HIPAA Part 2: Diving Deep into the Security Rule

In our first HIPAA article, we offered a little history on the Health Insurance Portability and Accountability Act and a general overview of how the Privacy and Security Rules evolved from it. In this post, we’re going deep into the murky depths of the Security Rule from a business standpoint.

HIPAA’s Security Rule may seem daunting at first, especially if you’re not an IT expert, but you don’t need a degree in computer science to understand the standards it establishes. At its core, the HIPAA Security Rule is about knowing what data you have, assessing the people and technology handling it, and finding where problems could arise. Survey, assess, plan, implement, and—most importantly—repeat. This is an easy way to think about and manage the requirements laid out in the Security Rule.

What Is the Security Rule?

The Security Rule sets the standards that entities creating, using, or transmitting electronic protected health information (ePHI) must implement in order to “ensure the confidentiality, integrity, and availability of ePHI . . . protect against any reasonably anticipated threats and hazards . . . [and] protect against reasonably anticipated uses or disclosures of such information not permitted by the Privacy Rule” (NIST). If you can imagine it happening to you, then you have to protect against it.

Confidentiality, Integrity, and Availability

The Security Rule uses this phrase throughout. It’s a key tenet of its purpose, but what exactly does it mean for ePHI?

  • Confidentiality: Don’t let anyone see ePHI unless they have proper permission to access it, as described in the Privacy Rule.
  • Integrity: Ensure that ePHI created, maintained, or transmitted isn’t altered or destroyed in an unauthorized manner.
  • Availability: Ensure that those with permission can access ePHI when they need it.

A quick way to think of these is “Don’t Show. Don’t Change. Can Use.” Keep these goals in mind when implementing the standards set forth in the Security Rule.

Understanding the Security Standards

The Security Rule consists of 18 security standards divided into three sections: Administrative Safeguards (9 standards), Physical Safeguards (4), and Technical Safeguards (5). Many of those standards contain implementation specifications (36 in total), which give more detailed instructions on what must happen to satisfy the standard. The Security Rule designates each implementation specification as either required or addressable.

Important! Do not confuse addressable with optional. Every implementation specification must be handled, but those marked addressable may not suit every business that manages ePHI. Each business must assess its own situation to determine whether an addressable implementation specification is reasonable and appropriate, and then choose one of three paths:

  • The specification is reasonable and appropriate: implement it.
  • The specification is not reasonable or appropriate, but an equivalent alternative measure is: implement the alternative.
  • Neither the specification nor any alternative is reasonable and appropriate: do not implement it, provided the underlying standard can still be met.

In every case, the assessment and the justification for not implementing a specification as written must be fully documented.

Reasonable and Appropriate

This is another phrase that appears throughout the Security Rule. Since the Security Rule affects a wide variety of businesses, it was designed with flexibility of approach in mind. Many of its standards and implementation specifications explain what needs to be done but not how to do it. The how is left up to the individual business to determine based on its use of ePHI and its environment.

The security standards general rule §164.306(b)(2) explains that when “deciding which security measures to use, a covered entity must take into account the following factors:

  1. The size, complexity, and capabilities of the covered entity.
  2. The covered entity’s technical infrastructure, hardware, and software security capabilities.
  3. The costs of security measures.
  4. The probability and criticality of potential risks to electronic protected health information.”

Flexibility, scalability, and technology neutrality are key features of the Security Rule that allow businesses of any size or function to use the same standards and adjust as technology evolves. It’s important to note that cost alone is not enough of a justification to skip a security standard or an addressable specification. All four factors need to be weighed together when dealing with addressable specifications.

Security Standards

Before diving into the nitty-gritty of each security standard and the implementation specifications, evaluate what your business already has in place. Some of the requirements may be satisfied by the current security infrastructure. Read all the security standards once to get a feel for what you need to be assessing, then take the time to determine what measures, policies, and hardware already protect your ePHI. Knowing where you stand can save you time and stress while working toward HIPAA compliance.

Below we’ll address each section in a high-level overview and mention some of the important standards you should be aware of. This won’t be a step-by-step breakdown of all the standards and implementation specifications. For that, the Department of Health and Human Services (HHS) produced the HIPAA Security Series papers, which are extremely helpful, as is National Institute of Standards and Technology’s (NIST) An Introductory Resource Guide for Implementing the HIPAA Security Rule.

Administrative Safeguards

Administrative Safeguards account for half of the Security Rule’s standards (9 of 18) and the majority of its implementation specifications; however, this is also where many of your current systems might already satisfy the requirements with little or no alteration.

The standards and implementations categorized under Administrative Safeguards involve the process of planning, selecting, and managing a business’s protection of ePHI. This includes, but is not limited to, emergency preparedness plans, policies and procedures, contracts, and employee management and training.

This category is all about knowing what you have, planning for the future, and making sure everyone in the company knows how to uphold the confidentiality, integrity, and availability of ePHI. It’s not enough to simply implement these systems, though. Everything must be documented, accessible to all who need it, and tested and reviewed periodically.

Important Standards to Note

Security Management Process §164.308(a)(1): This is the very first standard, and for good reason. Its implementation specifications require a risk analysis and continuous risk management. The information gathered in these steps will help with many of the other standards. The risk analysis can highlight deficiencies in your security that might otherwise surface only when a malicious actor finds and exploits them.

There is no single correct way to perform a risk analysis because all businesses have differing needs. If you are looking for where to start, there are many useful guides outlining the risk assessment process. HHS’s HIPAA Security Series includes Basics of Risk Analysis and Risk Management, and Appendix E of NIST’s Introductory Resource Guide provides risk assessment guidelines. For a more comprehensive look at risk assessments, NIST also produced a Guide for Conducting Risk Assessments (SP 800-30).

Workforce Security §164.308(a)(3) & Security Awareness and Training §164.308(a)(5): These two standards have seven addressable implementation specifications between them. They deal with verifying that employees have the correct access to ePHI according to the duties they perform, and that they are informed on how to protect themselves and ePHI from cybersecurity threats. They also cover how management grants access to new employees and removes or adjusts access as job duties change or when an employee leaves the company. Both management and employees are responsible for protecting ePHI, but they must be given the knowledge, tools, and policies to do so.

Contingency Plan §164.308(a)(7): This standard includes the creation or revision of several emergency preparedness plans, including a Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan (all required), plus testing and revision procedures and an applications and data criticality analysis (both addressable). Besides preparing management and employees for what to do, who needs to do it, and where resources are in an emergency, this standard also helps identify which hardware and software are critical to the confidentiality, integrity, and availability of ePHI. That allows better prioritization and distribution of limited resources, which is especially important in facilities that provide direct patient care.

Physical Safeguards

Physical Safeguards deal with the facility, hardware, and other physical mechanisms necessary to protect ePHI, as well as the policies and procedures that regulate them. These range from door locks and facility security during a disaster to employees logging off before leaving a workstation. If a person could walk into your office and access ePHI, the Physical Safeguards govern how to plan your security measures according to your needs.

Important Standards to Note

Device and Media Controls §164.310(d)(1): Given how easily data moves in the daily functions of modern business, any portable device or removable media containing ePHI must be strictly inventoried, tracked, and disposed of when no longer needed. A single lost, unencrypted USB drive containing ePHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the data was compromised; encrypting portable media in line with HHS guidance is the practical way to avoid that outcome. This standard applies to laptops, flash drives, CDs/DVDs, external hard drives, and portable backups. It also covers re-use of these devices within the office, which first requires that all ePHI on them be properly removed or destroyed.

Technical Safeguards

Technical Safeguards deal with the technology used to create, access, transmit, and protect ePHI, as well as the policies and procedures that govern it. The Security Rule remains intentionally vague on the specific technology used to fulfill these standards to allow for advances in technology and changing security needs against new cybersecurity threats. This flexibility is also what allows a variety of businesses to handle ePHI and still comply with HIPAA’s Security Rule.

Technical Safeguards address aspects such as user access, hardware and software use, transmitting ePHI digitally, and encryption for various purposes. The Risk Analysis and Risk Management specifications from the Administrative Safeguards are especially useful in determining the technological needs and the policies to enforce.

Important Standards to Note

Integrity §164.312(c)(1): This standard refers directly back to the key phrase confidentiality, integrity, and availability discussed earlier. It’s not enough to protect ePHI from being accessed or transmitted improperly; ePHI must also be protected from improper alteration or destruction. Its single implementation specification, Mechanism to Authenticate ePHI, is addressable and asks for a way to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, such as a checksum or keyed message authentication code verified whenever the data is read. Wrong or incomplete information can have drastic effects on patient lives and care, so the ability to authenticate the validity of ePHI is a vital part of its security.
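The following example is added for this article and is not code from the original post or from any EHR product; it shows one way to implement a mechanism to authenticate ePHI. It assumes a hypothetical integrity key (INTEGRITY_KEY) and a constructed, fictional patient record, and contrasts an unkeyed checksum, which an attacker with write access can simply recompute, with a keyed HMAC tag that cannot be recomputed without the key:

```python
import hashlib
import hmac
import json

# Constructed sample record for a fictional patient. It stands in for an ePHI row
# read from an EHR database or a file at rest.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "version": 7,  # sealed with the data so a stale copy cannot be replayed
    "allergies": ["penicillin"],
    "medications": [{"drug": "metformin", "dose_mg": 500}],
}

# Hypothetical integrity key. A real deployment fetches this from a KMS or HSM,
# keeps it separate from any encryption key, and never hard-codes it.
INTEGRITY_KEY = bytes.fromhex("9f" * 32)


def canonicalize(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so the same content
    always yields the same bytes regardless of key order or pretty-printing."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def weak_seal(record: dict) -> str:
    """Unkeyed SHA-256 checksum: catches accidental corruption only, because anyone
    who can edit the record can also recompute the checksum."""
    return hashlib.sha256(canonicalize(record)).hexdigest()


def verify_checksum(record: dict, checksum: str) -> bool:
    """Verifier for the unkeyed scheme, shown only to demonstrate its weakness."""
    return hmac.compare_digest(weak_seal(record), checksum)


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag (HMAC-SHA256): cannot be recomputed without the key, so it also
    catches deliberate tampering."""
    return hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time. False means the record
    (or its stored tag) was altered since sealing."""
    return hmac.compare_digest(seal_record(record, key), tag)


def demo() -> dict:
    """Alter a sealed record the way an insider with database access might, and
    report which integrity mechanism notices."""
    stored_tag = seal_record(SAMPLE_RECORD)

    # The attacker changes a dose and, knowing the scheme, overwrites the stored
    # unkeyed checksum with one computed over the altered record.
    tampered = json.loads(json.dumps(SAMPLE_RECORD))
    tampered["medications"][0]["dose_mg"] = 5000
    attacker_checksum = weak_seal(tampered)

    # Without INTEGRITY_KEY the best the attacker can do is guess a key.
    forged_tag = hmac.new(b"guess", canonicalize(tampered), hashlib.sha256).hexdigest()

    return {
        "intact_verifies": verify_record(SAMPLE_RECORD, stored_tag),
        "checksum_fooled": verify_checksum(tampered, attacker_checksum),  # reports OK
        "tamper_caught_by_hmac": not verify_record(tampered, stored_tag),
        "forged_tag_rejected": not verify_record(tampered, forged_tag),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Store the tag alongside the record and verify it on every read and before any transmission; sealing a version number or timestamp with the data keeps an attacker from swapping in an older record whose tag is still valid. Log verification failures so they feed the Information System Activity Review and incident response procedures. This protects data at rest; integrity in transit falls under Transmission Security §164.312(e)(1) and is normally met with TLS.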

Monitor and Update

A vital part of the Security Rule is not only assessing and creating policies but implementing them so all employees are aware of and follow the rules. Systems should be in place to verify that employees receive the necessary training in ePHI security procedures and understand the consequences of not following policy. Policies should be reassessed and employees re-trained periodically so outdated procedures can be rewritten for the current threat environment. Cyber threats are ever evolving, and so should ePHI protections.

While the Security Rule may feel a bit daunting, many of its requirements are best practices for any business. Knowing exactly what data you handle, how it’s processed, and who needs access to it provides you with an informed view of your business’s operations. Having a written and tested Disaster Recovery Policy, Contingency Policy, and Continuity of Operations Plan will save you time, money, and stress should an emergency occur.

If you have any HIPAA related questions or need help implementing the Security Rule’s technical standards, contact Anderson Technologies at 314.394.3001 or info@andersontech.com.

The Andersons

Happy Thanksgiving 2018

Thank you for another productive year. We are grateful for our work family, wonderful clients, and business associates. Your trust and support over the years has encouraged us to always strive for excellence.

In 2016, our family spent Thanksgiving in Plymouth, Massachusetts and was reminded of the difficulties our ancestors experienced in pursuit of religious freedom. We are so appreciative of their example and feel blessed to live in our great country of opportunity.

Have a wonderful Thanksgiving!

With much gratitude,

Mark, Amy and the Anderson Technologies Team

Infected? A New Phishing Attempt for 2018

Even managed service providers receive scam emails and phone calls.

These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.

But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and if they have malicious intent?

As with any learning process, practice is important. You may want to start with our phishing quiz to see how far your gut instinct gets you and to learn some important clues.

Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may have some accurate personal information—like your name, or the fact that you have a Yahoo! email or an AT&T phone account—and uses it to see if you’ll take the bait.

It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.

The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.

Because these phishes do have some truth mixed in, many people do fall victim.

False Blackmail

It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.

About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing a plaintext old password—probably acquired from Yahoo’s 2013 data breach.

The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.

Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”

So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:

  • The email appeared to come from Anderson’s old account, but the From address is trivial to forge: SMTP does not verify it by itself, and a spoofed sender will usually fail the SPF, DKIM, and DMARC checks a receiving mail server performs.
  • The password listed was not the current (or even a recent) password for that account.
  • Broken English isn’t always a giveaway, but combined with the generic threat it read like a form letter.
  • Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and breakdown can be read online.
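The spoofing clue above can be checked mechanically. The following example is added here and is not code from the original article; it reads the Authentication-Results header that a receiving mail server stamps on inbound mail (RFC 8601) and reports whether the visible From address was actually authenticated by SPF or DKIM and whether DMARC failed. The two messages, the domains, and the trusted gateway name mx.victim.example are all constructed for illustration:

```python
import email
import re
from email.utils import parseaddr

# Constructed messages. The domains are fictional and the Authentication-Results
# header is the one our own receiving server (authserv-id "mx.victim.example")
# would add after checking SPF, DKIM and DMARC. Nothing here is from a real mailbox.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@scammer-relay.example>
Authentication-Results: mx.victim.example; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=scammer-relay.example; dkim=none; dmarc=fail header.from=victim.example
Received: from mail.scammer-relay.example (203.0.113.7) by mx.victim.example
From: "Mark" <mark@victim.example>
To: <mark@victim.example>
Subject: Your account was hacked

As you could probably have guessed, your account was hacked...
"""

LEGIT_MESSAGE = """\
Return-Path: <mark@victim.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=victim.example; dkim=pass header.d=victim.example header.s=sel1; dmarc=pass header.from=victim.example
From: "Mark" <mark@victim.example>
To: <amy@victim.example>
Subject: Meeting notes

See attached.
"""

TRUSTED_AUTHSERV_ID = "mx.victim.example"  # assumption: the gateway we control


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into
    {"authserv_id": ..., "spf": {"result": ..., "smtp.mailfrom": ...}, ...}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {"authserv_id": parts[0].split()[0].lower() if parts else ""}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)  # method=result, e.g. spf=fail
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        # property=value pairs such as smtp.mailfrom=example.org or header.d=example.org
        for prop, val in re.findall(r"(\w+\.\w+)=([^\s;]+)", part):
            entry[prop] = val.lower()
        results[m.group(1).lower()] = entry
    return results


def address_domain(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ("" if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains using the public suffix list."""
    return bool(auth_domain) and (auth_domain == from_domain
                                  or auth_domain.endswith("." + from_domain)
                                  or from_domain.endswith("." + auth_domain))


def assess(raw: str) -> dict:
    """Decide whether the visible From address was actually authenticated."""
    msg = email.message_from_string(raw)
    from_domain = address_domain(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    # A header stamped by anyone other than our own gateway could be attacker-supplied.
    if auth["authserv_id"] != TRUSTED_AUTHSERV_ID:
        auth = {"authserv_id": auth["authserv_id"]}
        findings.append("Authentication-Results not from our gateway; ignoring it")

    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)

    if not (spf_ok or dkim_ok):
        findings.append(f"From domain {from_domain} has no aligned SPF or DKIM pass")
    if dmarc.get("result") == "fail":
        findings.append(f"DMARC failed for {from_domain}")
    return_path_domain = address_domain(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain")

    return {"from_domain": from_domain, "authenticated": spf_ok or dkim_ok, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess(raw))
```

Only an Authentication-Results header added by your own gateway is trustworthy, which is why the code discards any header carrying a different authserv-id; inbound mail gateways should likewise strip pre-existing copies before stamping their own. A pass only means the message really came from the named domain, so a hijacked or look-alike account still passes; read the findings together with the content-based clues listed above.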

If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmail, ransom, or other demand for money. Instead, change any password the scammer quoted everywhere you still use it (the password is the one real thing they have, and it came from a breach, not from your device), run anti-virus and anti-malware scans on affected devices, and enable multi-factor authentication on your accounts to bolster your security profile.

Are you looking for an IT expert to help guard your small business from scams like this? Contact Anderson Technologies by phone (314.394.3001) or email (info@andersontech.com) today.