HIPAA Challenges: Lessons Learned From a Recent Data Breach
By Lesley Berkeyheiser
For The Record
Vol. 35 No. 1 P. 26
How to Leverage These Lessons to Avoid or Minimize Insider Threats
It seems today’s news is filled with stories about cybersecurity attacks. Our collective focus is on the use of technology to harden systems and be ready to respond when it happens to us. Luckily, our authorities provide current and practical information to aid the health care industry first to prevent, but also to manage, such negative events. Two sites with great information are the Office for Civil Rights (OCR) and the Health and Human Services (HHS) 405(d) initiative. A quick search on the OCR website shows the ongoing breach reports—many of them in the provider-specific realm.1 Both OCR and HHS provide practical newsletters and materials worth reviewing to ensure your organization pays attention to current methods to prepare for a negative event.2,3
Even though cybersecurity attacks get frequent media attention these days, we continue to see that the workforce member “insider threat” persists as a probable issue plaguing the health care industry. The provider realm remains especially touched. A recent example of this is a case that will be referenced throughout this article—that of a medical assistant working in a provider’s office who stole data via her cell phone while at work and used it to open credit cards she then used to purchase goods costing more than $30,000.4
While it’s true that organizations acting as employers must set policies and teach, train, and monitor workers, they can never be fully responsible for the individual actions of an employee. However, there are key steps aligned with the original HIPAA Security Rule’s administrative, physical, and technical safeguards that can be followed and continue to apply to the health care industry today. The initial one-page chart provided in the 2003 HIPAA Security Rule Federal Register document (www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf) provides a basic and practical reference even today.
To identify the most current compliance practices, start with the implementation specifications as contained in the original Security Rule as a base and augment them with current “industry best practices.” This will significantly lessen or avoid an insider threat such as the one described previously. One way to identify the current “best practice” is to also follow the National Institute of Standards and Technology (NIST) 800-66 Special Publication document.5 Another option for gaining the most current health care–data exchange industry best practices is pursuing accreditation with organizations such as the Electronic Healthcare Network Accreditation Commission or securing HITRUST certification. These independent third-party accreditation/certification programs allow for an organization to “prove” to its trading partners and stakeholders alike that it meets a certain level of privacy and security standards measurement. During the accreditation/certification process, best practices are uncovered that serve to raise the bar of compliance. Programs like these are dynamic, so once certificate/approval status is obtained, an organization can rely on the certifying body to update requirements in accordance with changing regulations and best practices.
How to Discern Best Practices
The original HIPAA Security Rule and current NIST publications can be used together to identify current practices.
The following section offers a closer look at some of the categories listed within the HIPAA Security Rule that apply to the insider threat scenario noted previously. Three important areas are set forth below: conducting background checks, training and reporting, and device monitoring and management.
Conduct Background Checks
Common industry practice is to conduct screening (personnel reference and background checks) prior to engaging workforce members (especially those with access to sensitive information such as protected health information (PHI) defined by HIPAA and personally identifiable information as defined by other federal and state laws). Based on the level of data handled by the organization and the specific job role for which a worker is being considered, further investigation, including criminal and even credit checking, should occur.
For best practices, see the HIPAA Security Rule CFR 164.308 Workforce Security — Workforce Clearance Procedures.
Assuming the health care provider employer in the case noted at the beginning of this article had documented policies and procedures to conduct appropriate background screenings on all workforce members prior to hiring (and providing access to sensitive information), an additional improvement might be to increase the level of background checks to include criminal and possibly credit checks—appropriate when filling a job-based role that handles PHI. An article written about the case in question stated that this specific worker had a criminal history, including previous guilty pleas for theft by deception and simple assault. Including a criminal background check for all workers handling PHI as a policy may have prevented this situation.
