Breached vs Uncompromised Data

Eveteg
Chapter8OrganizingInformationTechnologyServices.pdf

Chapter 8 Organizing Information Technology Services

Privacy is an individual's constitutional right to be left alone, to be free from unwarranted publicity, and to conduct his or her life without its being made public. In the health care environment, privacy is an individual's right to limit access to his or her health care information. In spite of this constitutional protection and other legislated protections discussed in this chapter, approximately 112 million Americans (a third of the United States population) were affected by breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large insurance-related corporations accounted for nearly one hundred million records being exposed (Koch, 2016). In one well-publicized security breach at Banner Health, where hackers gained entrance through food and beverage computers, approximately 3.7 million individuals' information was accessed, much of it health information (Goedert, 2016).

Health information privacy and security are key topics for health care administrators. In today's ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every health care organization employee and visitor has a smart mobile device that is connected to at least one network, new and more virulent threats are an everyday concern. In this chapter we will examine and define the concepts of privacy, confidentiality, and security as they apply to health information. Major legislative efforts, historic and current, to protect health care information are outlined, with a focus on the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional and unintentional, to health information will be discussed. Basic requirements for a strong health care organization security program will be outlined, and the chapter will conclude with the cybersecurity challenges in today's environment of mobile and cloud-based devices, wearable fitness trackers, social media, and remote access to health information. Privacy, Confidentiality, and Security Defined As stated, privacy is an individual's right to be left alone and to limit access to his or her health care information. Confidentiality is related to privacy but specifically addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security refers to the systems that are in place to protect health information and the systems within which it resides. Health care organizations must protect their health information and health information systems from a range of potential threats. Certainly, security systems must protect against unauthorized access and disclosure of patient information, but they must also be designed to protect the organization's IT assets—such as the networks,hardware, software, and applications that make up the organization's health care information systems—from harm.

Legal Protection of Health Information There are many sources for the legal and ethical requirements that health care professionals maintain the confidentiality of patient information and protect patient privacy. Ethical and professional standards, such as those published by the American Medical Association and other organizations, address professional conduct and the need to hold patient information in confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and

the government through Centers for Medicare and Medicaid, dictate that health care organizations follow standard practice and state and federal laws to ensure the confidentiality and security of patient information.

Today, legal protection specially addressing the unauthorized disclosure of an individual's health information generally comes from one of three sources (Koch, 2016):

Federal HIPAA Privacy, Security, and Breach Notification rules State privacy laws. These laws typically apply more stringent protections for information related to specific health conditions (HIV/AIDS, mental or reproductive health, for example). Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or deceptive practices. The FTC issued the Health Breach Notification Rule in 2010 to require certain businesses not covered by HIPAA, including PHR vendors, PHR-related entities, or third-party providers for PHR vendors or PHR-related entities to notify individuals of a security breach. However, there are two other major federal laws governing patient privacy that, although they have been essentially superseded by HIPAA, remain important, particularly from a historical perspective.

The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975]) Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd- 2, 42 C.F.R. Part 2) The Privacy Act of 1974 In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the American public with the right to obtain informationfrom federal agencies. The act covers all records created by the federal government, with nine exceptions. The sixth exception is for personnel and medical information, “the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” There was, however, concern that this exception to the FOIA was not strong enough to protect federally created patient records and other health information. Consequently, Congress enacted the Privacy Act of 1974. This act was written specifically to protect patient confidentiality only in federally operated health care facilities, such as Veterans Administration hospitals, Indian Health Service facilities, and military health care organizations. Because the protection was limited to those facilities operated by the federal government, most general hospitals and other nongovernment health care organizations did not have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not only because it addressed the FOIA exception for patient information but also because it explicitly stated that patients had a right to access and amend their medical records. It also required facilities to maintain documentation of all disclosures. Neither of these things was standard practice at the time.

Confidentiality of Substance Abuse Patient Records During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These regulations have been amended twice, with the latest version published in 1999. They offer

specific guidance to federally assisted health care organizations that provide referral, diagnosis, and treatment services to patients with alcohol or drug problems. Not surprisingly, they set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment.

HIPAA HIPAA is the first comprehensive federal regulation to offer specific protection to private health information. Prior to the enactment of HIPAA there was no single federal regulation governing the privacy and security of patient-specific information, only the limited legislative protections previously discussed. These laws were not comprehensive and protected only specific groups of individuals.

The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:

Title I addresses health care access, portability, and renewability, offering protection for individuals who change jobs or health insurance policies. (Although Title I is an important piece of legislation, it does not address health care information specifically and will therefore not be addressed in this chapter.) Title II includes a section titled, “Administrative Simplification.” The requirements establishing privacy and security regulations for protecting individually identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules were subsequently amended and the Breach Notification Rule was added as a part of the HITECH Act in 2009.

