OCR Reminds Healthcare Organizations of Risk Management Steps
Federal regulators are reminding healthcare organizations not to overlook the security risks related to collaborative file sharing tools and other cloud-based services.
In a cyber awareness newsletter, the Department of Health and Human Services’ Office for Civil Rights notes: “Cloud computing and file sharing services can introduce additional risks to the privacy and security of electronic protected health information that organizations must identify as part of their risk analysis process and mitigate as part of their risk management process.”
OCR notes that a recent study by the research firm Ponemon Institute found that nearly half of the organizations surveyed, drawn from a variety of industries including healthcare, reported at least one confirmed file sharing data breach in the last two years.
OCR adds that among the top security concerns listed by organizations using file sharing are: temporary workers, contractors, or third-parties accessing data they should not see; employees accidentally exposing data; and broken security management processes.
Additionally, misconfigurations of file sharing and collaboration tools, as well as cloud computing services, are common issues that can result in the disclosure of sensitive data, including ePHI, OCR notes. “Too often, access, authentication, encryption and other security controls are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of that data.”
Kate Borten, president of the privacy and security consulting firm The Marblehead Group, says healthcare entities often overlook the risks associated with file sharing and cloud computing.
“Using the cloud for file repositories and data sharing carries multiple risks,” she says. “The products began as personal – not enterprise – tools and lacked many basic security and privacy controls. Now that enterprise versions are available with security and privacy capabilities, they can be very secure and practical. But they must be used appropriately.”
Organizations sometimes fail to control these tools centrally, as they would a production system, she notes. “And even then, there is risk in putting the decision to easily disclose ePHI in the hands of users. In a traditional system, granting data access to an outside party would need to be approved and handled centrally by IT or a security designee. But file sharing allows users to bypass this critical control.”
File sharing features that are designed to make the individual’s life easier, such as syncing data between all of a user’s devices, have led to unintentional breaches, she says.
“Because a file sharing tool is not a production system and it may not be mainly used to share PHI, organizations sometimes fail to understand the need for a BA contract,” Borten adds. “Often, organizations accept standard vendor language as a service level agreement without giving it serious review and trying to negotiate with vendors.”
Joe Meyer, regional technical director of risk management and governance of North America operations for the consultancy NCC Group, says organizations should address specific issues concerning the “need to share.”
“Many covered entities will go through the necessary channels filling out agreements, non-disclosure agreements, contracts, etc. in order to start the file transfer process,” he says. “However, very rarely, if at all, do we see a duration of time, expiration date, or allocated time frames in which transfers will, can or should occur.”
Organizations must share only the bare minimum amount of data with “a very specific group of users, at or within a certain time,” he stresses. Scoping a share this way allows the access to be better controlled, monitored and audited.
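The two failure modes described above, controls left at default settings (OCR) and shares with no recipient scope or expiration (Meyer), can be checked against a file sharing tool’s share export. The following is an added example, not code from OCR, NCC Group or any sharing product; the record schema, field names, the 30-day policy and the sample shares are all constructed assumptions.

```python
"""Audit file-sharing grants for public links, missing expirations and
recipients outside the approved group.  Example code; the share record
format below is a hypothetical schema, not any real product's export."""
from datetime import datetime, timedelta, timezone

# Constructed sample export: one dict per share grant (hypothetical schema).
SHARES = [
    {"file": "radiology/pt-2217.pdf", "contains_phi": True, "link": "anyone",
     "recipients": [], "expires": None},
    {"file": "radiology/pt-2217.pdf", "contains_phi": True, "link": "restricted",
     "recipients": ["dr.lee@partner-clinic.example"], "expires": None},
    {"file": "finance/q3-budget.xlsx", "contains_phi": False, "link": "restricted",
     "recipients": ["cfo@hospital.example"], "expires": "2017-12-31T00:00:00+00:00"},
    {"file": "labs/batch-0419.csv", "contains_phi": True, "link": "restricted",
     "recipients": ["temp.worker@contractor.example"], "expires": "2020-01-01T00:00:00+00:00"},
]

MAX_SHARE_DAYS = 30  # assumed policy: a PHI share must expire within 30 days
AS_OF = datetime(2018, 1, 15, tzinfo=timezone.utc)  # constructed audit date


def audit_share(share, allowed_domains, now, max_days=MAX_SHARE_DAYS):
    """Return the policy findings for one share grant (empty list = compliant)."""
    findings = []
    phi = share["contains_phi"]
    if share["link"] == "anyone":  # the 'left at default settings' case
        findings.append("public link")
    ext = [r for r in share["recipients"] if r.split("@")[-1] not in allowed_domains]
    if ext:  # no "very specific group of users"
        findings.append("recipient outside approved group: " + ", ".join(ext))
    if share["expires"] is None:
        if phi:  # no "expiration date or allocated time frame"
            findings.append("no expiration on PHI share")
    else:
        exp = datetime.fromisoformat(share["expires"])
        if exp <= now:  # grant should already have been revoked
            findings.append("expired grant still active")
        elif phi and exp - now > timedelta(days=max_days):
            findings.append(f"PHI share open longer than {max_days} days")
    return findings


def audit(shares, allowed_domains, now):
    """Map each file path to its findings, omitting grants that pass every check."""
    report = {}
    for share in shares:
        found = audit_share(share, allowed_domains, now)
        if found:
            report.setdefault(share["file"], []).extend(found)
    return report


if __name__ == "__main__":
    for path, issues in audit(SHARES, {"hospital.example"}, AS_OF).items():
        print(path, "->", "; ".join(issues))
```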
Risk Assessments Essential
OCR notes that many file sharing misconfigurations and errors should be detected and corrected as part of an organization’s risk analysis and risk management processes or as a result of its evaluation process in response to environmental or operational changes within the organization.
“As part of that process, vulnerability scans may help to identify technical vulnerabilities such as missing patches, obsolete software and misconfigurations of many common file sharing and collaboration tools,” OCR states.
The security concerns, however, are not unique to any particular file sharing or cloud computing technology, OCR notes.
“Thus, when using these technologies, covered entities and business associates must conduct an accurate and thorough risk analysis, adopt risk management policies to ensure risks are reduced to a reasonable and appropriate level and enter into comprehensive business associate agreements – and service level agreements where appropriate – to ensure the protection of ePHI and compliance with the HIPAA rules before implementing any file sharing or cloud computing service that will be creating, receiving, maintaining or transmitting ePHI.”
Meyer says that when dealing with cloud services providers, signing a business associate agreement is an insufficient way to ensure security.
“Many organizations think that simply moving to the cloud makes them secure, so they stop doing all of the tasks that made them secure,” he says. “So they discontinue their security tasks, because they assume the cloud services provider is. All organizations … need to truly understand what they are responsible for and what the cloud services provider is responsible for.”
OCR notes that in addition to a business associate agreement, “a service level agreement is commonly used to address more specific business expectations between the CSP and its customer.” That agreement should include details on system availability and reliability; back-up and data recovery; the manner in which data will be returned to the customer after service termination; security responsibility; and use, retention and disclosure limitations, OCR notes.
Importance of BAAs
The lack of business associate agreements between covered entities and cloud services providers that later experience a breach is a HIPAA compliance shortcoming OCR has repeatedly highlighted after investigating major incidents listed on the federal “wall of shame” website, which tracks breaches affecting 500 or more individuals.
For instance, in a spreadsheet that can be downloaded from the “wall of shame” website, OCR notes in several entries that it found BAAs either absent or insufficient during its investigations into more than a dozen breaches reported by covered entities last year, all related to a cyberattack on the cloud-based electronic health records vendor Bizmatics Inc.
While so far none of the reported breaches related to the Bizmatics cyberattack appears to have resulted in OCR enforcement action involving fines or settlements, OCR has in several other cases penalized organizations for lacking a business associate agreement with a vendor handling PHI.
For instance, last year, OCR entered a $400,000 HIPAA settlement with Care New England Health System, citing the lack of an updated business associate agreement.