Training and Reporting
Initial and ongoing training of all workforce members on the organization’s written policies and procedures and expectations of technology usage not only is required but also facilitates ongoing compliance with privacy, security, and cybersecurity requirements. People and their behavior are the most valuable assets an organization possesses, and yet workforce members can also be among the most serious threats to an organization’s compliance. Setting and gaining ongoing conformance with expected policies, procedures, systems, and data handling is absolutely core to an organization’s ability to safeguard sensitive information. Excellent suggestions for best practices and sample questions are found in the HIPAA Security Rule CFR 164.308 Security Awareness & Training and in NIST 800-66 Special Publication “Develop and Approve a Training Strategy and a Plan.”
Current practices call for health care organizations to train upon hire at least annually in a formal mode on all privacy, security, and cybersecurity/breach policies and procedures. Having workers provide acknowledgment of this training along with an acceptable use agreement (list of key points as a reminder of the detailed training curriculum) is a method to ensure all workers are aware of their responsibilities.
Ongoing training, required acknowledgments of expected rules and behaviors, and awareness that closed-circuit TV and/or other workers might observe such activity may have deterred this worker from committing the crime; it also might have increased workforce members’ awareness so they could catch and report on the action sooner. Again, an organization’s workforce members are its most valuable asset. If policies are clearly documented and all workers are trained to report any suspected issue, the workforce report of a potential incident can be the most expeditious method to uncover an issue gone wrong. Perhaps someone in the office in the case discussed previously suspected the foul play and reported the issue.
Device Monitoring and Management
HIPAA security compliance is dependent upon both the workforce members’ behavior (their ability to follow the policies set by the organization) and the way that technology is configured and monitored to enforce those behaviors set by policy. In the case discussed, it’s unclear whether or not the organization allowed workers to handle business/data using their personal devices/phones/tablets—otherwise known as “bring your own device” (BYOD). Regardless of whether the organization allows BYOD use, clear policies and procedures should be in place to define worker expectations, and technical controls should enforce the desired behaviors. Numerous technical options are available to promote centralized technical management of BYOD usage. It’s most likely, though, that the worker in question was not supposed to use her personal device at work. If so, her behavior could have been monitored using a workstation and other physical safeguards (such as closed-circuit TV and or mobile device monitoring). Other workforce members should have been trained on the appropriate and inappropriate use of cell phones and should have identified and reported the ssue as well.
Best practices are found in the HIPAA Security Rule CFR 164.310 Physical Safeguards — Facility Access Controls — Facility Security Plan and Workstation Use; HIPAA Security Rule — Implementation Specification Title: Audit Controls CFR 164.312 Technical Safeguards; and NIST 800-66 Special Publication: Conduct an Analysis of Existing Physical Security Vulnerabilities.
Technology can be used to enforce and support the monitoring of policy. If BYOD had been allowed, there could have been monitoring or controls placed on the issued cell phone/mobile device. If BYOD was not allowed, a strong policy and procedure and reminders of the sanctions of consequences for misuse to all workers may have decreased or avoided this scenario. If closed-circuit TV had been implemented throughout the physical environment where work is conducted, perhaps the inappropriate use of the cell phone to take pictures could have been caught earlier. Perhaps it was in place and was used as evidence to support enforcement.
Decades later, the basics of the HIPAA security rule contain valuable information. Current industry best practices provide specific information on how the security rule’s implementation specifications can be actionized. The above information shows how one can leverage public materials to identify compliance requirements and best practices. Put the lessons you’ve learned from others’ mistakes and others’ implementation of best practices in place in your organization today.
— Lesley Berkeyheiser is an Electronic Healthcare Network Accreditation Commission senior reviewer and HITRUST practitioner with decades of experience implementing privacy and security regulations and other related health IT requirements across the health care industry.
1. Breach reporting portal. Office for Civil Rights website. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. October 2022 OCR cybersecurity newsletter. Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2022/index.html. Updated October 25, 2022.
3. Why care about cybersecurity. Health and Human Services website. https://405d.hhs.gov/whycare
4. AG Shapiro files charges against medical assistant for stealing patient information for financial gain. Pennsylvania Office of Attorney General website. https://www.attorneygeneral.gov/taking-action/ag-shapiro-files-charges-against-medical-assistant-for-stealing-patient-information-for-financial-gain/. Published November 10, 2022.
5. Marron JA. Implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.ipd.pdf. Published July 2022.