The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is information that

Relates to a person's physical or mental health, the provision of health care, or the payment for health care Identifies the person who is the subject of the information Is created or received by a covered entity Is transmitted or maintained in any form (paper, electronic, or oral) Unlike the Privacy Rule, the Security Rule addressed only PHI transmitted or maintained in electronic form. Within the Security Rule this information is identified as ePHI.

The HIPAA rules also define covered entities (CEs), those organizations to which the rules apply:

Health plans, which pay or provide for the cost of medical care Health care clearinghouses, which process health information (for example, billing services) Health care providers who conduct certain financial and administrative transactions electronically (These transactions are defined broadly so that the reality of HIPAA is that it governs nearly all health care providers who receive any type of third-party reimbursement.)

If any CE shares information with others, it must establish contracts to protect the shared information. The HITECH Act amended HIPAA and added “Business Associates” as a category of CE. It further clarified that certain entities, such as health information exchange organizations, regional health information organizations, e-prescribing gateways, or a vendor that contracts with a CE to allow the CE to offer a personal health record as a part of its EHR, are business associates if they require access to PHI on a routine basis (Coppersmith, Gordon, Schermer, & Brokelman, PLC, 2012).

HIPAA Privacy Rule Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the enforcement of existing state laws that are more protective of individual privacy, and states are also free to pass more stringent laws. Therefore, health care organizations must still be familiar with their own state laws and regulations related to privacy and confidentiality.

The major components to the HIPAA Privacy Rule in its original form include the following:

Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions. Security. PHI should not be distributed without patient authorization unless there is a clear basis for doing so, and the individuals who receive the information must safeguard it. Consumer control. Individuals are entitled to access and control their health records and are to be informed of the purposes for which information is being disclosed and used. Accountability. Entities that improperly handle PHI can be charged under criminal law and punished and are subject to civil recourse as well. Public responsibility. Individual interests must not override national priorities in public health, medical research, preventing health care fraud, and law enforcement in general. With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements for HIPAA-covered entities and business associates. In addition, the rights of individuals to request and obtain their PHI are strengthened, as is the right of the individual to prevent a health care organization from disclosing PHI to a health plan, if the individual paid in full out of pocket for the related services. There were also some new provisionsfor accounting of disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al., 2012).

The HIPAA Privacy Rule attempts to sort out the routine and nonroutine use of health information by distinguishing between patient consent to use PHI and patient authorization to release PHI. Health care providers and others must obtain a patient's written consent prior to disclosure of health information for routine uses of treatment, payment, and health care operations. This consent is fairly general in nature and is obtained prior to patient treatment. There are some exceptions to this in emergency situations, and the patient has a right to request restrictions on the disclosure. However, health care providers can deny treatment if they feel that limiting the disclosure would be detrimental. Health care providers and others must obtain the patient's specific written authorization for all nonroutine uses or disclosures of PHI, such as releasing health records to a school or a relative.

Exhibit 9.1 is a sample release of information form used by a hospital, showing the following elements that should be present on a valid release form:

Patient identification (name and date of birth) Name of the person or entity to whom the information is being released Description of the specific health information authorized for disclosure Statement of the reason for or purpose of the disclosure Date, event, or condition on which the authorization will expire, unless it is revoked earlier Statement that the authorization is subject to revocation by the patient or the patient's legal representative Patient's or legal representative's signature Signature date, which must be after the date of the encounter that produced the information to be released Health care organizations need clear policies and procedures for releasing PHI. A central point of control should exist through which all nonroutine requests for information pass, and all disclosures should be well documented.

In some instances, PHI can be released without the patient's authorization. For example, some state laws require disclosing certain health information. It is always good practice to obtain a patient authorization prior to releasing information when feasible, but in state-mandated cases it is not required. Some examples of situations in which information might need to be disclosed to authorized recipients without the patient's consent are the presence of a communicable disease, such as AIDS and sexually transmitted diseases, which must be reported to the state or county department of health; suspected child abuse or adult abuse that must be reported to designated authorities; situations in which there is a legal duty to warn another person of a clear and imminent danger from a patient; bona fide medical emergencies; and the existence of a valid court order.

The HIPAA Security Rule The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule governs only ePHI, which is defined as protected health information maintained or transmitted in electronic form. It is important to note that the Security Rule does not distinguish between electronic forms of information or between transmission mechanisms. ePHI may be stored in any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and personal computers. Transmission may take place over the Internet or on local area networks (LANs), for example.

The standards in the final rule are defined in general terms, focusing on what should be done rather than on how it should be done. According to the Centers for Medicare and Medicaid Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information (ePHI). The standards are delineated into either required or addressable implementation specifications.” A required specification must be implemented by a

CE for that organization to be in compliance. However, the CE is in compliance with an addressable specification if it does any one of the following:

Implements the specification as stated Implements an alternative security measure to accomplish the purposes of the standard or specification Chooses not to implement anything, provided it can demonstrate that the standard or specification is not reasonable and appropriate and that the purpose of the standard can still be met; because the Security Rule is designed to be technology neutral, this flexibility was granted for organizations that employ nonstandard technologies or have legitimate reasons not to need the stated specification (AHIMA, 2003) The standards contained in the HIPAA Security Rule are divided into sections, or categories, the specifics of which we outline here. You will notice overlap among the sections. For example, contingency plans are covered under both administrative and physical safeguards, and access controls are addressed in several standards and specifications.

The HIPAA Security Rule The HIPAA Security Administrative Safeguards section of the Final Rule contains nine standards:

1. Security management functions. This standard requires the CE to implement policies and procedures to prevent, detect, contain, and correct security violations. There are four implementation specifications for this standard: Risk analysis (required). The CE must conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI. Risk management (required). The CE must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. Sanction policy (required). The CE must apply appropriate sanctions against workforce members who fail to comply with the CE's security policies and procedures. Information system activity review (required). The CE must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Assigned security responsibility. This standard does not have any implementation specifications. It requires the CE to identify the individual responsible for overseeing development of the organization's security policies and procedures. Workforce security. This standard requires the CE to implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access. There are three implementation specifications for this standard: Authorization and/or supervision (addressable). The CE must have a process for ensuring that the workforce working with ePHI has adequate authorization and supervision. Workforce clearance procedure (addressable). There must be a process to determine what access is appropriate for each workforce member.

Termination procedures (addressable). There must be a process for terminating access to ePHI when a workforce member is no longer employed or his or her responsibilities change. Information access management. This standard requires the CE to implement policies and procedures for authorizing access to ePHI. There are three implementation specifications within this standard. The first (not shown here) applies to health care clearinghouses, and the other two apply to health care organizations: Access authorization (addressable). The CE must have a process for granting access to ePHI through a workstation, transaction, program, or other process. Access establishment and modification (addressable). The CE must have a process (based on the access authorization) to establish, document, review, and modify a user's right to access a workstation, transaction, program, or process. Security awareness and training. This standard requires the CE to implement awareness and training programs for all members of its workforce. This training should include periodic security reminders and address protection from malicious software, log-in monitoring, and password management. (These items to be addressed in training are all listed as addressable implementation specifications.) Security incident reporting. This standard requires the CE to implement policies and procedures to address security incidents. Contingency plan. This standard has five implementation specifications: Data backup plan (required) Disaster recovery plan (required) Emergency mode operation plan (required) Testing and revision procedures (addressable); the CE should periodically test and modify all contingency plans Applications and data criticality analysis (addressable); the CE should assess the relative criticality of specific applications and data in support of its contingency plan Evaluation. This standard requires the CE to periodically perform technical and nontechnical evaluations in response to changes that may affect the security of ePHI. Business associate contracts and other arrangements. This standard outlines the conditions under which a CE must have a formal agreement with business associates in order to exchange ePHI. The HIPAA Security Physical Safeguards section contains four standards:

Facility access controls. This standard requires the CE to implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they are housed to authorized users. There are four implementation specifications with this standard: Contingency operations (addressable). The CE should have a process for allowing facility access to support the restoration of lost data under the disaster recovery plan and emergency mode operation plan. Facility security plan (addressable). The CE must have a process to safeguard the facility and its equipment from unauthorized access, tampering, and theft. Access control and validation (addressable). The CE should have a process to control and validate access to facilities based on users' roles or functions.

Maintenance records (addressable). The CE should have a process to document repairs and modifications to the physical components of a facility as they relate to security. 2. Workstation use. This standard requires the CE to implement policies and procedures that specify the proper functions to be performed and the manner in which those functions are to be performed on a specific workstation or class of workstation that can be used to access ePHI and that also specify the physical attributes of the surroundings of such workstations. Workstation security. This standard requires the CE to implement physical safeguards for all workstations that are used to access ePHI and to restrict access to authorized users. Device and media controls. This standard requires the CE to implement policies and procedures for the movement of hardware and electronic media that contain ePHI into and out of a facility and within a facility. There are four implementation specifications with this standard: Disposal (required). The CE must have a process for the final disposition of ePHI and of the hardware and electronic media on which it is stored. Media reuse (required). The CE must have a process for removal of ePHI from electronic media before the media can be reused. Accountability (addressable). The CE must maintain a record of movements of hardware and electronic media and any person responsible for these items. Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI, when needed, before movement of equipment. The HIPAA Security Technical Safeguards section has five standards:

Access control. This standard requires the CE to implement technical policies and procedures for electronic information systems that maintain ePHI in order to allow access only to those persons or software programs that have been granted access rights as specified in the administrative safeguards. There are four implementation specifications within this standard: Unique user identification (required). The CE must assign a unique name or number for identifying and tracking each user's identity. Emergency access procedure (required). The CE must establish procedures for obtaining necessary ePHI in an emergency. Automatic log-off (addressable). The CE must implement electronic processes that terminate an electronic session after a predetermined time of inactivity. Encryption and decryption (addressable). The CE should implement a mechanism to encrypt and decrypt ePHI as needed.

