ADVERTISEMENT
Cyber Security & HIPAA: Taking Security Measures Beyond General Compliance in the Wound Clinic
Editor’s Note: This article was reprinted with permission.
Threats to the security of electronic protected health information (ePHI) evolve constantly, in ways that could not have been envisioned in 1996, when HIPAA was enacted. Cyber security has since become a term that’s front and center in our daily lives, personally as well as professionally.
This article will discuss what cyber security means to today’s healthcare clinician and provide an introduction to security procedures that those in the wound clinic should be aware of — beyond simply complying with general HIPAA regulations.
Addressing Cyber “Attacks”
The goal of cyber security is to prevent, detect, or remediate an electronic security breach as quickly as possible. What follows is a discussion on various types of cyber attacks, as well as cyber defensive strategies for data “at rest” and data “in transit.” Healthcare providers should be familiar with the list of terms here in an effort to strengthen one’s cyber security status.
Malware. Malicious software damages or disrupts a computer system, potentially stealing information. It’s commonly installed through email attachments, downloads of infected files, or infected websites. Downloading ActiveX technology can also introduce malware. Systems should be set to require confirmation that malware is absent in files and programs, before these files or programs are downloaded. Additionally, downloaded files should be isolated from the organization’s network until it’s been assured that malware is not present in these files.1 Protections include virus software (updated regularly) and scanning of attachments before downloading. Software security patches should be downloaded regularly; one option is to have a scheduled “update day.”2 The workforce should be trained to recognize suspicious emails and to avoid downloading files. Alternatively, “white listing” applications, which limit specific domains or programs that your system can accept, can be used. Policies and procedures should call for backup of files regularly.2
Phishing, Spear Phishing, and Whaling. Phishing is when a cyber intruder seeks to access your personal information or passwords by posing as a business or organization with “legitimate reason to request information,” usually via an email or text that appears genuine. Spear phishing is an attack that targets a specific individual or business, while whaling is an attack aimed at a senior official in an organization. The workforce should be trained to never provide passwords to anyone via email, respond to requests for personal information, or open emails that contain spelling or grammatical errors, or are from an unexpected source.
Hacking and Keyboard Logging. While hacking is not the most common cause of loss of PHI, it does result in the largest amount of loss of PHI. Hackers first gain access to a network, typically through a phishing email, whereby some or all of the found data is exported.3 Keyboard logging involves software that tracks actions on a keyboard, typically with intent to collect private data. Keyloggers get installed when a file is opened from an email, text message, instant messaging, or social networks, or by visiting an infected website.4 Networks need to be well protected; prevention efforts may include a two-step authentication, a virtual keyboard, or a password generator.5
Spam. Spam is advertising distributed typically via email that may link to phishing websites or malware installs.6 The workforce should be trained not to click on spam or download any attachments from spam mail. For some practices, an investment in spam filters may be a viable option.
Cookies. Cookies represent a mechanism that allows a server to store its information about online activity on the user’s computer, potentially tracking the habits of users over time and across different websites, putting personal information at risk. The workforce should be sure websites that ask for personal information are encrypted and the URL begins with “https.”7,8
Denial-of-Service Attacks. Denial of service attacks are automated scripts that launch massive numbers of emails or calls to a website to such an extent that the victim is rendered useless. Prevention and solutions to denial of service attacks are more complicated than can be discussed here. The National Institute of Standards and Technology (NIST) offers a Guide to Intrusion Detection and Prevention Systems.9
Crypto Wall. Crypto wall is software, typically introduced via a phishing attack, that encrypts a hard drive. Once encrypted, the victim is strong-armed to pay a ransom to receive the encryption key, so the victim can decrypt the hard drive and access the data. Additionally, in many cases, the cryptowall software simultaneously injects other malware to the system. A common situation is to inject keystroke-logging malware that renders security systems ineffective.
Workforce members should be trained to not open emails that are suspicious, and covered entities (CEs) should have good backups for all devices connected to the network.
