OCR Officials Frustrated by Breaches Involving Lost, Stolen Devices
Originally posted by Marianne Kolbasuk McGee (HealthInfoSec) • September 8, 2015
If there’s one thing federal regulators want to drill into the heads of covered entities and business associates about data breach prevention, it’s this: Stop procrastinating, and conduct a risk analysis and encrypt most of your computing devices right away.
Officials at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, repeatedly emphasized that message at last week’s HIPAA security conference, which OCR co-sponsored with the National Institute of Standards and Technology.
Anything that can “walk” away – including laptop computers, storage devices, desktop PCs as well as servers that aren’t nailed to the floor – should be encrypted, even though encryption isn’t explicitly mandated by the HIPAA Security Rule, which defines it as an “addressable” issue, OCR officials said.
“Addressable doesn’t mean optional,” even for the smallest of healthcare providers and business associates, Deven McGraw, OCR deputy director of information privacy, told the audience. “We expect you to address encrypting data at rest and in transmission – and if you don’t, you must implement an alternative option in its place,” as well as document the reasoning, she reminded attendees.
Aside from encryption, there really aren’t any other great options to secure electronic protected health information on devices that can be lost or stolen, emphasized Iliana Peters, senior adviser for compliance and enforcement at OCR. “If it can walk away, it will get lost or stolen at some point,” she said. Lost and stolen unencrypted computing devices have been involved in 57 percent of the 1,310 major breaches reported to OCR from September 2009 to Aug. 28, 2015, she said.
OCR officials are clearly annoyed that breaches involving unencrypted devices keep happening, year after year. In fact, the latest enforcement action taken by the office last week was a $750,000 settlement with a small cancer care practice that – drum roll please – had an unencrypted laptop and storage device stolen from an employee’s car in 2012 (see New HIPAA Compliance Audit Details Revealed).
The bigger problem with breaches involving lost and stolen unencrypted devices is that they are often a tip-off for OCR that an organization has other, more serious HIPAA compliance issues – particularly the failure to conduct a risk analysis that’s followed up by actually mitigating identified risks, McGraw said.
“The linchpin is risk assessment,” she said. During the Cancer Care Corp. breach investigation, OCR found that the practice hadn’t conducted a risk assessment prior to the 2012 theft incident. That’s a common issue not only uncovered in OCR breach investigations, but also in the findings of OCR’s random HIPAA audit pilot program in 2011 and 2012.
The agency will resume its HIPAA compliance audits in 2016, and documentation of a risk analysis – and of risk mitigation – is among the measures it will be scrutinizing at covered entities and at business associates, which will also be part of the scrutiny this time around (see: Exclusive: OCR’s McGraw on Timing of HIPAA Audits).
Although breaches involving unencrypted devices are a persistent problem, hacker attacks affecting many millions of individuals have been grabbing headlines in recent months.
OCR is continuing its investigations of the recent mega-breaches, including those experienced by Anthem Inc., Premera Blue Cross and UCLA Health, noted OCR Director Jocelyn Samuels.
“All of us need to be vigilant in protecting information,” Samuels said, stressing the need to ensure strong controls are in place. Key steps, she said, include: monitoring whether authorized users are adhering to an organization’s rules and policies about data access; monitoring what’s happening with large packets of information moving across firewalls; updating virus protection and patching out-of-date software.
As for other kinds of breaches, OCR officials admitted that incidents involving unsecured email and text communications are likely being underreported.
However, while communication among covered entities – as well as communication with BAs – involving patient ePHI should be secured through encryption or another means, patients can insist on having unsecured communication with their healthcare providers. “Patients may request unencrypted communication,” McGraw noted, as long as they’re made aware of the risks.
Other important issues that covered entities and business associates need to consider, Peters said, include:
- Retraining staff about phishing emails in light of recent hacker attacks;
- Having a back-up plan in case your organization becomes a victim of a ransomware attack or suffers another disaster;
- Thoroughly assessing and managing risks if your organization permits BYOD;
- Re-evaluating which users in your organization actually need elevated data access privileges. “The more people who have elevated privileges, the more risk,” Peters noted.
While OCR officials say it’s only a matter of time before your organization discovers that it has had some sort of breach, it’s clear that when the HIPAA enforcers investigate the incident, they’ll want you to explain the security measures you had in place to minimize risks.