Audit controls. This standard requires the CE to implement hardware, software, and procedures that record and examine activity in the information systems that contain ePHI. Integrity. This standard requires the CE to implement policies and procedures to protect ePHI from improper alteration or destruction. Person or entity authentication. This standard requires the CE to implement procedures to verify that a person or entity seeking access to ePHI is in fact the person or entity claimed. Transmission security. This standard requires the CE to implement technical measures to guard against unauthorized access to ePHIbeing transmitted across a network. There are two implementation specifications with this standard:

Integrity controls (addressable). The CE must implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection. Encryption (addressable). The CE should encrypt ePHI whenever it is deemed appropriate. The Policies, Procedures, and Documentation section has two standards:

Policies and procedures. This standard requires the CE to establish and implement policies and procedures to comply with the standards, implementation specifications, and other requirements. Documentation. This standard requires the CE to maintain the policies and procedures implemented to comply with the Security Rule in written form. There are three implementation specifications: Time limit (required). The CE must retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. Availability (required). The CE must make the documentation available to those persons responsible for implementing the policies and procedures. Updates (required). The CE must review the documentation periodically and update it as needed. HIPAA Breach Notification Rule The HIPAA Breach Notification Rule requires CEs and their business associates to provide notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance” (US Department of Health and Human Services, n.d.c). To meet the requirement of “secured” PHI, it must have been encrypted using a valid encryption process, or the media on which the PHI is stored have been destroyed. Paper or other hard copy media, such as film, must be shredded or otherwise destroyed so that it cannot be read or reconstructed. Electronic media must be “sanitized” according to accepted standards so that PHI cannot be retrieved (US Department of Health and Human Services, n.d.c).

The notification requirements include, depending on the circumstances, notification to these sources:

Individuals affected The Health and Human Services Secretary (via the Office for Civil Rights [OCR]) Major media outlets All individuals affected by breaches of unsecured PHI must be notified within a reasonable length of time—less than sixty days—after the breach is discovered. If the CE does not have sufficient information to contact ten or more individuals directly, the notification must be made on the home page of its website for at least ninety days or by a major media outlet. A CE that experiences a breach involving five hundred or more individuals must, in addition to sending individual notices, provide notice to a major media outlet serving the area. This notification must also be made within sixty days. All breaches must also be reported to the secretary of HHS; the breaches involving more than five hundred individuals must be reported within sixty days; all

others may be reported on an annual basis (US Department of Health and Human Services, n.d.b).

HIPAA Enforcement and Violation Penalties The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security rules. In addition, HITECH gave state attorneys general the authority to bring civil actions on behalf of the residents of their states for HIPAA violations. From April 2003 until May 2016, OCR has received over 134,000 HIPAA complaints and has initiated 879 compliance reviews. The resolution of the complaints and reviews is as follows (US Department of Health and Human Services, 2016):

Settled thirty-five cases resulting in $36,639,200 in penalties Resolved 24,241 cases by requiring a change in privacy practices and corrective actions by, or providing technical assistance to, CEs or business associates Identified 11,018 cases as no violation and 79,865 cases as non-eligible HIPAA criminal and civil penalties for noncompliance are applied using a tiered schedule that ranges from $100 for a single violation, when the individual did not know he or she was not in compliance, to $1,500,000 for multiple violations because of willful neglect. It is important to note that civil penalties cannot be levied in situations when the violation is corrected within a specified period of time.

The structure for HIPAA violations reflect four categories of violations and associated penalties. Table 9.1 outlines the categories and penalties.

Table 9.1 HIPAA violation categories

Source: What are the penalties for HIPAA violations? (2015).

Violation Category Category Fine* Category 1: A violation that the CE was unaware of, and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules Minimum fine of $100 per violation up to $50,000 Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules) Minimum fine of $1,000 per violation up to $50,000 Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA rules, in cases in which an attempt has been made to correct the violation Minimum fine of $10,000 per violation up to $50,000 Category 4: A violation of HIPAA rules constituting willful neglect, and no attempt has been made to correct the violation Minimum fine of $50,000 per violation *The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.

In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal penalties are divided into the following three tiers (What are the penalties for HIPAA violations, 2015):

Tier 1: Reasonable cause or no knowledge of violation—Up to one year in jail Tier 2: Obtaining PHI under false pretenses—Up to five years in jail Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to ten years in jail As stated, most HIPAA violations are resolved with corrective action. In 2015 six financial penalties were issued. However, a serious violation can cost a health care organization a significant about of money. One such case resulting in a substantial financial settlement is outlined in the Perspective. The top ten largest fines levied for HIPAA violations as of August 2016 are listed in Table 9.2.

Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016

Source: Bazzoli (2016).