Guarding Against Lost or Stolen Data
In addition to the protections already mentioned, additional recommendations for data security, for data at rest, or for data in transit include:
Encryption. Encryption is defined as the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.10 It transfers to plain text (ie, a document) into cipher text, whereby a “key” is needed to transfer the cipher text back into data (ie, decryption).11 NIST outlines processes available for encryption for data at rest and encryption for data in motion.12 Encryption is not required under the regulation. However, if, after a risk assessment, a CE determines it’s a reasonable and appropriate safeguard, it should be implemented. If not, CEs should document which measures have been implemented instead.13 Encryption software may be purchased, but encryption is available through smartphones, notebooks, laptops, and other computers. Risk assessment can help determine the level of encryption protection a practice needs. Because portable devices are one of the largest amounts of data breaches, encryption is highly recommended. It’s suggested that an organization encrypt patient data on its server and avoid keeping patient data on stationary personal computers.14
Encryption of Mobile Devices. In a Ponemon Institute study,15 88% of organizations allow their workforces to use their own mobile devices, yet 49% of providers surveyed had not implemented security measures for the devices. Most organizations in the Ponemon study of 2013 indicated they did not mandate encryption, antivirus, or antimalware software on the devices. Given mobile devices are the most common source of breach, they should be encrypted.
Additional Cyber Defensive Strategies. In their book Successfully Choosing Your EMR: 15 Crucial Decisions, Arthur and Betty Gasch16 give excellent cyber defensive advice. In addition to the techniques listed already, the Gasches advise the following:
Configure Computers Properly. Users should enable standard file-sharing, disable guest user accounts on the system, and disable user-level registry access. Additionally, users should lock down Windows installer (except to administrators), activate system-file protection, deploy a bidirectional firewall, and configure browsers for high security.
Limit Internet Access. It’s recommended Internet access be discontinued after office hours. Additionally, CEs should forbid Internet surfing, games, and downloaded screen savers.
Incorporate Surveillance. Users should monitor access logs. In larger organizations, consider penetration testing.
Cyber Insurance. Cyber insurance can offset costs of a breach and provide tools in the event of a breach notification. Policies should be read carefully. Business associates (BAs) are typically not included, yet CEs are responsible for data breaches caused by BAs. Additionally, there may be exclusions if CEs were not following HIPAA regulations.
Password Protection. Passwords should be at least eight characters in length and should contain a capital letter, a lowercase letter, a number, and a special character (eg, %; $; *; ?; !). For those with difficulty remembering, use a phrase or song to create a unique password (eg - “$s2donuts”,“Back2Square1!”, “Dontworry,Bhappy!”)8
Additional protection may include password encryption and vault storage.
Two-Factor Authentication. Two-factor authentication requires a second layer of logging in. Typically, when the first-level login occurs (user name and password), a temporary, second authentication key is delivered to the user (ie, text message will be sent to the user’s cell phone). This authentication key has a short life (must be used within 20 minutes) for it to remain valid. Typically, these systems can be configured so that the second factor is required every “X” days or when a log-on is attempted from a new device.
Training of Workforce on Cyber Security. One of the biggest risks to electronic security is a lack of training for the workforce on computer/Internet policies and procedures. CEs will want to train workforce on cyber security by sending or posting regular reminders and updates.
Social Media. Social media is an excellent tool for education, advertising, and consultation with other professionals. However, it can also be a source of damaging privacy violations. There are many sources of social media to consider (eg, Facebook, Twitter, LinkedIn, Tumblr, Google Plus, Instagram, Pinterest).15 Insurion gives the following advice for using social media:17
- Assume all social media activity is public.
- Don’t post about clients, positively or negatively.
- Be professional; inappropriate personal pictures can damage one’s image as well as that of the profession.
- Keep professional and personal social media accounts separate.
- Don’t add clients to social media accounts.
- Don’t use location “check-ins” when in the field visiting patients.
- Practices should have clear social media policies, with clear and consistent training provided.
Text Messaging. Many providers use text messaging to confirm or change appointments, or for quick check-ins with clients, among other uses. Texting has definite clinical advantages, but can bring security concerns. Texts may remain in a phone for years, with a risk of phones being lost, stolen, or donated with ePHI on the device.18 HIPAA security considerations are encryption of both the data at rest and data in transit, recipient authentication, and auditing controls (eg, ability to record and examine system activity to determine if a security violation occurred).18 Each practice must do risk analysis when considering texting by weighing patient-care considerations against security concerns. Some opt for secure text messaging applications; others opt to use text for appointment reminders only. Policies and procedures should address this issue for the workforce.
Emailing. HIPAA Security does not specifically forbid use of email for sending ePHI. Transmission security is an addressable requirement, so it’s incumbent upon the practitioner to decide if unencrypted emails adequately protect ePHI. A solution must be selected, a decision made, and the decision documented.19 Some practitioners decide to not communicate any ePHI via email, while others set limits on what may be communicated via email (eg, only appointment confirmations). Some give patients the opportunity to agree or object to the practice in their informed consent while educating about the potential for breach of ePHI. Emails sent within the workforce on an internal server are considered secure (though there is a risk of an internal message being sent to the wrong person). For both texting and emails, policies and procedures should detail the CE’s specific rules on the issue. Access control, integrity, and transmission security should all be considered.
