Updated: May 5, 2022
There are so many threats looming in today's world, from the war in Ukraine to new COVID variants to the rising cost of running a medical practice, that it is easy for cybersecurity to become the last thing on the minds of doctors and management staff. Regardless, security threats continue to rise each year. Practices and small to midsize hospitals can no longer ignore cybersecurity planning or delay it for another year.
Also, saying "HIPAA" has become almost like saying a profane word. The goal here is not doom and gloom but to explain why a cybersecurity focus is necessary in 2022. It is time to tackle the to-do list item that has been gathering dust waiting to be checked off. To ease the frustration and move the needle forward, below is a list of ten (10) HIPAA cybersecurity best practices for 2022 (in no particular order; all are important and carry the same weight):
1. HIPAA Cybersecurity Training.
In many cases, your staff is your frontline defense against cybersecurity threats. Common incidents include fake phone calls asking for information, leaving computers unlocked while out to lunch, charging phones through the computer, plugging in a flash drive found lying around, sharing passwords, phishing emails, and much more.
Cybersecurity training helps staff understand why patient records must be protected from the things mentioned above; staff who know what an incident looks like can stop an attack before it starts. Everyone (including the doctors, regardless of their IT knowledge) needs to complete cybersecurity training, because cybercriminals, like any other criminal or bad actor, keep finding new ways to play the same tricks. One of the larger threats in cybersecurity is the belief that we will not be attacked or that an incident will not happen to us. Don't let yourself or your staff fall victim: be prepared and get trained.
2. Consistent updates performed on all devices and software.
This task can no longer be left to IT staff or outside IT contractors alone. Recent incidents have proven costly when computers and devices are not updated. As with any other department or outside contractor, anyone can become distracted or negligent without accountability. Create a recurring reminder on your calendar to follow up with your IT staff or contractor and confirm that all systems and software are up to date, and have them produce an update report periodically. The IT staff may become frustrated with your persistence but will thank you later when an updated system thwarts an attack. Also, keep an inventory of devices that can no longer be updated but must remain in use because of the cost of replacing them, such as an older X-ray machine; those devices need compensating controls, such as isolating them on their own network segment so that a compromise cannot spread to them or from them. Lastly, this section assumes that you have IT staff or outsourced IT contractors. If you do not, you likely have many vulnerabilities in your network. Cousin Bob is no longer enough to protect your systems.
3. Proper settings on the firewall and up-to-date Anti-Virus Software.
If you are not familiar with a firewall, it is simply a device or software that monitors your computer network and keeps unauthorized traffic out. Think of your house and a home alarm system: you lock the doors and windows and control who comes in and out, and the alarm alerts you if there is an intruder or a window was left open. When you get a notification, you check whether there was an intruder, and if so you call the local authorities to investigate. A firewall does the same. It monitors traffic on your network, controls the digital windows and doors to your systems, alerts when it sees unauthorized traffic, and keeps logs for your IT staff to investigate. And just as an alarm system has many components (motion sensors, door contacts, window contacts, glass-break sensors), a firewall has many features. One of them is an Intrusion Detection and Prevention System (IDPS), which uses known attack signatures and traffic characteristics to identify and block unauthorized traffic; make sure it is enabled and that its signatures are updating. Most importantly, many firewalls ship with a permissive configuration, so someone must write the rules: block all inbound traffic by default and allow only the specific services the practice needs, from the specific places they are needed. Otherwise you may leave ports open that let anyone on the Internet reach your network.
Another tool, built into the firewall or installed on each computer, is anti-virus. Anti-virus works by downloading the characteristics (signatures) of known malware and scanning your computer for anything that matches; newer products add cloud-backed, real-time scanning of suspicious files and behavior. Nonetheless, you must have an up-to-date firewall installed. Firewall options are endless, and which to choose depends on the size of your practice and other factors. Most IT staff or contractors prefer a particular manufacturer because they have spent the time learning its configuration and best practices and can support it properly. Firewall companies are very competitive and typically provide the same or similar features. Ensure you have a firewall and anti-virus, that both are updated with the latest features and tools, and that all licenses are active: on most firewalls the IDPS and anti-virus signatures stop updating the day the subscription lapses, even though the device keeps passing traffic.
4. Policies and Procedures.
It is time to dust off the binder on the shelf, or find the document downloaded in 1998, and create policies and procedures that align with how the practice operates today. HIPAA requires you to document your policies and procedures, but they are also a tool for accountability and strategy. Without written policies, violations happen, and staff may not know what to do in an emergency. Documented policies and procedures tell everyone in the organization how to handle, store, and send Protected Health Information (PHI) to other organizations, and so on. Without that understanding, staff members may invent a policy or act on their own, jeopardizing the practice. Something as simple as replying to a social media message with patient details can get the practice fined.
In 2019, the Office for Civil Rights (OCR) fined Elite Dental Associates $10,000 for responding to an online review with the patient's name, treatment plan details, and insurance information. OCR found that "Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule." OCR substantially reduced the settlement because of the size of the practice and its financial circumstances; the violation could easily have cost $1.5 million. The moral of the story: have up-to-date policies and procedures, train the staff, and hold them accountable, including the doctors.
5. Business Associate Agreements.
If another organization will create, receive, maintain, or transmit Protected Health Information (PHI) on your behalf to perform a task, whether billing, IT services, or hosting the Electronic Medical Record (EMR) system, that organization is a business associate and the HIPAA Privacy Rule requires a Business Associate Agreement (BAA). A HIPAA Business Associate Contract, or Business Associate Agreement, is a written arrangement that spells out each party's responsibilities for handling and protecting PHI. A proper BAA can save an organization from the liability of a breach: in the past, OCR has held a practice liable for lost data rather than the contracted Business Associate (BA) because the practice had never executed a BAA. A BAA cannot be just any agreement or a typical contract. It must list specific measures that protect PHI, state both the permitted and the prohibited uses and disclosures of PHI, and require the BA and its subcontractors to apply appropriate safeguards to prevent inappropriate use or disclosure.
Examples of common business associates include:
Medical billing services
IT service providers
Cloud storage providers
Physical storage providers
And many more
Review existing relationships with vendors and verify that you have an executed BAA or that one is included in the service agreement. If the BAA is part of the service agreement, download or print it for your records. Keep all agreements in one place, such as a cloud folder or an office binder, so that in the event of a breach you know where to look and whom to contact.
6. Password managers for you and your staff and multifactor authentication.
There are too many websites and systems that require passwords today. You need a password for your local computer and practice management system, and also for every insurance portal, email account, and other system. To cope, most people write passwords down or keep them in a notepad app on the phone. That is why HamTECH Solutions has come to believe that password managers are the best solution for storing passwords and keeping them safe. Believe it or not, it took us some time to recommend them: a password manager can be a single point of failure because every password is in one place, but the pros outweigh the cons. Password managers encrypt the vault and are far more secure than the methods above, and because you no longer have to memorize passwords, you can generate a long, unique password for every site. Protect the vault itself with a long master passphrase and multifactor authentication, since it is the one password that still has to be remembered. A manager is also a better alternative to saving passwords in Microsoft Edge, Firefox, Chrome, or Safari; when the browser asks "should this password be saved?", the answer should always be No. Practice administrators can purchase password manager team plans for staff members.
In addition to password managers, enable multifactor authentication on critical applications. It may be called "Two-Step Verification" or "Multifactor Authentication," but it works the same way: Multifactor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to access a resource such as an application, online account, or VPN. An authentication factor is how you confirm your identity when signing in. A password, for example, is one kind of factor, a thing you know. The three most common factors are:
Something you have - Like a hardware security key or an authenticator app on your smartphone.
Something you know - Like a PIN or password.
Something you are - Like facial recognition or a fingerprint.
If somebody tries to sign in with your username and password, they will be prompted for a second factor. Unless they also have your smartphone or security key, they cannot supply it. Authenticator-app codes typically change every 30 seconds, so even if an attacker captured the code you used yesterday, it no longer works. Prefer an authenticator app or hardware key over codes sent by text message, which can be intercepted or redirected through SIM swapping.
Password managers and multifactor authentication will assist in securing your network and applications.
7. Cloud backups.
Practices should back up sensitive data like PHI (Protected Health Information) with a HIPAA-compliant cloud provider. If you don't back up your data, you can lose it at any time. A cloud backup is a copy of your data transferred to an offsite server over the Internet. Some backup services let you access the data as if you were in the office in the event of a disaster, or retrieve a single lost or stolen file. Typically, a HIPAA-compliant cloud backup vendor installs software on your computer or sends you an appliance to keep in your IT closet. You then select the files and folders to back up. The first run can take a long time, depending on how much data you select; afterwards the device or software runs in the background and stores your changes on a regular schedule. Encryption is an essential part of a HIPAA-compliant cloud backup: data should be encrypted in transit and at rest on the offsite server so that a stolen or exposed backup does not disclose PHI, and the practice, not just the vendor, should control the encryption keys. HIPAA-compliant cloud backup vendors provide encryption as a standard feature; confirm that it is enabled.
It is necessary to monitor the backups and ensure they are current. You do not want to wait until an incident occurs to find out that the backups stopped working months ago. It is also essential to use an offsite vendor so that if a fire or local disaster damages your systems, the information can still be recovered. And it is best practice to run recovery drills in which you walk through the actual restore steps, so that everyone knows their role and you have proven the backups are complete and accurate.
Data backups are also one of the best defenses against ransomware. Ransomware is malicious software, usually delivered through a phishing link or attachment that an employee opens, that encrypts your data and locks you out until a ransom is paid. With good backups you can restore your data instead of paying. The caveat: ransomware operators deliberately look for and encrypt or delete any backups they can reach, so at least one copy must be offline or immutable (not writable from the office network with the same credentials), and restores must be tested.
Confirm your data is backed up, and implement a backup policy and procedure.
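The recovery drill above needs something objective to check against. The following is an added example (not code from the original article or from any backup vendor) of the check a practice can run after a test restore: a manifest of file hashes is recorded at backup time, signed with a key kept with the offline copy, and a restore passes only if the manifest is authentic, recent, and every file matches. The file contents, the signing key, and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import json

# Key used to sign the manifest; in practice kept with the offline copy, never on
# the servers being backed up (assumed value for this example only).
MANIFEST_KEY = b"example-manifest-signing-key"


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, taken_at: int) -> dict:
    """Record a SHA-256 digest of every file at backup time, when the backup ran,
    and an HMAC over the record so a tampered or back-dated manifest is detectable."""
    body = {"taken_at": taken_at,
            "files": {name: file_digest(data) for name, data in sorted(files.items())}}
    serialized = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(MANIFEST_KEY, serialized, hashlib.sha256).hexdigest()
    return body


def manifest_is_authentic(manifest: dict) -> bool:
    body = {k: v for k, v in manifest.items() if k != "signature"}
    serialized = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, serialized, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("signature", ""))


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored copy against the manifest; returns problems by category."""
    problems = {"missing": [], "corrupt": [], "unexpected": []}
    for name, digest in manifest["files"].items():
        if name not in restored:
            problems["missing"].append(name)
        elif file_digest(restored[name]) != digest:
            problems["corrupt"].append(name)
    problems["unexpected"] = [n for n in restored if n not in manifest["files"]]
    return problems


def backup_is_fresh(manifest: dict, now: int, max_age_hours: int = 24) -> bool:
    """A backup older than the agreed interval is a silent failure, not a backup."""
    return 0 <= now - manifest["taken_at"] <= max_age_hours * 3600


def restore_test(manifest: dict, restored: dict, now: int) -> bool:
    """The pass/fail for a drill: manifest authentic, backup fresh, nothing missing or corrupt."""
    return (manifest_is_authentic(manifest)
            and backup_is_fresh(manifest, now)
            and not any(verify_restore(manifest, restored).values()))


# Constructed sample data: three small "files" of the kind a practice would back up.
LIVE_FILES = {
    "patients/1001.json": b'{"name": "Example Patient", "mrn": "1001"}',
    "billing/2022-04.csv": b"claim_id,amount\n1,120.00\n2,45.50\n",
    "imaging/xray-1001.dcm": bytes(range(64)),
}
BACKUP_TAKEN_AT = 1651708800                      # 2022-05-05 00:00 UTC
MANIFEST = make_manifest(LIVE_FILES, BACKUP_TAKEN_AT)
BACKUP_COPY = dict(LIVE_FILES)                    # what the vendor stored offsite

# What the office share looks like after a ransomware run: every file replaced by
# ciphertext plus a ransom note. A restore from BACKUP_COPY passes; this does not.
RANSOMED_FILES = {name: b"\x00encrypted\x00" + data[::-1] for name, data in LIVE_FILES.items()}
RANSOMED_FILES["README_TO_DECRYPT.txt"] = b"pay us"

if __name__ == "__main__":
    print("restore from backup passes:", restore_test(MANIFEST, BACKUP_COPY, BACKUP_TAKEN_AT + 3600))
    print("ransomed share problems:", verify_restore(MANIFEST, RANSOMED_FILES))
```

The signed manifest is the part most practices skip: if the attacker can rewrite the backup, they can usually rewrite an unsigned manifest too, and a "successful" restore of encrypted garbage is worse than a failed one.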
8. Confirm and ensure remote access is secure and devices are encrypted.
Your Doctor comes to you and says they need a laptop that can be used out of town at a conference and can access the EMR from wherever they are. What do you do? Or a better scenario, your Doctor has purchased a laptop and wants you to contact IT to give him remote access. The doctor already has access to the network from their home desktop with a secure connection set up several years ago. In each of the scenarios, it is important to note that security is ever-changing and what was done last year for security may be outdated or vulnerable today. Here is a list of items that can assist in the previously mentioned case or similar cases to ensure best practice.
When securing the network, one must first understand the different access methods. There are three general methods: direct access to an application, desktop sharing applications, and a Virtual Private Network (VPN). Direct access to an application means reaching your EMR (eClinicalWorks, NextGen, Epic, or others) directly from a browser or app, separate from your office network; as long as the user has Internet access, they can use the application from a laptop or mobile device. Desktop sharing applications, on the other hand, let you operate your office computer, or a remote server with network resources, as if you were sitting in front of it. The application is installed on the office computer or server, and you connect from your local computer with a browser or a client. Examples include Remote Desktop Protocol (RDP), TeamViewer, Splashtop, ShowMyPC, LogMeIn, Citrix, VMware, and others. One important caveat: RDP should never be exposed directly to the Internet, where it is constantly scanned and brute-forced; it should be reachable only over the VPN. A VPN uses an application to connect your computer to the office network as if it were physically plugged in there. There are multiple ways to do this: the VPN endpoint can be an appliance in the IT closet or software on a server. Do not confuse this with consumer VPN services such as NordVPN that encrypt your Internet browsing; the VPN discussed here connects your computer to your private office network.
Once the remote connection method is determined, a remote-work or work-from-home policy should spell out how individuals may access the network, with a practical list of dos and don'ts. You or the IT staff must also ensure that the software or device encrypts every connection; the vendor should be able to document the encryption used. All remote access connections must be encrypted. Also refer to the password section above regarding multifactor authentication, which every remote access method should require, and to the business associate agreement section to confirm the vendor has signed one.
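The firewall section (item 3) says to block inbound traffic by default, and this section says RDP belongs behind the VPN. Both come down to the same rule set, so here is one added example (not the article's own material or any firewall vendor's configuration) that models how a firewall evaluates rules first-match and shows the permissive setting beside the corrected one against constructed sample traffic. The interface names, the 10.8.0.0/24 VPN client pool, and UDP 51820 as the VPN listener (the usual WireGuard port) are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    iface: str       # interface the packet arrives on, e.g. "wan" or the VPN tunnel
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    src: ipaddress.IPv4Network   # source addresses the rule applies to


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    proto: str
    dport: int


def evaluate(rules, default: str, pkt: Packet) -> str:
    """First-match evaluation, the model most firewalls use: the first rule whose
    interface, protocol, port and source network all match decides; if nothing
    matches, the default policy decides. The default is the setting that matters."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and r.dport == pkt.dport and src in r.src):
            return r.action
    return default


ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN client address pool

# Weak setting: no inbound rules and a permissive default, so RDP (3389), SMB (445)
# and anything else listening is reachable from the whole Internet.
PERMISSIVE_RULES = []
PERMISSIVE_DEFAULT = "allow"

# Corrected setting: deny inbound by default; expose only the VPN listener to the
# Internet, and allow RDP only from VPN clients arriving on the tunnel interface.
# Matching on the interface as well as the address defeats a spoofed VPN source.
HARDENED_RULES = [
    Rule("allow", "wan", "udp", 51820, ANY),
    Rule("allow", "vpn0", "tcp", 3389, VPN_CLIENTS),
]
HARDENED_DEFAULT = "deny"

# Constructed sample traffic (203.0.113.0/24 is a documentation range, i.e. "the Internet").
SAMPLE = {
    "RDP from the Internet":                     Packet("wan", "203.0.113.7", "tcp", 3389),
    "SMB from the Internet":                     Packet("wan", "203.0.113.7", "tcp", 445),
    "VPN handshake from the Internet":           Packet("wan", "203.0.113.7", "udp", 51820),
    "RDP from a VPN client":                     Packet("vpn0", "10.8.0.15", "tcp", 3389),
    "RDP with a spoofed VPN address on the WAN": Packet("wan", "10.8.0.15", "tcp", 3389),
}


def audit(rules, default: str) -> dict:
    """Decision for every sample packet under a given policy."""
    return {label: evaluate(rules, default, pkt) for label, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, rules, default in (("permissive", PERMISSIVE_RULES, PERMISSIVE_DEFAULT),
                                 ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(name)
        for label, decision in audit(rules, default).items():
            print(f"  {decision:5}  {label}")
```

The point for a practice administrator is the one-line difference: with a permissive default, every service the office runs is an Internet-facing service whether anyone intended it or not. Real firewalls add connection tracking, outbound rules and logging on top of this model, but the default-deny and the interface-plus-source match are the two settings to ask your IT staff to confirm.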
9. Ownership of your data.
A common misconception among employers is that they automatically own all intellectual property created by their employees during employment. This is not always true, and some employers pay for the misconception in lawsuits, lost or corrupted data, lost revenue, or fines. An example is employees using their personal email. In some cases, employees conduct administrative tasks or billing through personal email, especially if the staff member is an assistant of some kind. One might assume the company owns the data because it was transmitted on company equipment and concerned company business. Unfortunately, the practice has no control over an employee's personal mailbox.
It is necessary to have a written agreement with the employee that explicitly assigns to the company all intellectual property created during employment. The agreement is typically called an "assignment of inventions" or "ownership of discoveries" agreement. Absent an agreement, the employee may have ownership rights in the intellectual property they created while working for the company, even if they were hired to invent a particular product or process.
To avoid any possible issues, employers should require the employee to sign the contract before starting employment. As different state laws and acts apply, please reach out to your attorney to discuss your rights as an employer. The best practice is to give the employee a company laptop and company email to avoid many of these misconceptions.
10. Perform a HIPAA Security Risk Assessment.
All cybersecurity plans must include performing a HIPAA Security Risk Assessment (HSRA). Completing an HSRA gives a full picture of the vulnerabilities and threats facing the practice. There are many parts to a risk assessment. The Department of Health and Human Services (HHS) does not specify how to perform an HSRA and does not require a third party to handle it, for the sake of flexibility: a one-person practice may not have the resources to hire a third party and may be capable of doing it alone because its network is small, while for a small to midsize hospital an HSRA performed by a third party can act as a check on the internal IT team. To quote HHS, "An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment."
While there is no mandated methodology, HHS guidance states what an HSRA must include:
Identify all PHI, regardless of the source and how it's created, stored, received, maintained, and transmitted. In other words, identify if staff members have stored patient records outside of the EMR, such as downloading labs or using procedure equipment such as X-Ray systems that store data on a separate device. The practice must review the vulnerabilities and threats of all patient records regardless of where they are stored.
Document where PHI is stored, received, maintained, or transferred to another organization.
Identify and document potential threats and vulnerabilities. This step evaluates the dangers in how PHI is handled and stored. For instance, if your practice or hospital is in an area prone to floods or tornadoes, note that threat; it will inform where to store patient records to keep them out of harm's way. The practice should list every relevant threat and vulnerability.
Assess implemented security measures. Look at the existing security policies and procedures, hardware, software, and training performed. Is there something missing that is best practice? Previously we mentioned Firewalls. Is your firewall up-to-date? Please take into account all security activity performed by IT. Are there any gaps? Does the Doctor have a home computer with PHI on it? Does it have anti-virus? Review any and everything as it relates to security.
Determine the likelihood of a threat happening and the potential impact if it happens. What happens if there is a flood at your office? Is there a high likelihood of a flood because you live below sea level? If a flood happens, how much would that affect the practice? Notate low, medium, or high for each threat listed in the previous step. Based on this result, it lets you know what items to prioritize.
Determine the risk associated with the likelihood of a threat or vulnerability happening. If the practice is in a flood zone and the likelihood of flooding is high, the risk is high. This must be documented.
Document all results. HHS does not specify how to document the results, but the format should clearly state the results of the items mentioned previously.
After completing the steps above, the resulting report informs the Security Management Process. Create a plan that states how and when each finding will be addressed; analyzing and remediating are part of that process. HHS does not specify a frequency for the assessment, only that it must be ongoing. HamTECH Solutions recommends yearly, which accounts for changes in the practice such as hiring a new staff member, installing new computers, or other changes.
Whooo! If you have read this entire article, you are amazing! If you read only some and skipped to this part, you are still amazing, but go back and read it. If all of this sounds overwhelming and you need help, schedule a consult today!