Organization Individuals Affected Fine Awarded ($ million) Data Awarded Advocate Health Care: Lacked appropriate safeguards, including an unencrypted laptop was left in a vehicle overnight 4 million 5.55 August 2016 New York Presbyterian Hospital and Columbia University: PHI accessible on Google and other search engines 6,800 4.8 May 2014 Cignet Health: Did not allow patients access to medical records and refused to cooperate with OCR 41 4.3 February 2011 Feinstein Institute for Medical Research: Lacked appropriate safeguards leading to theft Unknown 3.9 March 2016 Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico): Did not deactivate user IDs and passwords, allowing previous employees to access PHI 398,000 3.5 November 2015 University of Mississippi Medical Center: Did not manage risks appropriately, although aware of risks and vulnerabilities 10,000 2.75 July 2016 Oregon Health & Science University: Lacked safeguards with regards to stolen laptop and used cloud storage without a business associate agreement in place 7,000 2.7 July 2016 CVS Pharmacy: Improperly disposed of PHI such as prescription labels Unknown 2.25 January 2009 New York Presbyterian Hospital: Allowed filming of two patients for a TV series creating the potential for PHI to be compromise. (Note: Hospital continues to maintain it was not a violation.) Unknown 2.2 April 2016 Concentra Health Services: Failed to remediate an identified lack of encryption after an unencrypted laptop was stolen 870 1.73 April 2014

Perspective $750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis

The University of Washington Medicine (UWM) has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. UWM is an affiliated covered entity, which includes designated health care components and other entities under the control of the University of Washington, including University of Washington Medical Center, the primary teaching hospital of the University of Washington School of Medicine. Affiliated covered entities must have in place appropriate policies and processes to assure HIPAA compliance with respect to each of the entities that are part of the affiliated group. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization's compliance efforts.

The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its investigation of the UWM following receipt of a breach report on November 27, 2013, which indicated that the electronic protected health information (e-PHI) of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malicious malware. The malware compromised the organization's IT system, affecting the data of two different groups of patients: (1) approximately 76,000 patients involving a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; and (2) approximately 15,000 patients involving names, medical record numbers, other demographics such as address and phone number, dates of birth, charges or bill balances, Social Security numbers, insurance identification or Medicare numbers.

OCR's investigation indicated UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

Source: HHS.gov (2015). Used with permission. Threats to Health Care Information What are the threats to health care information systems? In general, threats to health care information systems fall into one of these three categories:

Human tampering threats Natural and environmental threats, such as floods and fire Environmental factors and technology malfunctions, such as a drive that fails and has no backup or a power outage Threats to health care information systems from human beings can be intentional or unintentional. They can be internal, caused by employees, or external, caused by individuals outside the organization.

Intentional threats include knowingly disclosing patient information without authorization, theft, intentional alteration of data, and intentional destruction of data. The culprit could be a computer hacker, a disgruntled employee, or a prankster. Cybercrime directed at health information

systems has increased significantly in recent years. In the 2014–2015 two-year period, more than 90 percent of health care organizations reported a health information security breach, and of these reports, nearly half were because of criminal activity (Koch, 2016). Intentional destruction or disruption of health care information is generally caused by some form of malware, a general term for software that is written to “infect” and subsequently harm a host computer system. The best-known form of malware is the computer virus, but there are others, including the particularly virulent ransomware, attacks from which are on the rise in health care.

The following list includes common forms of malware with a brief description of each (Comodo, 2014): Viruses are generally spread when software is shared among computers. It is a “contagious” piece of software code that infects the host system and spreads itself. Trojans (or Trojan Horses) are a type of virus specifically designed to look like a safe program. They can be programmed to steal personal information or to take over the resources of the host computer making it unavailable for its intended use. Spyware tracks Internet activities assisting the hacker in gathering information without consent. Spyware is generally hidden and can be difficult to detect. Worms are software code that replicates itself and destroys files that are on the host computer, including the operating system. Ransomware is an advanced form of malware that hackers use to cripple the organization's computer systems through malicious code, generally launched via an e-mail that is opened unwittingly by an employee, a method known as phishing. The malicious code then encrypts and locks folders and operating systems. The hacker demands money, generally in the form of bitcoins, a type of digital currency, to provide the decryption key to unlock the organization's systems (Conn, 2016). Some of the causes of unintentional health information breaches are lack of training in proper use of the health information system or human error. Users may unintentionally share patient information without proper authorization. Other examples include users sharing passwords or downloading information from nonsecure Internet sites, creating the potential for a breach in security. Some of the more common forms of internal breaches of security across all industries are the installation or use of unauthorized software, use of the organization's computing resources for illegal or illicit communications or activities (porn surfing, e-mail harassment, and so forth), and the use of the organization's computing resources for personal profit. Losing or improperly disposing of electronic devices, including computers and portable electronic devices, also constitute serious forms of unintentional health information exposure. In 2015, the OCR portal, which lists breach incidents potentially affecting five hundred or more individuals, reported more than seventy-five thousand individuals' data were breached either because of loss or improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fire or flood, are less common than human threats, but they must also be addressed in any comprehensive health care information security program. Loss of information because of environmental factors and technical malfunctions must be secured against by using appropriate safeguards. The Health Care Organization's Security Program

The realization of any of the threats discussed in the previous section can cause significant damage to the organization. Resorting to manual operations if the computers are down for days, for example, can lead to organizational chaos. Theft or loss of organizational data can lead to litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware can corrupt databases, corruption from which there may be no recovery. The function of the health care organization's security program is to identify potential threats and implement processes to remove these threats or mitigate their ability to cause damage. The primary challenge of developing an effective security program in a health care organization is balancing the need for security with the cost of security. An organization does not know how to calculate the likelihood that a hacker will cause serious damage or a backhoe will cut through network cables under the street. The organization may not fully understand the consequences of being without its network for four hours or four days. Hence, it may not be sure how much to spend to remove or reduce the risk.

