Out of Sight Shouldn’t Mean Out of Mind – Expanded HIPAA Compliance Officer Duties
With COVID-19, data breaches and ransomware attacks have skyrocketed. The FBI reported more cyber incidents in the first half of 2020 than in all of 2019.
Even before COVID, the risks associated with a remote workforce increased the potential for breaches. It wasn’t as big a problem in the past because relatively few people worked from home, and many of those only occasionally. But with COVID-19, Health Insurance Portability and Accountability Act (HIPAA) Covered Entities and Business Associates are now reporting that many more staff members are working remotely, and there is no end in sight. Even after the pandemic is contained, many businesses plan to continue with a work-from-home model. If you are a Covered Entity, your increased risks may also come from the Business Associates that provide you with services.
Here is a dire warning. The National Institute of Standards and Technology (NIST) warns that you should “assume that malicious parties WILL gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”
You shouldn’t assume there isn’t any Protected Health Information (PHI) or Personally Identifiable Information (PII) on local computers just because everyone is supposed to store data on a server. No matter what your policies say, users often leave protected data in their Downloads folder, on their computer desktop, and in their Recycle Bin. Your IT department may have set up email to store a cached copy on your local devices.
Data gets missed in your Security Risk Analysis when you assume users are following your rules. That assumption cost a non-profit organization a million-dollar HIPAA penalty in July 2020 after it lost an unencrypted laptop that contained a cached email file with protected information for 20,000 patients.
HIPAA requires that every Covered Entity (CE) and Business Associate (BA) site assign a trained and qualified HIPAA Compliance Officer to develop, oversee and manage privacy and security policies and procedures.
Your out-of-sight workers may be using systems that lack the security they enjoy while at the office. Home networks aren’t protected by business-class firewalls. The physical workspace may not be secure from family members and visitors with prying eyes. What if their kids use their business computer to surf unsafe websites? What if they wrote their login and password on a Post-it Note and stuck it on their monitor? That’s a bigger deal at home, with family and friends coming and going.
Home workers have more distractions and are more easily subject to email scams. At home, you can’t just go down the hall or pop into someone’s office to validate that a request for a financial transaction or transfer of sensitive data really did come from a senior executive.
Everyone knows that HIPAA requires a Security Risk Analysis. But the requirement is for an accurate and thorough security risk analysis, and of the 180 HIPAA requirements, that is the failure cited in more than 50% of HIPAA financial penalties. Organizations think that HIPAA only requires the risk analysis to be updated annually. Actually, HIPAA also says that the risk analysis must be updated whenever there are significant changes to the computing environment. No one was thinking of that when we evacuated our offices to work from home, but whatever leeway the urgent emergency relocation may have earned has gone away. Does your risk analysis reflect your current working environment?
It is important to remember that most data breaches are caused by human error. Those working from home may find added security cumbersome and be more likely to bypass security measures to save time and to mitigate technical frustration.
Support needs to come from the top. The compliance officer will be tasked with explaining in detail how and why the added security is important, but the executive team needs to provide backing. Their jobs may be on the line, as a breach could have a devastating effect on the practice or business. Explaining how workers and patients could be personally affected may help with overall compliance.
Hackers have recognized that security gaps exist with a remote workforce and are expanding their targets as this high-speed shift to virtual work becomes the norm. Healthcare data is a prime target and many CE and BA sites have reported an increase in cybersecurity scares since shifting to remote work.
COVID-19 and the recent civil unrest have brought about breaches of HIPAA’s Minimum Necessary Access requirement that says workers may only access medical records for a legitimate business reason. Nurses have been fired for improperly accessing patient records when trying to build a case that their employers are providing effective protection against COVID.
For these reasons, the compliance officer has become an even more important role to protect the security of sensitive data. Following the recommended steps in this article and staying abreast of industry regulations and requirements will be critical in providing a safe technical infrastructure to support the remote healthcare workforce.
The compliance officer should add measures to ensure the protection of patient information and health data because remote-access technologies are exposed to more external threats. With that important assumption in mind, these are 8 important areas your organization should focus on to establish and confirm remote-work security policies and procedures:
- Use a virtual private network (VPN) secure connection to your office firewall for remote workers’ access to sensitive files and shared applications.
- Prohibit the use of personally owned computers for work-related tasks. If your workers must use them, have each one checked to ensure that security is properly implemented.
- Encrypt all remote work devices.
- Refresh employee training around HIPAA and Cybersecurity best practices. Make sure your workforce members are trained and tested to avoid phishing email scams.
- Make it easy for users to access tech support and make sure your support techs understand and enforce your established policies and procedures.
- HIPAA requires Information System Activity Reviews. This means that you should review the logs of your communication and collaboration platforms to ensure that only authorized users have access.
- Implement multifactor authentication. The extra moment of inconvenience required to enter a code is nothing compared to the grief you will suffer if hackers get into your system.
- Create a simple process to quickly report any remote staff concerns regarding data security issues.
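One way to carry out the Information System Activity Review and multifactor-authentication checks from the list above, as an added example that is not from the article or from 4MedPlus: a Python script that parses constructed remote-access log lines (the log format, usernames, addresses and business-hours window are all assumptions) and flags logins by users who are not on the authorized roster, VPN logins without MFA, and logins outside business hours.

```python
import re

# Constructed sample log lines (assumed "timestamp key=value ..." format).
SAMPLE_LOG = """\
2020-09-01T08:02:11Z user=jsmith src=203.0.113.10 event=vpn_login mfa=yes
2020-09-01T08:05:43Z user=mlee src=198.51.100.7 event=vpn_login mfa=yes
2020-09-01T08:07:02Z user=contractor99 src=192.0.2.55 event=vpn_login mfa=no
2020-09-01T09:15:30Z user=jsmith src=203.0.113.10 event=file_access path=/phi/records.csv
2020-09-01T09:16:01Z user=tmp_admin src=192.0.2.9 event=vpn_login mfa=no
2020-09-01T23:48:12Z user=mlee src=198.51.100.7 event=vpn_login mfa=yes
"""

# Constructed roster of accounts approved for remote access.
AUTHORIZED_USERS = {"jsmith", "mlee"}
BUSINESS_HOURS = range(6, 22)  # assumed 06:00-21:59 UTC window

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp k=v k=v' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review_activity(log_text, authorized=AUTHORIZED_USERS):
    """Return (timestamp, user, reason) findings for the reviewer to follow up."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "user" not in rec:
            continue
        user, event = rec["user"], rec.get("event")
        if user not in authorized:
            findings.append((rec["ts"], user, "user not on authorized roster"))
        if event == "vpn_login" and rec.get("mfa") != "yes":
            findings.append((rec["ts"], user, "VPN login without MFA"))
        if event == "vpn_login" and int(rec["ts"][11:13]) not in BUSINESS_HOURS:
            findings.append((rec["ts"], user, "login outside business hours"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_activity(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Swap in an export from your VPN or collaboration platform and the real roster from your access-control list; each finding is a record the compliance officer can keep as evidence that the review was performed.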
4MedPlus offers a comprehensive online self-paced training program for HIPAA compliance officers and bundles designed to address ongoing staff training needs around the subjects of HIPAA, Cybersecurity, Ransomware Prevention and more.