OCR's Cyber Security Newsletters: "Cheat sheets" for good security compliance in our cyber age

By Iliana L. Peters, JD, LLM, CISSP

Iliana L. Peters (IPeters@Polsinelli.com) is a Shareholder in the Washington, DC offices of Polsinelli, PC.

Most businesses, whatever the economic sector, acknowledge that they must devote resources to understanding and implementing data security, particularly given that security incidents and their fallout make the news on a daily, if not hourly, basis. Conversations about risks for data security breaches happen at breakfast tables and boardroom tables around the country, and topics range from social media to national elections to international espionage. For compliance personnel, these conversations boil down to concrete reasons for investing the resources in implementing data security practices and the best ways to do so. Importantly, good data security in our current cyber age is essential for entities of all sizes, types, and focus areas, for a few very persuasive reasons, including:

  • An entity’s data is its most valuable asset, replacing assets that used to be considered more high-value, from physical assets to copyrighted material to well-trained employees, in a corporate valuation analysis.[1]

  • An entity’s reputation is on the line anytime its data is compromised in a data breach or cyberattack; recent examples of high-profile data breaches have angered both consumers and state, federal, and international legislators and regulators.

  • Good data security is required under state, federal, and international law, and violations of these laws can have serious penalties.

  • With respect to certain critical economic sectors, such as the healthcare sector, the lack of good data security is a safety issue for individuals. For example, if a healthcare entity does not implement good data security and falls victim to a security incident or attack that results in either data accessibility or data integrity compromises (i.e., patient data is made either inaccessible or incorrect), the healthcare entity cannot treat patients, or may treat patients incorrectly, which could seriously affect the health or lives of the patients.

So, what does good data security hygiene look like from a cybersecurity perspective, particularly in the healthcare sector? How are healthcare entities supposed to keep up with a constantly changing risk landscape? What are the risks that the regulators are most concerned with and that healthcare entities should prioritize? These are all good questions; the answers are regularly discussed in Cyber Security Newsletters, a monthly publication by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), which is the primary regulator responsible for implementation and enforcement of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules).[2]

Although regulated entities are generally familiar with settlement agreements and civil money penalties (CMP) published by OCR,[3] and the insight they provide into the data security issues on which OCR is focusing its enforcement efforts, many regulated entities are not leveraging the information contained in the Cybersecurity Newsletters[4] to augment their HIPAA Security Rule compliance efforts, particularly with regard to high-risk issues. Reviewing some of the most recent Cyber Security Newsletters is particularly instructive to understand recurring HIPAA Security Rule compliance issues that create cybersecurity risks for HIPAA covered entities and business associates.

HIPAA Risk Analysis: Identify ePHI and risks to it

The HIPAA Security Rule requires, as a foundational administrative safeguard for electronic protected health information (ePHI), that HIPAA covered entities and their business associates (as defined by the HIPAA Rules) undertake a comprehensive and enterprise-wide analysis (or assessment, as it is referred to in other economic sectors) of the risks, including threats and vulnerabilities to all of the ePHI they hold.[5] The requirement is essential for purposes of identifying all of an entity’s data and the risks to it, including those associated with any cybersecurity threats or vulnerabilities that could be exploited by cybersecurity threat vectors or attackers.

This requirement is fairly straightforward; that is, HIPAA covered entities and their business associates must identify:

  • the ePHI they hold, including through data inventories, mappings, and flows;

  • the threats to and vulnerabilities of the ePHI, given the people, entities, and assets that create, access, maintain, and transmit such ePHI, including systems, applications, devices, workforce members, and partners; and

  • the likelihood that these threats or vulnerabilities could be exploited, which is the risk to ePHI.

Essentially, this means that HIPAA covered entities and their business associates should understand where their ePHI is throughout its lifecycle (from creation to maintenance to destruction), and what the risks (including cybersecurity threats or vulnerabilities that could be exploited by cyberthreat vectors or attackers) to it are, given where it is created, accessed, maintained, and transmitted until it is destroyed.

The point is—if a HIPAA covered entity or business associate does not identify all the places where ePHI “lives,” and the risks to ePHI in those places, then it cannot sufficiently protect the ePHI against threats or exploitation of vulnerabilities, which will very likely result in a breach.

However, HIPAA covered entities and their business associates often have misunderstood this requirement to be an audit or gap analysis, and instead of analyzing the risk to the ePHI, they assess the gaps in their enterprise practices against the requirements of the HIPAA Security Rule or another cybersecurity framework, such as the NIST Cyber Security Framework.[6] A gap analysis or audit is also a helpful exercise, and is required by the evaluation requirement of the HIPAA Security Rule at 45 CFR § 164.308(a)(8), but it is not a risk analysis.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings