10 Technology Tips to Avoid HIPAA Violations – Guest Author at Newegg Business

This week I wrote a guest article for Newegg’s Business blog, Hardboiled. I walked through my 10 Technology Tips on How to Avoid HIPAA Violations.

Take a read!

/s/ HH @LegalLevity

Why Compliance Matters to You (or It Should)

Not long ago I got into an argument with an information security (“infosec”) person about that dirty word we all love to hate, compliance <shudder>. This person’s position was that compliance does not matter and does not advance the state of security “at all.” Sadly, these anti-compliance opinions are remarkably commonplace, and they often have the opposite effect from what the individual really wants: buy-in from decision makers. The impact of anti-compliance opinions on our organizations is pervasive, invasive, and overwhelming.

Non-techies are Technology Empaths

The organizations we work for echo our opinions on tech and infosec. So, if you espouse an anti-compliance opinion, the employees around you, as well as those you support and train, will begin to hold those same beliefs. For the large majority of the workplace, the infosec team operates with borderline magical abilities, which means that those who are not technically inclined will adopt the team’s opinions. Put simply, ask yourself a question: if you ran a company and your infosec team did not believe that compliance advanced the state of security, how much would you invest in data security, training, or infosec infrastructure? The answer is as little as possible, because if compliance does not matter to my infosec team, then why should it matter to me?

Data Breaches in 2015:

How many of you received a letter from Anthem, Premera, or CareFirst regarding the theft of your PHI from an unencrypted server? These three BCBS company breaches saw the loss of ~93 million PHI records in the span of six months. In tandem with BCBS, the Office of Personnel Management (“OPM”) discovered catastrophic, ongoing breaches resulting in ~22 million stolen records, many of which were from top secret security clearance applications. From OPM to BCBS, over 105 million people have had their data stolen this year. The inevitable lawsuits stemming from those breaches will revolve around two primary questions: whether the entities failed to meet industry standards and whether they violated the law; a.k.a. compliance.

Audits and investigations:

Investigations are coming. If you had any doubts or questions about whether the federal government was committed to enforcement actions and audits, read my article on the New Normal of HIPAA breaches, audits, and enforcement. In short, the OCR is out there and coming for you whether or not a breach or theft occurs. The OCR plans to audit a sample of covered entities (10%) and business associates (5%), regardless of whether a breach occurred. Add to this ramped-up investigatory presence the expanding range of penalties, both corporate and personal, and the case for compliance begins to crystallize. These efforts are not limited to the HIPAA sector either: the FTC recently released its “Start with Security: A Guide for Business,” which promises to be a foundation of the FTC’s legal efforts against companies that fail to meet the minimum thresholds of those guidelines. Simply put, no matter what sector you are in, government efforts and spending are ramping up, often at exponential rates, to ensure that organizations holding data are in compliance with the law.

Compliance is your friend

Compliance is no longer a four-letter word relegated to the low rung of the budgetary spreadsheet next to birthday cakes and dry erase markers. Compliance departments are becoming larger, more robust, and increasingly well funded every year. What many anti-compliance advocates do not realize is that compliance does advance the state of security, because it gives you a toolbox of legal authority to grab attention and justify spending on what matters to you: advancing information security within your organization. Not only is an anti-compliance attitude unproductive, but it can directly impact your ability to do your job, or even keep your job. Compliance means you, as an infosec professional, can get buy-in on that project, tech upgrade, or conference you need to do your job. If you aren’t advocating for compliance in your organization, you should be, because it’s advocating for yourself.

It’s simple – advocate now, or pay later.

/s/ HH @LegalLevity

Technology, HIPAA and You Part 4: HIPAAtrek

Wow, what a whirlwind of a month. Since my talk at BSides San Francisco I have been in Dallas, Chicago, San Diego, and points beyond, working on the intersection of HIPAA and infosec as a new paradigm for thinking about how we secure PHI. There was also my guest piece @Tripwire on The New Normal in Breaches, Audits and Enforcement.

On top of that I got to meet with a company called HIPAAtrek, located in St. Louis, MO. HIPAAtrek was founded by an amazing group of individuals headed up by Sarah Badahman. As a quick note, I am not a client of HIPAAtrek, nor did I receive any compensation for this review. Part of what I do for this blog is work to find the best and brightest (in my opinion) products and people out there to help you navigate the HIPAA minefield. To that end, here is what I found on my run through HIPAAtrek.

The goal behind HIPAAtrek is to develop a platform for HIPAA that takes the complexity and expense out of compliance and compliance tracking. To that end, the people at HIPAAtrek created a web-facing product that serves as the dashboard for your HIPAAtrek experience.

Dashboard and User Tracking

The basic five icons are a bit deceiving in the amount of information they really contain. The manage users tab allows you, if you choose, to manage every employee in your company, their level of training, alerts, and even when they have accessed the website to review materials. As someone who constantly struggles to get employees to do training, the ability to track, send out alerts, and badger the crap out of someone appeals immensely. There is even a dashboard to tell me who has viewed alerts or other reminders. My understanding is that in the not too distant future HIPAAtrek will offer the ability to administer and track trainings. If they can add videos, tests, and uploaded training materials, this portion of the HIPAAtrek offering will really kick it up a notch. Most audits involve the inevitable questions: who did you train, when did you train, and what did you train. Already, many certifying organizations for healthcare require these types of reports, and it would be a real cherry on top.

