidents (if not in the security plan)
  • Physical security
  • Encryption and decryption of EPHI
  • Mechanisms to ensure integrity of data during transmission, including transmission via portable media (e.g. laptops, cell phones, BlackBerrys, thumb drives)
  • Monitoring system use, authorized and unauthorized
  • Use of wireless networks
  • Granting, approving, and monitoring systems access (for example, by level, role, and job function)
  • Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
  • Termination of systems access
  • Session termination policies and procedures for inactive computer systems
  • Policies and procedures for emergency access to electronic information systems
  • Password management policies and procedures
  • Secure workstation use (documentation of specific guidelines for each class of workstation, e.g. on-site, laptop, and home system usage)
  • Disposal of media and devices containing EPHI
The auditors will also be looking for documents related to:
  • Entity-wide Security Plan
  • Risk Analysis (most recent)
  • Risk Management Plan (addressing risks identified in the Risk Analysis)
  • Security violation monitoring reports
  • Vulnerability scanning plans and results from the most recent vulnerability scan
  • Network penetration testing policy and procedure, and results from the most recent network penetration test
  • List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
  • Configuration standards to include patch management for systems which store, transmit, or access EPHI (including workstations)
  • Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
  • Organization chart identifying the staff members responsible for general HIPAA compliance, including the protection of EPHI
  • Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
  • Policies and procedures governing the use of virus protection software
  • Data backup procedures
  • Disaster recovery plan
  • Disaster recovery test plans and results
  • Analysis of information systems, applications, and data groups according to their criticality and sensitivity
  • Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
  • List of all Primary Domain Controllers (PDC) and servers
  • Inventory log recording the owner and movement of media and devices that contain EPHI

1 comment:

Pat King said...

We should expect to see a lot of emphasis on security of ePHI next year. In addition to the OIG report on HHS's compliance efforts, OIG included 7 items in their 2009 work plan related to Medicare and Medicaid information systems and data security. In addition to review of CMS's enforcement of the HIPAA Security Rule, OIG plans to "review security controls implemented by Medicare and Medicaid contractors as well as hospitals to prevent the loss of protected health information stored on portable devices and media, such as laptops, jump drives, backup tapes, and equipment considered for disposal."

HIPAA covered entities should also review their Security Rule compliance in light of new guidance issued by the National Institute of Standards & Technology Computer Security Division. This month, the NIST issued a revision to their Introductory Resource Guide for Implementing the HIPAA Security Rule (NIST Special Publication 800-66, Revision 1) and a final guide to cell phone and PDA security (NIST Special Publication 800-124).

Finally, there continues to be anxiety on the part of the public about sharing of ePHI, when privacy and security protections may not be adequate. In order to move legislation encouraging/mandating more electronic records and transfer, additional privacy/security requirements may have to be added.