Healthcare Information Security in 2013: Audits, Final Omnibus Rule Legislation, and More Breaches

By Tim West ·

This year will be a major milestone for information security in the healthcare industry. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) Audit Pilot Program concluded in 2012, and the full program is tentatively expected to be unveiled around October 1, 2013 (the start of the 2014 fiscal year for OCR). At that time, organizations will be selected for audits against the new HIPAA and HITECH Act standards. This audit program provides a new accountability mechanism that has resulted in heightened activity from industry and regulators. There is a lack of officially published material regarding the program’s details including the scope, sample size and funding for its continuation into 2013. However, OCR director Leon Rodriquez has affirmed that the audits will continue to be financed via the OCR’s fining authority.

Heavy fines continue to drive the narrative and are one of the primary reasons security officers and information technology leaders with whom we speak are taking note. OCR has levied more than $1 million in fines across multiple high-profile organizations and made quite a splash with its aggressive posture to date. Yet, the OCR is not just imposing large fines for large enterprises. There was a recent fine levied for a breach covering less than 500 impacted individuals. This was a first for OCR and a surprise to many small and mid-size organizations who believed they would be hidden from the limelight in comparison with larger enterprises.

In order to prepare for an OCR audit, a comprehensive proactive stance must be adopted to address the regulation. Here are six key points that are essential for being prepared:

1. Lack of risk assessments have been the number one consistently touted gap by OCR for organizations in addressing the regulations. Whether performed internally or by a third party, ensure you have a documented and transparent methodology to take into consideration the relevant risks to your organization. The assessment should be aligned with HIPAA/HITECH controls but go beyond those mandatory minimum controls by delving into relevant risk factors to your organization. This key difference between risk assessments and compliance gap assessments cannot be stressed enough. OCR and HIPAA intend that you understand the risks to your organization in meeting the goals of the Security Rule’s § 164.306 to “securing the confidentiality, integrity and availability of electronic protected health information (ePHI)” which is the foundation of the law. You can find more info from OCR on the topic here.

2. Much like the PCI DSS, HIPAA requires an understanding of where sensitive data (ePHI) is located on your network and how it is used. For the healthcare industry, that means understanding the connections of multiple business units, business associates (BAs), and the systems that host, store, process or display ePHI. This can be a daunting task, especially because of the complex and disjointed care model in healthcare between plans, providers and business associates. Consider a data-mapping exercise to create functional architectural diagrams detailing all of the places ePHI is received, processed and transmitted on your network. Additional benefits of this exercise include the opportunity to reduce the scope of compliance assessments as the increased understanding of data flows can inform additional controls or network segmentation design.

3. Understanding where and how your data is used, a review of authentication mechanisms, access controls, and safeguards on the systems that house the data is required to ensure all appropriate controls are applied. Check out the Security Rule audit protocol  posted on OCR’s site for specific controls to apply to those critical systems.

4. With the previous steps as a solid foundation, ensure your policies and procedures include the necessary Security, Privacy and HITECH Breach notification requirements. This includes the required documentation for any addressable controls that were not fully implemented. Most of these obligations are standard fare regarding access controls, implementation of need-to-know, and least privilege in regards to accessing ePHI. However, § 164.522 - § 164.528 require covered entities to enable multiple rights of an individual to access, amend, account for disclosure, and then authorize individuals in regards to their PHI. While some of these actions are atypical requests from customers, process and technology compliance can be harder than it may sound. Smaller covered entities may be fortunate that they use a single system that can facilitate these needs or can manually gather this data. However, larger institutions containing multiple, legacy or vendor systems should test if their ePHI data stores and processes can, in fact, meet these requirements.

5. Dust off your incident response plan. The recently published Final Omnibus Rule did much to change the definition of what constitutes a breach. The previous litmus test of identifying whether “a significant risk of financial, reputational or other harm to the individual” occurred has shifted dramatically. Now, it requires “… breach notification in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” Additionally, a formal risk assessment must occur to validate and document this decision. Therefore, the amount and intent of HHS is clearly to drive a much greater level of reporting. Organizations will need to mature beyond high-level policies supporting breach notification to the operational plans other industries have adopted in regularly testing and refining their forensic evaluation and notification plans.

6. With those steps under control, realize that the Final Omnibus Rule has made a significant scope and applicability ruling regarding Business Associates (BAs). While these changes exceed the scope of this document, understanding that subcontractors to BAs are now fully liable under the auspices of HIPAA. Also, the definition of BA has expanded which is important to understand in your sourcing efforts.

While this content is healthcare-centric, information security basics still apply. Compliance is not intended to dictate adequate security. Instead, it should be considered as the minimum standard to show diligence and set the floor on how we treat this very sensitive data. The healthcare industry’s continuous focus on HIPAA/HITECH compliance should not distract from the ultimate goal – aligning the business with effective security objectives to protect data in a manner that enables businesses to prosper and serve their clients.

Tim West

Practice Manager

Tim West is practice manager of Optiv's enterprise risk and compliance team. Tim’s role is to provide world-class security, compliance and IT risk management consulting services to Optiv's clients.