Another challenge is maintaining a satisfactory balance between health care information system security and health care data and information availability. As we saw in Chapter Two, the major purpose of maintaining health information and health records is to facilitate high-quality care for patients. On the one hand, if an organization's security measures are so stringent that they prevent appropriate access to the health information needed to care for patients, this important purpose is undermined. On the other hand, if the organization allows unrestricted access to all patient-identifiable information to all its employees, the patients' rights to privacy and confidentiality would certainly be violated and the organization's IT assets would be at considerable risk.

The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for health care providers includes a chapter describing a seven-step approach for implementing a security management process. The guidance is directed at physician practices or other small health care organizations, and it does not include specific technical solutions. Specific solutions for security protection will be driven by the organization's overall plan and will be managed by the organizations IT team. Larger organizations must also develop comprehensive security programs and will follow the same basic steps, but it will likely have more internal resources for security than smaller practices.

Each step in the ONC security management process for health care providers is listed in the following section.

Step 1: Lead Your Culture, Select Your Team, and Learn This step includes six actions:

Designate a security officer, who will be responsible for developing and implementing the security practices to meet HIPAA requirements and ensure the security of PHI. Discuss HIPAA security requirements with your EHR developer to ensure that your system can be implemented to meet the security requirements of HIPAA and Meaningful Use.

Consider using a qualified professional to assist with your security risk analysis. The security risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to health information within the organization. Use tools to preview your security risk analysis. Examples of available tools are listed within Step 3. Refresh your knowledge base of the HIPAA rules. Promote a culture of protecting patient privacy and securing patient information. Make sure to communicate that all members of the organization are responsible for protecting patient information. Step 2: Document Your Process, Findings, and Actions Documenting the processes for risk analysis and implementation of safeguards is very important, not to mention a requirement of HIPAA. The following are some examples cited by the ONC of records to retain:

Policies and procedures Completed security checklists (ESET, n.d.) Training materials presented to staff members and volunteers and any associated certificates of completion Updated business associate (BA) agreements Security risk analysis report EHR audit logs that show utilization of security features and efforts to monitor users' actions Risk management action plan or other documentation that shows appropriate safeguards are in place throughout your organization, implementation timetables, and implementation notes Security incident and breach information Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis) Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a corresponding web address. Table 9.3 Resources for conducting a comprehensive risk analysis

OCR's Guidance on Risk Analysis Requirements under the HIPAA Rule http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index. html OCR Security Rule Frequently Asked Questions (FAQs) http://www.hhs.gov/hipaa/for-professionals/faq ONC SRA (Security Risk Assessment) Tool for small practices https://www.healthit.gov/providers-professionals/security-risk-assessment National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit https://scap.nist.gov/hipaa/ The three basic actions recommended for the organization's first comprehensive security risk analysis are as follows:

Identify where ePHI exists.

Identify potential threats and vulnerabilities to ePHI. Identify risks and their associated levels. Step 4: Develop an Action Plan As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which allows an organization to take into account its specific needs. The action plan should include five components. Once in place, the plan should be reviewed regularly by the security team, led by the security officer.

Administrative safeguards Physical safeguards Technical safeguards Organizational standards Policies and procedures Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be employed.

Table 7.4 Common examples of vulnerabilities and mitigation strategies

Security Component Examples of Vulnerabilities Examples of Security Mitigation Strategies Administrative safeguards No security officer is designated. Workforce is not trained or is unaware of privacy and security issues. Security officer is designated and publicized. Workforce training begins at hire and is conducted on a regular and frequent basis. Security risk analysis is performed periodically and when a change occurs in the practice or the technology. Physical safeguards Facility has insufficient locks and other barriers to patient data access. Computer equipment is easily accessible by the public. Portable devices are not tracked or not locked up when not in use. Building alarm systems are installed. Offices are locked. Screens are shielded from secondary viewers. Technical safeguards Poor controls enable inappropriate access to EHR. Audit logs are not used enough to monitor users and other HER activities. No measures are in place to keep electronic patient data from improper changes. No contingency plan exists. Electronic exchanges of patient information are not encrypted or otherwise secured. Secure user IDs, passwords, and appropriate role-based access are used. Routine audits of access and changes to EHR are conducted. Anti-hacking and anti-malware software is installed. Contingency plans and data backup plans are in place. Data are encrypted. Organizational standards No breach notification and associated policies exist. BA agreements have not been updated in several years. Regular reviews of agreements are conducted and updates made accordingly.

