HIPAA Survival Guide October 2019 Newsletter
Webinar Title: How Other People Comply with the Security Rule (Redux)?
Description: This webinar will review one of the most insidious Required implementation specifications of the HIPAA Security Rule: Information System Activity Review and provide some "show and tell" of an elegant and affordable solution to this problem.
Accurately Detect Inappropriate Access - The First Time It Happens
Advanced data science enables automatic and accurate reporting of impermissible use by anyone who accesses your clinical or business systems.
Time: 2:00 - 3:30 p.m. EST
October 2019 Newsletter Article
HIPAA SECURITY REMINDERS
Given the quality of today's "alert tools" (e.g. Google Alerts), fulfilling the "Addressable" implementation specification ("Security Control" or "Control") under the following section of the Security Rule should be a "no-brainer":
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce
(ii) Implementation specifications.
Implement: (A) Security reminders (Addressable). Periodic security updates.
Still, we believe that this seemingly rather basic Security Control rarely gets implemented, and when it does, it's done in a manner that is either trite or overwhelming, neither of which makes it actionable for your Workforce. First, let's clear up (again) a myth about what an "Addressable" Control means.
One bright-line rule that you can take to the bank is that it doesn't mean optional! In plain English, an Addressable Control under the Security Rule means: (1) that you must implement the Control as stated in the Rule; or (2) that you must implement a suitable alternative for an organization of your size, sophistication, resources, etc.; or (3) that you must document a compelling rationale for why you decided to do nothing. Simply ignoring an Addressable Control is likely to get you a "willful neglect" fine, which starts at $50K a pop (ouch).
The challenge here is that we can think of no compelling rationale why even the smallest Covered Entity or Business Associate cannot implement this Control. Further, let us remind you of one of the guiding principles that underpins the Security Rule: you are required to do what is "reasonable and appropriate." We often call these legal "weasel words" because they are how HHS, or a court of law, can "bite you" even when you believe that you are otherwise in full compliance. For example, encryption is also an Addressable Control under the Security Rule, but if you are storing your PHI in the cloud (e.g. on AWS or Azure), where you can literally encrypt by "clicking a checkbox," do you really believe that the authorities would find it "reasonable and appropriate" if you failed to check the box? Of course not.
So that begs the question: why is this Control so often ignored or implemented in a manner that makes it virtually useless? One reason is that you can't continue to provide "motherhood and apple pie" Security Reminders (e.g. do not share passwords, use strong passwords, lock your workstations when not in use, don't open emails from people you don't know, etc., etc.) and not expect them to be ignored. It's not that "motherhood and apple pie" are bad things in and of themselves; it would be silly to suggest that. However, if that's what your Reminders consistently regress to, then it's akin to your mom nagging you to clean your room when you were a kid. You may eventually do it because the nagging becomes "worse than the cleaning," or out of fear of some more dire form of reprisal (e.g. taking your Nintendo away), but it's unlikely to change your conduct going forward. Mom will continue to nag because you will continue to need it.
That brings us to the critical question we want to pose in this article: "What is the purpose of Security Reminders?" From our perspective, the purpose is to change your organizational compliance DNA over time so that this small, but meaningful, Control significantly contributes to the creation of a "culture of compliance" within your organization. Compliance is not a "set and forget" or "once and done" process. In the 24/7/365 online world that we all now inhabit, cybersecurity must be transformed from some necessary regulatory evil into a mission-critical piece of your value proposition for patients and other stakeholders. Even a small breach is going to ruin your day and cost you thousands of dollars to analyze and report. If a robust Reminder program can prevent and/or mitigate the same, then this is a huge organizational win.
So, what should a robust Reminder program consist of? Like so many things in the HIPAA compliance universe, there's no single way to go about implementing one. However, as a guiding principle, it should produce "news your Workforce can use" (i.e. in addition to motherhood and apple pie) regarding emergent "zero-day" exploits, including, but not limited to, remediation for new: (1) phishing schemes; (2) attack vectors; (3) ransomware; and (4) encryption strategies, etc. Reminders should also be used to inform your Workforce of material changes in the law, and of events that mandate new Risk Assessments, such as mergers and acquisitions, moving your data center, and other significant modifications to your operational environment.