
Regulatory Compliance: Compliance With HIPAA Rules Supports Cybersecurity

CDA Practice Support

Malicious cyber actors are much in the news and the public consciousness these days because their actions are having a broader impact on everyday life. For example, the ransomware attack on Colonial Pipeline earlier this year disrupted the fuel supply and created widespread panic-buying of gas. [1] Although the federal government is growing its cybersecurity response, [2] individuals and smaller organizations must take steps to ensure the security of their own systems. For health care organizations, the HIPAA Security Rule provides minimum standards for safeguarding electronic information systems.


Malicious cyber actors may seem like the “scary strangers” of horror stories, but they can also be an unaware insider in an organization who, either purposely or by accident, figuratively leaves the door open for a thief to slip through. This is the employee who clicks on a phishing email or uses an easy-to-guess password. The HHS Office for Civil Rights (OCR) noted that an analysis of health care data breaches determined 61% were perpetrated by outside entities and 39% by insiders. [3]

Two HIPAA Security Rule standards govern what a covered entity should do to ensure access to patient information is appropriate. These standards include access control and information access management.

Access control is a technical standard with four implementation specifications:

■ Unique user identification.

■ Emergency access procedure.

■ Automatic logoff.

■ Encryption/decryption.

The first two items are required and the second two items are “addressable.” An addressable specification must be implemented unless the covered entity has a good reason not to and will instead implement an alternative that is similarly effective.

Having unique user credentials for access to a network and to individual applications is a fundamental security practice. Sharing usernames and passwords may seem easier and more convenient for system users, but it makes it difficult to tie an impermissible action to a responsible party or to identify who may have been the target of a phishing attack. For an extra layer of security, consider implementing two-factor authentication. Emergency access procedures are necessary for situations in which normal procedures for obtaining electronic patient health information are limited or simply not available. Dental practices that had these procedures in place were prepared when COVID-19 work restrictions were instituted last year: staff could securely access patient information from locations outside the dental practice and continue to bill and follow up with patients.

Automatic logoff and encryption/decryption reduce the risk of unauthorized access and the potential destruction or alteration of information. IT systems have progressed since the HIPAA Security Rule became effective in April 2005, so the technical capability to implement these two addressable safeguards is a low barrier today. However, some covered entities retain legacy systems for operational reasons and may need to implement alternatives that are similarly effective.

Information access management is an administrative standard that requires a covered entity to implement policies and procedures that are consistent with the HIPAA rules on access to electronic protected health information (ePHI) for required, authorized and permitted uses and disclosures. For example, a dental practice with cloud-based electronic health records (EHRs) should have a written policy and procedures that authorize and describe how contracted IT support may access the practice’s information systems remotely, and only to perform the necessary and requested tasks that keep the EHR operating. The procedures would identify how access is established, documented, reviewed and modified.

To develop effective information access management policies and procedures, a covered entity must know what ePHI it possesses, how it is used and disclosed, and by whom in the workforce it is used and disclosed. The covered entity also needs to consider how its HIPAA business associates access and use ePHI. The policies set the parameters under which an individual in a specific job may be granted access to specified data or applications. For example, a dental assistant typically does not need access to a patient’s financial information unless the assistant’s assigned job responsibilities include some aspect of billing. The policies should be clear that individual workforce members may only have access to the information necessary to do their job. Procedures may include how requests to access information systems with ePHI are made, who is responsible for granting the request and the criteria for granting access.
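The two standards above come together in practice as a per-person access decision that is both minimum-necessary and attributable. The following is an added illustration, not code from the original article or from CDA, with constructed role names and ePHI categories: each workforce member has a unique user ID, role defaults follow the job, extra grants (such as billing duties for an assistant) are recorded per person, and every decision is logged against the unique ID so an impermissible action can be traced to one individual.

```python
"""Least-privilege ePHI access check keyed on unique user IDs (constructed example)."""
from dataclasses import dataclass, field

# ePHI categories a dental practice might hold (constructed labels).
CLINICAL, FINANCIAL, SCHEDULING = "clinical", "financial", "scheduling"

# Role -> categories a workforce member in that role may access by default.
# A dental assistant gets no financial data unless billing duties are granted explicitly.
ROLE_ACCESS = {
    "dentist": {CLINICAL, FINANCIAL, SCHEDULING},
    "dental_assistant": {CLINICAL, SCHEDULING},
    "billing": {FINANCIAL, SCHEDULING},
    "front_desk": {SCHEDULING},
}

@dataclass
class User:
    user_id: str                                     # unique per person; never shared
    role: str
    extra_duties: set = field(default_factory=set)   # documented per-person grants

    def permitted(self):
        """Minimum necessary: role defaults plus explicitly granted duties."""
        return ROLE_ACCESS.get(self.role, set()) | self.extra_duties

AUDIT_LOG = []   # (actor_id, role_or_event, category, result) tuples

def authorize(user, category):
    """Return True if the user may access this ePHI category, and record the
    decision against the unique user ID so the action is attributable."""
    allowed = category in user.permitted()
    AUDIT_LOG.append((user.user_id, user.role, category, "ALLOW" if allowed else "DENY"))
    return allowed

def grant_duty(user, category, approved_by):
    """Add a documented extra grant, e.g. billing responsibilities for an assistant."""
    user.extra_duties.add(category)
    AUDIT_LOG.append((approved_by, "grant", category, user.user_id))

def who_accessed(category):
    """Review query: which unique users were allowed to touch this category?"""
    return sorted({uid for uid, _, cat, res in AUDIT_LOG
                   if cat == category and res == "ALLOW"})
```

Because the log records the unique ID rather than a shared account, `who_accessed` narrows a review to individuals, which is exactly what shared credentials prevent.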

The HIPAA Security Rule is flexible, scalable and technology-neutral. Covered entities may consider a variety of methods to prevent unauthorized access to ePHI. OCR notes that access controls need not be limited to computer systems: [4]

Firewalls, network segmentation and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems — especially systems containing sensitive data.

REFERENCES

1. 10 of the biggest ransomware attacks of 2021 — so far. searchsecurity.techtarget.com/feature/The-biggest-ransomware-attacks-this-year. Accessed Aug. 1, 2021. Pipeline attack yields urgent lessons about U.S. cybersecurity. New York Times, May 14, 2021. www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html. Accessed Aug. 1, 2021.

2. Healthcare IT News. Biden calls for improved critical infrastructure cybersecurity. July 19, 2021. www.healthcareitnews.com/news/biden-calls-improved-critical-infrastructure-cybersecurity.

3. HHS Office for Civil Rights. Summer 2021 Cybersecurity Newsletter. Controlling access to ePHI: For whose eyes only? www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2021/index.html.

4. Ibid.

Regulatory Compliance appears monthly and features resources about laws that impact dental practices. Visit cda.org/practicesupport for more than 600 practice support resources, including practice management, employment practices, dental benefit plans and regulatory compliance.