Summary
HIPAA does not specify use of any particular technology, as the U.S. Department of Health & Human Services wanted to make electronic data safeguards as flexible as possible. This makes sense given fast-evolving cyber threats. No doubt the dance between cyber threats and cyber defenses will continue. In this article, we examined prevention and cure of cyber threats, the risks and benefits of social media, and explored the use of texting and emailing for rapid communication with patients and other providers. All efforts to contain a breach must be integrated into one’s larger security program.
Lorna L. Hecker is executive vice president and director of education and training at Carosh Compliance Solutions, a HIPAA compliance consultancy based in Crown Point, IN. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices she is a professor of behavioral sciences at Purdue University Northwest, where she is on the faculty of the marriage and family therapy master’s program. She is the director for the Purdue University Northwest Couple and Family Therapy Center and teaches graduate courses in professional and ethical issues, couples therapy, trauma, theories of family therapy, trauma, and play in family therapy. The author and/or editor of multiple books on various mental health topics, including ethics and professional issues, she has published articles and made national and international presentations in the field of mental health.
References
1. Jenkins MK. The “dirty dozen” healthcare IT issues. J Am Assoc for Orthopaedic Surg. Accessed online: www.aaos.org/AAOSNow/2013/Nov/managing/managing9/?ssopc=1
2. HHS Cybersecurity Program. Information systems security awareness training. 2015. Accessed online: https://docplayer.net/1262280-The-department-of-health-and-humanservices-information-systems-security-awareness-training-fiscal-year-2015.html
3. Malenkovich S. How Attackers Actually Steal Data. Kaspersky Lab Daily. 2013. Accessed online: https://blog.kaspersky.com/how-attackers-actually-stealdata/933
4. Siciliano R. What is a Keylogger? Consumer, Family Safety, Identity Protection, Mobile Security Consumer Log. McAfee. Accessed online: https://blogs.mcafee.com/consumer/what-is-a-keylogger
5. Grebennikov N. Keyloggers: How They Work and How to Detect Them. 2007. Accessed online: https://securelist.com/analysis/publications/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1
6. Cybersecurity Program. Information Systems Security Awareness Training. HHS. 2015. Accessed online: https://docplayer.net/1262280-The-department-of-health-and-humanservices-information-systems-security-awareness-training-fiscal-year-2015.html
7. Summaries of the Office of the Chief Information Officer (OCIO) Policies, Standards, and Charters. HHS. 2015. Accessed online: www.hhs.gov/ocio/policy/ociosummaries.html
8. HHS Cybersecurity Program. Information Systems Security Awareness Training. 2015. Accessed online: https://docplayer.net/1262280-The-department-of-health-and-humanservices-information-systems-security-awareness-training-fiscal-year-2015.html
9. NIST. Guide to Intrusion Detection and Prevention System (IDPS), Special Publication 800-94. 2007. Accessed online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf
10. Health information Privacy: Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. HHS (n.d.). Accessed online: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
11. Burdon M, Reid J, Low, R. Encryption Safe Harbors and Data Breach Notification laws. Computer Law Security Review. 2010;26(5):520–34.
12. NIST. Guide to Storage Encryption Technologies for End User Devices, publication 800-111. 2007. Accessed online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf
13. Health Information Privacy: Is the Use of Encryption Mandatory in the Security Rule? HHS (n.d.). Accessed online: www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html
14. Hyden M. HIPAA and encryption technology: don’t let the fear of hackers blind you to likelier threats. MGMA Connex. 2013;13(9):45–6.
15. Ponemon Institute. Cost of data Breach: Global Analysis. 2013. Accessed online: www.ponemon.org/blog/2013-cost-of-data-breach-global-analysis
16. Gasch A, Gasch, B. (2010). Protecting Your Patient Data. Successfully choosing your EMR: 15 Crucial Decisions. Hoboken, NJ: Wiley-Blackwell.
17. Technology for professionals: Protecting Data to Minimize Malpractice and Other Liability Claims. Insurion. (n.d.). Accessed online: https://alliedhealth.insureon.com/Portals/15/images/hipaa-ebook/ebook_technology_mental_health_professionals.pdf
18. Collier N. Keep text messaging secure. For the Record. 2015;27(3):25.
19. Health Information Privacy: Does the Security Rule Allow for Sending Electronic PHI (e-PHI) in an Email or Over the Internet? If so, What Protections Must be Applied? HHS. (n.d.). Accessed online: https://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html