Policies and procedures Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed. The manager performs ad hoc security measures. Written policies and procedures are implemented and staff members are trained. Security team conducts monthly review of user activities. Routine updates are made to document security measures. Step 5: Manage and Mitigate Risks The security plan will reduce risk only if it is followed by all employees in the organization. This step has four actions associated with it.

Implement your plan. Prevent breaches by educating and training your workforce. Communicate with patients. Update your BA contracts. Step 6: Attest for Meaningful Use Security Related Objective Organizations can attest to the EHR Incentive Program security-related objective after the security risk analysis and correction of any identified deficiencies.

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis The security officer, IT administrator, and EHR developer should work together to ensure that the organization's monitoring and auditing functions are active and configured appropriately. Auditing and monitoring are necessary to determine the adequacy and effectiveness of the security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015, p. 54) patients' ePHI is accessed.

Beyond HIPAA: Cybersecurity for Today's Wired Environment Clearly, HIPAA is an important legislative act aimed at protecting health data and information. However, in today's increasingly wired environment, health care organizations face threats that were not present when HIPAA was enacted. In June 2016, 41 percent of all data breaches were because of cybercrime—hacking. In July of the same year a single hacker was responsible for 30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care organizations are easy targets for cybercriminals because they are inadequately prepared. The average health care provider spends less than 6 percent of its total IT budget on security, compared to the government, which spends 16 percent, and the banking industry, which spends between 12 and 15 percent. By one estimate the increase in cybercrime against health care organizations is because of, at least in part, PHI's value on the black market, estimating that PHI is fifty times more valuable than financial information (Koch, 2016; Siwicki, 2016).

The reality of today's environment is that there are more entry points into health care information networks and computers than ever before. Mobile devices, cloud use, the use of smart consumer products, health care devices with Internet connectivity, along with more employees connecting to health care networks from remote locations create an increased need for cybersecurity in health care organizations. One recent survey found that among medical students and physicians 93.7 percent owned smartphones and 82.9 percent had used them in a

clinical setting. Perhaps the most surprising aspect of the survey was that none of respondents believed using the devices increased risk of breaching patient information (Buchholz, Perry, Weiss, & Cooley, 2016).

So-called mHealth technologies, which include entities that support personal health records and cloud-based or mobile applications that collect patient information directly from patients or allow uploading of health-related data from wearable devices, are also on the rise, as is the use of health-related social media sites. These technologies were not addressed in HIPAA and, therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).

To provide assistance to health care organizations to combat cyber attacks and improve cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The first tip reminds health care organizations to establish a security culture, the same initial tip in their guidance for developing a security plan, clearly emphasizing the importance of this aspect of any security program. The other tips in the publication contain some more specific ways to mitigate the threat from cyber attacks. These tips are listedwith specific checkpoints to ensure security (ONC, n.d.). The full version of the top-ten document is available at HealthIT.gov.

Protect Mobile Devices Ensure your mobile devices are equipped with strong authentication and access controls. Ensure laptops have password protection. Enable password protection on handheld devices (if available). Take extra physical control precautions over the device if password protection is not provided. Protect wireless transmissions from intrusion. Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi). When it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data. Do not use mobile devices that cannot support encryption. Develop and enforce policies specifying the circumstances under which devices may be removed from the facility. Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device. Maintain Good Computer Habits Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools). Do not simply accept defaults or “standard” configurations when installing software. Find out whether the EHR developer maintains an open connection to the installed software (a “back door”) in order to provide updates and support. Disable remote file sharing and remote printing within the operating system (e.g., Windows Operating System). Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update). Monitor for critical and urgent patches and updates that require immediate attention and act on them as soon as possible. Disable user accounts for former employees quickly and appropriately.

If an employee is to be involuntarily terminated, close access to the account before the notice of termination is served. Prior to disposal, sanitize computers and any other devices that have had data stored on them. Archive old data files for storage if needed or clean them off the system if not needed, subject to applicable data retention requirements. Fully uninstall software that is no longer needed (including trial software and old versions of current software). Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis. Use a Firewall Unless your electronic health record (EHR) and other systems are totally disconnected from the Internet, you must install a firewall to protect against intrusions and threats from outside sources. Larger health care organizations that use a local area network (LAN) should consider a hardware firewall. Install and Maintain Antivirus Software Use an antivirus product that provides continuously updated protection against viruses, malware, and other code that can attack your computers through web downloads, CDs, e-mail, and flash drives. Keep antivirus software up-to-date. Most antivirus software automatically generates reminders about these updates, and many are configurable to allow for automated updating. Plan for the Unexpected Create data backups regularly and reliably. Begin backing up data from day one of a new system. Ensure the data are being captured correctly. Ensure the data can be quickly and accurately restored. Use an automated backup system, if possible. Consider storing the backup far away from the main system. Protect backup media with the same type of access controls described in the next section. Test backup media regularly for their ability to restore data properly, especially as the backups age. Have a sound recovery plan. Know the following: What data was backed up (e.g., databases, pdfs, tiffs, docs) When the backups were done (time frame and frequency) Where the backups are stored What types of equipment are needed to restore them Keep the recovery plan securely at a remote location where someone has responsibility for producing it in the event of an emergency. Control Access to PHI Configure your EHR system to grant PHI access only to people with a “need to know.” This access control system might be part of an operating system (e.g., Windows), built into a particular application (e.g., an e-prescribing module), or both. Manually set file access permissions using an access control list.

This can only be done by someone with authorized rights to the system. Prior to setting these permissions, identify which files should be accessible to which staff members. Configure role-based access control as needed. In role-based access, a staff member's role within the organization (e.g., physician, nurse, billing specialist, etc.) determines what information may be accessed. Assign staff members to the correct roles and then set the access permissions for each role correctly on a need-to-know basis. The following case on access control provides additional examples of access control. Case Study Access Control Mary Smith is the director of the health information management department in a hospital. Under a user-based access control scheme, Mary would be allowed read-only access to the hospital's laboratory information system because of her personal identity—that is, because she is Mary Smith and uses the proper log-in and password(s) to get into the system. Under a role-based control scheme, Mary would be allowed read-only access to the hospital's lab system because she is part of the health information management department and all department employees have been granted read-only privileges for this system. If the hospital were to adopt a context-based control scheme, Mary might be allowed access to the lab system only from her own workstation or another workstation in the health information services department, provided she used her proper log-in and password. If she attempted to log in from the emergency department or another administrative office, she might be denied access. The context control could also involve time of day. Because Mary is a daytime employee, she might be denied access if she attempted to log in at night. Use Strong Passwords Choose a password that is not easily guessed. Following are some examples of strong password characteristics: At least eight characters in length (the longer the better) A combination of uppercase and lowercase letters, one number, and at least one special character, such as a punctuation mark Strong passwords should not include personal information: Birth date Names of self, family members, or pets Social Security number Anything that is on your social networking sites or could otherwise be discovered easily by others Use multifactor authentication for more security. Multifactor authentication combines multiple authentication methods, such as a password plus a fingerprint scan; this results in stronger security protections. If you e-prescribe controlled substances, you must use multifactor authentication for your accounts. Configure your systems so that passwords must be changed on a regular basis. To discourage staff members from writing down their passwords, develop a password reset process to provide quick assistance in case of forgotten passwords. Limit Network Access

Prohibit staff members from installing software without prior approval. When a wireless router is used, set it up to operate only in encrypted mode. Prohibit casual network access by visitors. Check to make sure file sharing, instant messaging, and other peer-to-peer applications have not been installed without explicit review and approval. Control Physical Access Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs, backup tapes) may be tampered with, lost, or stolen. Document and enforce policies limiting physical access to devices and information: Keep machines in locked rooms. Manage keys to facilities. Restrict removal of devices from a secure area.

National Institute of Standards and Technology (NIST) Cybersecurity Framework Recognizing the severity of the rise in cybercrime, President Obama issued an executive order in February 2013 to “enhance the security and resilience of the Nation's critical infrastructure” (Executive Order 13636). As a result the National Institute of Standards and Technology (NIST) was directed to develop, with help of stakeholder organizations, a voluntary cybersecurity framework to reduce cyber-attack risks. The resulting NIST cybersecurity framework consists of three components (NIST, n.d.):

The Framework Core consists of “five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.” The functions provide “the highest level, strategic view of an organization's management of cybersecurity risk” (NIST, n.d., p. 4). The functions are divided into categories and subcategories as shown in Exhibit 9.2. The Framework Implementation Tiers characterize an organization's actual cybersecurity practices compared to the framework, using a range of tiers from partial (Tier 1) to adaptive (Tier 4). The Framework Profile documents outcomes obtained by reviewing all of the categories and subcategories and comparing them to the organization's business needs. Profiles can be identified as “current,” documenting where the organization is now, or as “target,” where the organization would like to be in the future. Since its initial publication in 2014, the HHS, OCR, and the ONC have cited the framework as an important tool for health care organizations to consider when developing a comprehensive security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to the NIST framework, which can be found at HHS.gov/hipaa (US Department of Health and Human Services, n.d.a).

Summary In this chapter we gained insight into why health information privacy and security are key topics for health care administrators. In today's ever-increasing electronic world with new and more virulent threats, the security of health information is an ongoing concern. In this chapter we examined and defined the concepts of privacy, confidentiality, and security and explored major legislative efforts, historical and current, to protect health care information, with a focus on the

HIPAA Privacy, Security, and Breach Notification rules. Different types of threats, human, natural and environmental, intentional and unintentional, were identified, with a focus on the increase in cybercrime. Basic requirements for a strong health care organization security program were outlined and the chapter ended with a discussion of the cybersecurity challenges within the current health care environment.