
HIPAA Oversights by Practices in IT
By Jane Ehrhardt
“HIPAA is the biggest regulated gray area out there,” says Aaron Woods, manager of security services at Dynamic Quest. “HIPAA states that to protect patient information, you must do what is feasible and what you can afford.” The generality of these guidelines has led healthcare entities to believe, wrongly, that deploying certain IT security controls makes them HIPAA compliant by itself.
“Security is not the same as compliance,” says Ron Shoe, president of Oasis SIP. “If you mandate multifactor authentication (MFA) and everybody uses it to log in, that is still not HIPAA compliant. HIPAA auditors need to see written policies requiring MFA and attestations to using MFA from all employees, along with monitoring reports proving MFA was in place.”
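The “monitoring reports proving MFA was in place” that Shoe describes are the kind of evidence an auditor asks for long after the fact. The script below is an added example, not code from the article or from either company quoted; it turns a batch of identity-provider login events into an MFA coverage report with a content hash that can be checked against a retained copy. The event schema (fields `ts`, `user`, `result`, `mfa`, `ip`) and the log lines are constructed for this example and do not correspond to any vendor’s export format.

```python
"""Added example: build an MFA evidence report from authentication logs.

The JSON-lines schema and the sample events below are assumptions made up
for this example, not any identity provider's real export format.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one JSON object per line. Not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "alice", "result": "success", "mfa": true, "ip": "10.0.0.5"}
{"ts": "2024-03-01T08:05:42Z", "user": "bob", "result": "success", "mfa": false, "ip": "10.0.0.9"}
{"ts": "2024-03-01T08:07:03Z", "user": "alice", "result": "failure", "mfa": false, "ip": "203.0.113.7"}
{"ts": "2024-03-01T09:15:20Z", "user": "carol", "result": "success", "mfa": true, "ip": "10.0.0.12"}
{"ts": "2024-03-02T07:58:00Z", "user": "bob", "result": "success", "mfa": true, "ip": "10.0.0.9"}
"""

REQUIRED_FIELDS = ("ts", "user", "result", "mfa")


def parse_events(text):
    """Parse JSON-lines login events, rejecting malformed or incomplete lines.

    A report built from silently skipped lines would overstate coverage, so
    any bad line is an error rather than a warning.
    """
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: malformed event: {exc}") from None
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            raise ValueError(f"line {n}: missing field(s) {missing}")
        # Assumed timestamp format: ISO 8601 in UTC with a trailing 'Z'.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def mfa_report(events):
    """Summarise successful logins per user and list every login without MFA."""
    per_user = defaultdict(lambda: {"logins": 0, "mfa_logins": 0})
    exceptions = []
    for ev in events:
        if ev["result"] != "success":
            continue  # a failed attempt never produced a session to protect
        stats = per_user[ev["user"]]
        stats["logins"] += 1
        if ev["mfa"]:
            stats["mfa_logins"] += 1
        else:
            exceptions.append(
                {"ts": ev["ts"].isoformat(), "user": ev["user"], "ip": ev.get("ip")}
            )
    total = sum(s["logins"] for s in per_user.values())
    with_mfa = sum(s["mfa_logins"] for s in per_user.values())
    return {
        "period_start": min(ev["ts"] for ev in events).isoformat() if events else None,
        "period_end": max(ev["ts"] for ev in events).isoformat() if events else None,
        "successful_logins": total,
        "mfa_logins": with_mfa,
        "coverage_pct": round(100.0 * with_mfa / total, 1) if total else 0.0,
        "users_without_full_mfa": sorted(
            u for u, s in per_user.items() if s["mfa_logins"] < s["logins"]
        ),
        "exceptions": exceptions,
    }


def report_digest(report):
    """SHA-256 over the canonical JSON form, so a retained copy can be verified later."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def render(report):
    """Human-readable form of the report, with its digest as the last line."""
    lines = [
        f"MFA evidence report {report['period_start']} to {report['period_end']}",
        f"successful logins: {report['successful_logins']}, "
        f"with MFA: {report['mfa_logins']} ({report['coverage_pct']}%)",
        "users with at least one non-MFA login: "
        + (", ".join(report["users_without_full_mfa"]) or "none"),
    ]
    for ex in report["exceptions"]:
        lines.append(f"  EXCEPTION {ex['ts']} user={ex['user']} ip={ex['ip']}")
    lines.append(f"sha256: {report_digest(report)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(mfa_report(parse_events(SAMPLE_LOG))))
```

Failed attempts are excluded from the denominator on purpose: the question an auditor asks is whether every session that actually opened was MFA-protected, and counting failures would either inflate or dilute that figure. The digest line lets a copy pulled from six-year retention be matched against the report that was originally produced.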
Those policies and reports must be retained for six years. “Compliance lives in the past,” Shoe says. “Like with OSHA, HIPAA requires proof that the protections were in place when the problem started, which could have happened years before when a negligent employee clicked on something that allowed spyware in to sit undetected.”
Many healthcare professionals complain that HIPAA is too burdensome, a stick with no carrot. But, in fact, following HIPAA standards can save a provider from big problems. For example, HIPAA practices recently saved a medical lab that faced a lawsuit when a woman working at the lab told her daughter that the daughter’s husband had been tested for STDs. The husband sued the lab. The lab won the case because the documentation required by HIPAA proved the mother-in-law had signed an understanding of non-disclosure, attended a training through their portal, and had attested to completing it, proving the lab wasn’t at fault.
Besides failing to document their IT protocols, practices also make the mistake of assuming anything in the cloud is HIPAA compliant. “The cloud is still vulnerable, just in different ways,” Woods says. “In 2018, two of Allscripts’ data centers fell victim to SamSam ransomware. The attack affected 1,500 of their customers using their cloud-based EHR. So ask your hosting environment for their documents on how they’re protecting your data on their system, including your role if they get breached. Add that to your HIPAA handbook, so when you get audited, you’ve done your due diligence.”

Mobile devices present another HIPAA blind spot for healthcare entities.
“The mandate is for encryption, when it comes to protected health information (PHI) on phones, tablets, and computers used outside the network,” Shoe says. “If the data is accessed using both a secured, compliant portal and app to access it on the device, then it meets HIPAA standards. But the portal also needs to be reporting who is logging in.

“The rule needs to be that if a phone is going to access PHI, in any form, then it is subject to anything a computer is. The ideal is for staff to use devices devoted solely to business purposes, and only those corporate devices can access PHI. That allows IT to remotely shut them down or wipe them clean when lost or if a threat appears.”
Three months ago, someone stole the laptop of a remote worker at a large dermatology group. Not only was the machine neither encrypted nor protected by MFA, but the practice could not say whether PHI had been stored on it. “They had no policy in place about where data could be stored,” Woods says. “So they had to report to HIPAA that data may have been breached.”
Even in the office, PHI moves between devices in ways that expose data without anyone noticing, such as when patient documents are scanned and sent on to a computer.
“If you’re not cleaning that scanner out,
(CONTINUED ON PAGE 20)