When the first COVID-19 case was recorded, it was difficult to appreciate the extent to which cybersecurity concerns, particularly in connection with the protection of patient healthcare data, would enter into mainstream consciousness. Although many practices and healthcare organizations have recently adopted additional measures to safeguard patients’ protected health information (PHI) through expanded cybersecurity monitoring, remote working conditions and the use of electronic communications pose a security risk and can create access points for cyber criminals that could result in a breach.
Further, with more employees than ever working remotely, it’s critical to ensure that physical spaces like offices, warehouses, and other sites and facilities are properly secured to prevent unauthorized access, use, or disclosure of PHI or other sensitive information.
To protect against these heightened risks, implementing the Health Insurance Portability and Accountability Act (HIPAA) and PHI cybersecurity best practices related to technical and physical security is critical.
Infrastructure and Corporate Policies/Procedures
Federal law provides a technical safeguard framework for covered entities and business associates to implement in connection with access to PHI. Relevant guidance includes the following key elements of significant importance in the COVID-19 era.
- Access control. Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) of HIPAA.
- Unique user identification (required). Assign a unique name and/or number for identifying and tracking user identity.
- Emergency access procedure (required). Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency.
- Automatic logoff (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt electronic PHI.
Organizations have flexibility, particularly with the addressable requirements, in how they implement these security protocols. These addressable concerns are particularly important in the COVID-19 era given the rise in the use of telehealth.
With patient screenings being conducted through the use of online portals and virtual meeting rooms, patient data are being both stored and disseminated through online network channels, email, and other telecommunications modes. As a result, access control, encryption, and automatic logoff are particularly important.
Although these considerations have always been significant, these safeguard elements are connected to scenarios that were less frequently contemplated prior to the rise of telehealth. Consider the following:
- What if a healthcare professional providing telehealth services has their device stolen or compromised?
- How will a healthcare organization respond to a data breach when its cybersecurity employees are working remotely?
- Is there an emergency plan in place that contemplated both a remote and in-person workforce, and has a functional security incident response team and security incident response plan been implemented?
- If a healthcare professional is providing telehealth services from a location outside the office, is the wireless internet connection that’s being used secure, and is the healthcare professional in a non-public location?
- If a healthcare professional needs to step away from their device during a telehealth visit or while working remotely, will the device log off automatically within a reasonable period of time?
- Are healthcare professionals and support staff properly trained to identify correspondence threats, such as email phishing and ransomware?
These scenarios are meant to identify potential breach vulnerabilities, but they shouldn’t necessarily be cause for concern. In the COVID-19 era, healthcare providers should take time to reevaluate their policies, protocols, and procedures to ensure they address the types of scenarios described above.
It stands to reason that cybersecurity risks are here to stay, but organizations that have contemplated and formally established policies related to threat management will be best prepared to address and resolve breaches. The best practice is to make sure the scenarios above, as well as other scenarios that an organization’s executive team can reasonably expect to face, are addressed prior to their occurrence.
Healthcare organizations may also choose to reevaluate their third-party vendors and internally audit their cybersecurity capabilities. In the COVID-19 era, the following outside vendors should be scrutinized for effectiveness:
- Internet, data, and cellular services;
- Firewall and malware protection;
- Cloud storage;
- Password protection services;
- Email and communications services; and
- Document management software.
The above services may already be adequate, but the best practice is to have a refreshed and informed view of the scope of cybersecurity services being performed and how those services, both independently and as a part of an overarching security plan, fit into a provider’s operations.
Further, internal audits of policies and procedures related to the procurement and ongoing maintenance of third-party services can assist in ensuring an organization is taking adequate measures to effectively leverage third-party expertise alongside internal expertise in its cybersecurity efforts.
In January 2021, the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended to require the Department of Health and Human Services (HHS) to incentivize the use of cybersecurity best practices. Specifically, the legislation requires HHS to take into consideration a covered entity’s or business associate’s use of industry-standard security practices (i.e., recognized security practices) within the past year, when investigating allegations of noncompliance with the HIPAA rules and undertaking enforcement actions.
Organizations have flexibility, particularly with the addressable requirements, in how they implement these security protocols. These addressable concerns are particularly important in the COVID-19 era given the rise in the use of telehealth.
When calculating fines related to a breach, HHS is required to take cybersecurity into consideration and also reduce the extent and length of an audit if the entity being investigated has met industry-standard best practices security requirements. HHS is not permitted to increase fines or the length of an audit when an entity is found to be out of compliance with recognized security practices, however.
“Recognized security practices” means standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology (NIST) Act, the Cybersecurity Act of 2015, and other programs, processes, or regulations that address cybersecurity now or in the future.
Starting earlier this year, HHS Office for Civil Rights investigators began routinely requesting information regarding a covered entity’s implementation of recognized security practices. Having such practices in place may be the key to avoiding hefty fines or penalties in the event of a breach.
Physical Access Protocols and Document Security
Another best practice is to ensure that physical security and document storage policies are up to date. To ensure that patient records are physically secure, organizations must ensure that their facilities are protected through office and warehouse entry control monitoring systems, cubicle and office security, and electronic device protocols.
Additionally, access validation systems (e.g., identification badges and scanned key cards) provide an additional layer of security to protect facilities from unwanted visitors. In the DHS HIPAA Security Information Series program on security standards and physical safeguards, a number of best practices are mentioned:
- Locked doors, signs warning of restricted areas, surveillance cameras, and alarms;
- Property controls, such as property control tags and engraving on equipment;
- Personnel controls, such as identification badges, visitor badges, and/or escorts for large offices; and
- Private security service or patrol for the facility.
Although some of the security measures above appear to be standard, such as locked doors, all are prone to decay and underuse. The best practice is to ensure that employees are routinely trained on the importance of carrying identification, locking doors, and remembering to validate individuals attempting to enter a company’s physical space.
Further, employees may be compelled to cheat some of these safeguards for ease, such as failing to lock documents securely between visits to the file room. The best practice is to enforce physical security measures commensurate with their importance and, as such, implement disciplinary policies for those who fail to adhere to company policies.
Above all else, the COVID-19 era is a time for organizations to retrain employees on the importance of technical and physical security standards and to implement policies if these standards are inadequate or missing altogether.
Above all else, the COVID-19 era is a time for organizations to retrain employees on the importance of technical and physical security standards and to implement policies if these standards are inadequate or missing altogether.
Finally, it’s important to note that healthcare organizations are made up of individuals with disparate training and experience, some of whom do not have technical certifications or expertise in maintaining the security and confidentiality of PHI. As a result, it’s particularly important for organizations to provide education and continued support. An organization whose employees have an understanding of the types of threats that cybersecurity and physical security protect against will foster an environment of vigilance and bolster its defense.
Looking Forward
The technology implications of the COVID-19 era have created significant opportunities for cybercriminals. Since the beginning of this year, there has been a sharp increase in the number of phishing and ransomware attacks, among other cyber issues. Now is the time to identify your risks and vulnerabilities and take steps to mitigate those threats in order reduce the risk of becoming a victim of a cyberattack.
It’s highly recommended that you review your policies and procedures, develop and test your incident response plan, and frequently train employees on identifying and responding to cyberattacks.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at sharris@mcdonaldhopkins.com.
Reprinted with permission from the American College of Rheumatology.