HIPAA Survival Guide Newsletter, July 2021

Compliance is a journey and not a destination, which implies the creation of a culture wherein compliance is something you do as part of your organization's mission and not as some necessary evil. Creating a Culture of Compliance consists of consistently performing a repeatable set of processes. This article provides examples of repeatable processes that may provide a successful Culture of Compliance in your organization.

The journey occurs along the continuum and you must get comfortable with the idea that you may never arrive at your destination. Full Compliance is so daunting a challenge that the best you may ever do is to attack high priority risks, then medium priority, rinse, and repeat. Your operational environment is always changing in our “always-on” 24/365 culture that we live in. There is no escaping prioritizing some risks over others, ad infinitum. In any Regime, some requirements are foundational, those that are a must-do, or cannot be ignored, and contain objectives that must be met before you can even think about mouthing the words "we are in compliance."

Risk/Gap Assessments

HIPAA's required Risk Assessment process is generally done on an annual basis or when there is a material change in your environment that requires a review of remediated risks from prior Assessment efforts. The same is true for Privacy Regimes to ensure that liability is reduced or eliminated. Although assessments are repeated as appropriate, there is a permanent and continuous need for evergreen processes to reinforce that risks and gaps remain remediated. The regimes often do an adequate job of spelling out the evergreen processes required to maintain compliance—although out of necessity you must read between the lines to understand the intention that underpins the requirement.

Remediation

Remediation is one of the toughest efforts within your compliance initiative. First, your assessment, or gap analysis, enables the determination of those risks that require effort to maintain compliance and avoid liability and fines. After identifying the Risk, the next step is to perform remediation efforts to "plug the hole" and ultimately to document what was done to maintain compliance. Often this step is one of the most difficult as it may not generally be addressed or completed by a single individual and obtaining assistance in a lackluster organizational compliance culture may be like "pulling teeth." Compliance officers must nudge, require, assess, and repeat. Remediation remains a consistent challenge under security regimes because of the underlying changes to software and/or hardware environments that underpin your defenses. Software patches can be a nightmare for organizations with many servers and firmware upgrades are exploding due to the Internet of Things (IoT).

Training

HIPAA and other regulatory regimes require workforce training. Not once, not twice, but maybe annually or even more frequently as the regulations change. Generally, new employees must be trained within thirty (30) days of hire, but often the entire staff is provided repeatable opportunities (annually) to ensure knowledge transfer regarding regulatory requirements, especially when the laws change. It is axiomatic that if you do not understand a regime's requirements then there is no conceivable way to build a compliance program for it.

Universally the workforce complains about not having enough training, or the right training, in just about any subject matter domain you can name. Compliance is no different. So how does a Culture of Compliance maintain and provide knowledge for their workforce? Educate, Educate, Educate! Consider using “bite-sized” training modules so that workforce members can avoid the drudgery of listing to an hour-long video when they are looking for a two-minute answer.

Security Reminders

Given the quality of today's "alert tools," (e.g., Google Alerts) it should be relatively straightforward to preserve your workforce up-to-speed with the latest threats. For example, fulfilling the "Addressable" implementation specification ("Security Control" or "Control") under the following section of the HIPAA Security Rule should be a "no brainer:"

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (ii) Implementation specifications. Implement: Security reminders (Addressable)

Remember, an "Addressable" Control is not optional! Simply ignoring an Addressable Control is likely to get you a "willful neglect" fine which starts at $50K a pop (ouch). It means: (1) that you must implement the Control as stated in the Rule; or (2) that you must implement a suitable alternative for an organization of your size, sophistication, resources, etc.; or (3) you must document a compelling rationale as to why you decided to do nothing.

Periodic security updates are rather basic and unfortunately, rarely get implemented, or if they do, the action to update all members of the workforce (including management) sometimes fails. This simple rule requires actionable results. What does that mean? It means that workforce members receiving these updates need to understand the implications of a variety of cybersecurity actions that could – for example – penetrate your perimeter just because one person clicked on the wrong link in an email! Educate, Educate, Educate your workforce! You must find a way for your workforce to engage in the process. For example, as new phishing schemes are revealed, periodic online phishing training would go a long way toward hardening your defenses. Phishing remains the number one attack vector that the bad guys use to penetrate your network.

Cybersecurity Safeguards to Protected Information

Of paramount importance, personal and health information (i.e., PII & ePHI) must be protected from beginning to end (e.g., the moment it enters the healthcare system and until it is securely destroyed). “According to the Department of Health and Human Services, there has been an almost 50 percent increase in healthcare cybersecurity data breaches between February and May 2020 compared to 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry due to the sweeping changes required, putting extra pressure on already inadequate healthcare cybersecurity measures.”[1] 

Another cybersecurity issue is our “beloved cell phones” to keep us updated throughout the day. Text messaging has become ubiquitous on mobile devices, but how far do you have to go to keep your texting compliant? “’ According to one survey, approximately 72 percent of mobile phone users send text messages.’[2] Clinical care is not immune from the trend, and in fact, physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.”[3]

If there is one thing that hackers like, it is a target that's "soft" and large. Complex organizations in industries that have been slow to adopt and secure protected information are precisely that, soft targets. These organizations usually have broad and mostly poorly defended "attack surfaces," which provide hackers with many routes to enter and through which they can not only exfiltrate data but also compromise services and hardware.

Summary

This brings us to the critical question we wanted to pose in this article: "How do you establish and maintain the creation of a "Culture of Compliance" within your organization?" Compliance is not a "set and forget or once and done" process. In our 24/7 365 online world, cybersecurity must be transformed from some necessary regulatory evil to a mission-critical value proposition for patients and other stakeholders.

Keep your workforce knowledgeable, inform them of material changes in the law, events that mandate new Risk Assessments or Gap Analyses, like significant modifications to your operational environment. Keep your compliance process evergreen and remember that you cannot have a Culture of Compliance without reinforcement. If a robust compliance program can prevent and/or mitigate damage, penalties, or monetary fines, then this is a huge organizational and cultural win.

[1] Death by Ransomware: Poor Healthcare Cybersecurity HIT Consultant

[2] "www.comscore.com/Press_Events/Reports October 2011 U.S. Mobile Subscriber Market Share."

[3] The American Health Information Management Association