Policy page and to-do’s

The policies page is one of my favorites. Each of the icons represents a different policy or group of policies and frankly makes it a lot easier to figure out what you are looking for when browsing. Even in my own policy set, I often have to hunt until I find something. These intuitive links make that easier. The links here are broken into 20 categories ranging from Security Management Process and Contingency Plan to Workstation Use and Breach Notification. Alongside each picture is a little number that indicates the number of policies contained within. Once you click one of the icons, you are taken to a policy page. Each category page describes the category, the overall purpose, and the policy statements that you create. Also part of this page is a nifty progress bar that gives you a percentage of completion for your HIPAA policies. Each of these policies is tagged as either ‘Finalized’ or ‘In Progress.’

This page also gives you a handy download-to-PDF option in case those pesky auditors come around or you have an employee who must have paper. Ideally, a feature will be added in the future that tracks revision number, date, and edits, or even a button to record notes and specific things you want to remember when working in this category. Given the emphasis on business continuity and disaster recovery, I could see a place to upload your outcomes, dry runs, and findings from DR/BC simulations. This brings me to the real sweet spot and a clear differentiator of HIPAAtrek. By using this service they will help you create your own policies from scratch, import policies you have already created, and yes (gasp) review the policies you have for gaps. A lot of services out there either use the pump-and-dump method, where you get blank policies to fill in, or they fill out policies with zero feedback or input from the stakeholders. HIPAAtrek uses a different model that actually feels collaborative.

Closing thoughts

I have reviewed and used a lot of HIPAA compliance programs that I have not, and would not, review. Too many firms overcharge and under-deliver in an expanding HIPAA compliance field that all too often provides fluff and stuff over depth and breadth. As with any compliance effort, HIPAAtrek will not do the work for you. HIPAA compliance must be looked at like climbing a mountain: you and your organization do the work, but having a sherpa (or HIPAA Sherpa) to guide you along the way makes things significantly smoother and less fraught with icefalls, crevasses, and audits. The bottom line is that audits are growing in number and breaches are expanding exponentially. Take a look at this piece I did on the OCR HIPAA Breach Reporting Data if you aren’t convinced.

Prepare now or pay later!

/s/ HH @LegalLevity

Technology, HIPAA and You Part 2: NIST Tool

This is the second part of my series on HIPAA compliance tools, apps and hardware. This week I focus on the NIST HIPAA Toolkit.

Creators: The National Institute of Standards and Technology is a part of the US Department of Commerce. NIST’s stated mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” In other words, this is government-funded research aimed at producing usable products, papers, and technology for anyone to use. NIST also co-hosted a conference in 2014 with OCR to discuss HIPAA Security Rule issues.

Look and Feel: This tool is as utilitarian as you would expect from something funded by the US Government. It does not have splashy graphics, complex reporting, or some of the features you might see in traditional for-profit applications. That said, what this program lacks in pretty, it makes up for in pure unadulterated HIPAA horsepower. Once you have created a survey, the dashboard serves as a step-by-step walkthrough of the HIPAA Security Rule, beginning with 45 CFR 164.308 and running through 45 CFR 164.316. The program works on Mac, Linux, and Microsoft platforms.

Under the Hood: All told, there are 809 survey questions in the enterprise version and 492 in the standard version; the primary difference is how in depth you want to get. I used the enterprise version for an umbrella company and the standard edition for the subsidiaries/sister companies. Each question is geared towards asking, at least in theory, exactly what a HIPAA OCR auditor would ask your company in the unfortunate event you are being audited. For example:

“Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?”

[Screenshot: NIST ScreenCap]

As you can see, this question is paired with a very basic response of Yes, No, or Not Applicable. In addition, you can flag the question for importance on a color/number scale and make comments. Another very impressive feature of this tool is the ability to upload the documents/policies that support your answer to the question. The feel of the survey is that an auditor would use something very similar to run a company through the wringer.

Use: As you work your way through the survey, you will, almost inevitably, find glaring holes in your documentation. That is okay: if you note the misses and keep going, you can run a report that pulls out questions based on level of completeness or flag level. Ultimately, you can run a report that would, in theory, demonstrate full documentary HIPAA compliance at the click of a button for the Administrative, Technical, and Physical Safeguards.

A couple of other neat features are worth pointing out. The survey itself is saved in an .xml format that can be accessed across networks. This means different offices, such as the privacy office and the security office, could work on the same survey in different locations by passing the .xml file back and forth. The .xml format also means that the technically minded could manipulate and work with that file. One caveat when you do pass it around: that file records exactly where your safeguards are missing, along with your comments and any attached policies, so it is sensitive in its own right and should be stored and transferred with the same care as the policies it describes.

The primary drawback to this tool revolves around the document attachment feature. Once a document is attached, it must be deleted and re-attached any time changes are made. This makes using this program as a living document very problematic. The company I am with chose to keep the documents outside of the tool and reference which policy answered the question(s).

Another negative is that this tool does not address the Privacy Rule aspects of HIPAA. It is solely concerned with the Administrative, Technical, and Physical Safeguards. The tool can also appear very daunting and complex. That said, a methodical approach to it will yield good work product.

Final Thoughts: In November of 2011, NIST quietly released this tool to aid organizations in working towards HIPAA compliance. Surprisingly, I routinely meet practitioners who have never heard of this tool. Even taking into account its age (four years old) and missing pieces, it is a surprisingly robust tool that will get almost any entity organized and on the path to compliance. Add to that the versatility of being able to generate a “HIPAA Compliance Report,” and being able to hand this to the auditor as a first step would certainly frame the discussion in a positive way.

Now, the website clearly states the tool is for informational purposes only and does not provide the user with HIPAA compliance. However, if I had a choice between a paid third-party app and an app from the agency that co-hosted the HIPAA Security Conference with the auditing entity, I would probably pick the NIST tool. As part of a broad-based HIPAA compliance strategy, the NIST tool can be very helpful in tackling the Administrative, Technical, and Physical Safeguards requirements.

/s/ HH @LegalLevity