Ask Me Anything: A-LIGN’s HIPAA Expert Holds a Reddit Q&A
A-LIGN’s Senior Manager Blaise Wabo recently returned to Reddit to hold another Ask Me Anything (AMA) Q&A session on Reddit’s /r/technology subreddit. Blaise fielded important questions on the state of healthcare security, HIPAA compliance and cybersecurity threats to sensitive health data.
Being a hot-button issue in the world of compliance and security, it didn’t take long for the AMA to amass hundreds of questions from curious Redditors. Below are the top questions, but we encourage everyone to read the full AMA here.
Q: Can you give a brief explanation of what’s changed with HIPAA and HITRUST regulations between the last time you were here and now? Additionally, how well have the companies affected by the seemingly-continuous massive data breaches adhered to those regulations? How much danger is the average citizen in when this info is leaked assuming the affected company encrypts the data? How about when they don’t?
I am glad to be back and doing this HIPAA AMA. So there has not been many changes in HIPAA but on February 11, 2019, HHS (Health and Human Services) announced two proposed rules to support the seamless and secure access, exchange and use of ePHI (electronic protected health information). These rules will focus on patient access to their records and APIs (application programming interfaces) with ePHI. This release was in conjunction with CMS (Centers for Medicare and Medicaid Services) and ONC (Office of the National Coordinator for Health Information Technology) announcing that they are extending the public comment period by 30 days for the two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.
Also, OCR (Office for Civil Rights) has concluded a record year in HIPAA enforcement activity. In 2018, OCR settled ten cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22%. In addition, OCR also achieved the single largest individual HIPAA settlement in history with $16 million from Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. As you can see, hackers are becoming more and more sophisticated and it is the responsibility of covered entities, business associates, patients and every other player in the food chain to secure PHI.
Regarding HITRUST, there has been the release of CSF v9.1, now v9.2 and v9.3 will be in Q3 of this year. Basically, HITRUST made their framework industry agnostic, so it is no longer specific to healthcare and any organization in any industry can now adopt the HITRUST CSF as their risk assessment framework. They have also added GDPR, NYCRR 500, California CPA, Singapore Privacy, and some other regulations to their framework.
Q: I’m an IT Director and currently evaluating 2 different vendors to perform a cybersecurity audit of our infrastructure and processes. One is providing CISSP and CISM certified resources while the other is not; their resources credentials include years of industry experience but no certifications. I’m inclined to choose the better-certified vendor. Any thoughts? The goal is to meet contractual obligations to clients and do our due diligence. We’re not doing it to meet compliance needs. Thanks!
I would say go with the firm that has certified assessors/auditors. You do not want folks that do not understand security to ask you questions.
Q: How often do you perform an audit, find significant problems and the organization does absolutely nothing about it?
It is not the auditor’s responsibility to ensure gaps are fixed; it is management’s responsibility to understand the risk and deploy controls to remediate the gaps identified. Auditors should be careful doing business with organizations that do not take security seriously as their license and reputation could be at risk.
Q: What is your position on PHI transmission before one officially becomes a patient? For instance, many people will email us, disclosing PHI in regular email or a contact form from our website. When and where does HIPAA compliance officially kick in?
It kicks in once that patient has had a diagnostic. If all you have is PII and not PHI as defined by HHS, technically HIPAA does not apply to you.
Q: The medical field is one of the fields that always seems to be out of the loop when it concerns adopting and upgrading the software of pre-existing systems. From what I understand, the certification requirements in the medical industry can make it difficult to be flexible in implementing security updates compared to other industries.
With major threats such as the newly discovered MDS vulnerability, the Spectre/Meltdown vulnerabilities discovered last year, and minor threats discovered on a weekly basis, how do security audits help prepare medical facilities against the constant onslaught of unforeseen threats? Can strict security certifications hamper the mitigation of newly discovered vulnerabilities? Do medical security audits give backend engineers the flexibility they need to quickly fix issues discovered in certified systems?
I would say before deploying any upgrades or fixes, you want to make sure it is tested in a test environment before being deployed to production. Also, security is always based on risk. Make sure a risk assessment is performed periodically to integrate any recently discovered vulnerabilities and implement controls to mitigate those risks.
Q: Can you give some tips for staying secure & HIPAA compliant in therapy sessions conducted online (like trustworthy video chat clients with location tracking), and for storage of therapy notes and records?
- Use a trusted and secure platform
- Ensure the sessions are encrypted including the voice recordings and any notes/chat
- Always advise patients to keep any data confidential and be in a safe environment before initiating the session
Q: Despite more and more organizations taking cybersecurity seriously, breaches continue to happen. Why do you think this is? What is the most common missing control you encounter?
What do you believe is the best bang-for-your-buck control an organization can implement to increase their security posture?
Great question. No matter how secure your environment might be, your weakest link is always your people. So, we must make sure we dedicate a lot of resources to training our people on security awareness, social engineering, etc.
Q: There’s always a lot of attention paid to insufficiently strong security and data breaches but what do you think most healthcare providers do well in terms of cybersecurity (if anything)?
I think healthcare providers are taking security more and more seriously, but to your point, we have a long way to go. I suppose that is why there are laws like HIPAA and consequences for not doing due diligence to follow these laws.