The Centers for MEDICARE and MEDICAID Services (CMS) released a report this week that documented findings from reviews it conducted last year of ten poorly-performing health care organizations’ HIPAA security compliance. The report documented the bad and ugly of health care security failings, with a number of recommendations springing forth from CMS review of organizational security practices (or lack thereof).
Channel Insider examined the report and gleaned four major recommendations from CMS that easily translate into opportunities for channel partners to add value to the security services and products they offer their health care clients.
Risk Assessment
During its review of health care organizations last year, CMS found many of them fell down in the very foundational security practice of risk assessments. Even though HIPAA’s security rules are pretty vague and forgiving, most organizations failed to either have any kind of risk assessment process at all, to document the risk assessment practices to update their risk assessment practices to new threats or to cover all risk factors in their assessments.
“(Health care organizations) should develop and formally document a policy requiring the completion of a periodic risk assessment covering all systems and applications which store, process, or transmit ePHI,” CMS reccomends in the report, stating that at a minimum organizations covered by HIPAA should be conducting risk assessments every three years.
Solution providers can really help add value to their customer’s security and compliance process by layering in risk assessment services on top of the standard security products they offer to the health care vertical.
Currency of Policies and Procedures
CMS is a big believer that HIPAA’s security guiding light is that security practices need to be driven by documented policies and procedures. The big weaknesses that it found in many organizations was that they lacked any kind of framework to regularly review and update policies and procedures based on risk. Obviously, this flaw was likely tied to weaknesses in the risk assessment stage previously mentioned.
CMS recommends that organizations not only document their policies and procedures, but that they standardize them across departments and that they build in a way to manage and track changes within policies. CMS also notes that organizations need to develop an efficient means of disseminating updates and informing employees of the changes that affect them. Finally, it suggests employing periodic external or internal evaluations of the efficacy of the policies and procedures and their compliance with the HIPAA security rule.
While the final recommendation is one of the most obvious stages a channel partner can inject itself into a health care security improvement initiative–by offering objective analysis of current policies and practices—the entire practice of policy development and evolution is a prime opportunity for the channel. Policies and procedures should be highly tailored to an organization’s individual business practices and risks. Experts in the channel often have far more experience crafting the right set of policies for customers of all types and sizes than an individual IT jack-of-all-trades employed at the typical health care business.
Security Training
One of the key requirements HIPAA makes of organizations is that they train users with access to sensitive patient information about the right way to securely handle this information. Unfortunately, CMS found that most organizations under review did not document training policies and did not track or retain evidence of employee security training. Most organizations did not conduct security awareness training before granting employee access to sensitive information and did not offer any kind of refresher courses to remind employees how to deal with patient information.
CMS suggests that health care organizations require employees to undergo security training and develop some sort of system—preferably automated—to track participation within training. It recommends employees should be subject to training during the hiring process and on an annual basis after that, with training materials updated regularly based on threats identified within regular risk assessments and on changes made to the ever-evolving policies and procedures.
The channel can play a part in two key aspects of this security awareness training improvement. The first is by helping along the development of a meaningful training program based on the organization’s policies and procedures. And the second is through the integration of automated audit compliance technology that ties into access control technology.
Encryption
HIPAA’s security rules require that organizations utilize encryption technology to protect electronic protected health information, but CMS found in its reviews that organizations are still far behind in their encryption implementations.
According to the report, CMS found that encryption was not implemented on all workstations and laptops with sensitive information, it wasn’t implemented to protect the transmission of data that contained sensitive information and that strong encryption wasn’t consistently implemented.
According to the report’s authors, “guidance, the increasing number of incidents involving lost portable devices, and the decreasing cost of encryption solutions has resulted in an environment where encryption may not be optional under the mantra of reasonable and appropriate.”
That’s a clear warning shot to health care organizations to get their encryption practices in order, and fast. Solution providers can offer advice and strategy to bring about meaningful change in this arena by helping health care clients develop a road map that lays out a sane timeline for implementation. This can be bundled into risk assessment and mitigation planning. Once that advanced work is done, it should be apparent which encryption technologies need to be implemented first, based on organizational risk.