BreachExchange mailing list archives

HIPAA Enforcer Losing Patience on Encryption


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Sep 2015 19:29:48 -0600

http://www.databreachtoday.com/blogs/hipaa-enforcer-losing-patience-on-encryption-p-1929

If there's one thing federal regulators want to drill into the heads of
covered entities and business associates about data breach prevention, it's
this: Stop procrastinating, and conduct a risk analysis and encrypt most of
your computing devices right away.

Officials at the Department of Health and Human Services' Office for Civil
Rights, which enforces HIPAA, repeatedly emphasized that message at last
week's HIPAA security conference, which OCR co-sponsored with the National
Institute of Standards and Technology.

Anything that can "walk" away - including laptop computers, storage
devices, desktop PCs as well as servers that aren't nailed to the floor -
should be encrypted, even though encryption isn't explicitly mandated by
the HIPAA Security Rule, which defines it as an "addressable" issue, OCR
officials said.

"Addressable doesn't mean optional," even for the smallest of healthcare
providers and business associates, Deven McGraw, OCR deputy director of
information privacy, told the audience. "We expect you to address
encrypting data at rest and in transmission - and if you don't, you must
implement an alternative option in its place," as well as document the
reasoning, she reminded attendees.

Aside from encryption, there really aren't any other great options to
secure electronic protected health information on devices that can be lost
or stolen, emphasized Iliana Peters, senior adviser for compliance and
enforcement at OCR. "If it can walk away, it will get lost or stolen at
some point," she said. Lost and stolen unencrypted computing devices have
been involved in 57 percent of the 1,310 major breaches reported to OCR
from September 2009 to Aug. 28, 2015, she said.

OCR officials are clearly annoyed that breaches involving unencrypted
devices keep happening, year after year. In fact, the latest enforcement
action taken by the office last week was a $750,000 settlement with a small
cancer care practice that - drum roll please - had an unencrypted laptop
and storage device stolen from an employee's car in 2012 (see New HIPAA
Compliance Audit Details Revealed).

The bigger problem with breaches involving lost and stolen unencrypted
devices is that they are often a tip-off to OCR that an organization has
other, more serious HIPAA compliance issues - particularly the failure to
conduct a risk analysis that is followed up by actually mitigating the
identified risks, McGraw said.

"The linchpin is risk assessment," she said. During the Cancer Care Corp.
breach investigation, OCR found that the practice hadn't conducted a risk
assessment prior to the 2012 theft incident. That's a common issue not only
uncovered in OCR breach investigations, but also in the findings of OCR's
random HIPAA audit pilot program in 2011 and 2012.

The agency will resume its HIPAA compliance audits in 2016, and
documentation of a risk analysis - and of risk mitigation - is among the
measures it will scrutinize at covered entities and at business
associates, which will also be included in the scrutiny this time around (see:
Exclusive: OCR's McGraw on Timing of HIPAA Audits).

Hacker Attacks

Although breaches involving unencrypted devices are a persistent problem,
hacker attacks affecting many millions of individuals have been grabbing
headlines in recent months.

OCR is continuing its investigations of the recent mega-breaches, including
those experienced by Anthem Inc., Premera Blue Cross and UCLA Health, noted
OCR Director Jocelyn Samuels.

"All of us need to be vigilant in protecting information," Samuels said,
stressing the need to ensure strong controls are in place. Key steps, she
said, include: monitoring whether authorized users are adhering to an
organization's rules and policies about data access; monitoring what's
happening with large packets of information moving across firewalls;
updating virus protection and patching out-of-date software.

Other Concerns

As for other kinds of breaches, OCR officials admitted that incidents
involving unsecured email and text communications are likely being
underreported.

However, while communication among covered entities - as well as
communication with BAs - involving patient ePHI should be secured
through encryption or another means, patients can insist on having
unsecured communication with their healthcare providers. "Patients may
request unencrypted communication," McGraw noted, as long as they're made
aware of the risks.

Other important issues that covered entities and business associates need
to consider, Peters said, include:

- Retraining staff about phishing emails in light of recent hacker attacks;
- Having a back-up plan in case your organization becomes a victim of a
ransomware attack or suffers another disaster;
- Thoroughly assessing and managing risks if your organization permits BYOD;
- Re-evaluating which users in your organization actually need elevated
data access privileges. "The more people who have elevated privileges, the
more risk," Peters noted.

While OCR officials say it's only a matter of time before your
organization discovers that it has had some sort of breach, it's clear
that when the HIPAA enforcers investigate the incident, they'll want you to
explain the security measures you had in place to minimize risks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss