Peeling Back The Onion: A Deeper Dive on Provider SRAs
Security Risk Assessments (SRAs) are critical, recurring opportunities for healthcare organizations – especially healthcare providers – to ensure their cloud infrastructure and other systems are secure. In our previous blog post, The Other Critical Care: Shoring Up Patient Data With Provider SRAs we discussed the fundamental questions every entity should keep in mind as they prepare and conduct their SRA. These touch on how often you conduct an SRA, which systems you audit and include as part of your assessment and designating and publishing the security officer so that your entire organization is aware.
As the industry’s largest managed cloud and defense company, ClearDATA is uniquely attuned to the needs and requirements of healthcare organizations as they endeavor to stay compliant with HIPAA and other healthcare-specific regulatory frameworks. In this article we peel back the layers of the onion, and share the questions and concerns we have discussed with hundreds of CIOs and CISOs to help them conduct superior SRAs.
Workforce Security Training
The unfortunate fact is that many cybersecurity incidents and breaches are the result of human error – in all industries. Even the most rigorous and world-class software programs, tactics, techniques, and procedures provide little to no utility if an employee creates an easily guessed password or leaves their laptop accessible in a public space, where prying eyes can potentially exploit valuable data.
It’s for that reason that we advise CIOs and CISOs to step back and ask themselves if they are screening their workforce members. Are they trustworthy? Are they disciplined? Are they trained? How are you screening for those things? One of the simplest steps for a healthcare executive tasked with defending their IT systems and ePHI is to first look at who has access to their data. Employees with a history of malicious data usage, or even careless data security practices, ought to have modified permissions that strictly limit their access to sensitive ePHI, if they have any access at all.
Once employees are screened and confirmed for access to ePHI, the next step is to administer security training so they are empowered and aware of how to protect patient data. Some of the most up-to-date and successful training programs we have seen include a focus on preventing phishing attacks. Phishing attacks are increasingly sophisticated and resemble actual emails, and for many non-technical users, these emails may appear to be genuine. Your entire organization should be able to recognize, avoid, and report potential phishing attacks.
Additionally, employees should never back up PHI or other sensitive data on unregistered storage devices or in personal cloud storage. At a minimum, we recommend conducting annual training on the most relevant security policy considerations, such as the use of encryption and PHI transmission restrictions. Provide staff with training on and awareness of phishing e-mails.
Antivirus (AV) Software
This is a highly effective option to protect the confidentiality, integrity, and availability of ePHI. Antivirus (AV) software is widely used in healthcare, and it represents a low-cost but effective investment in organizational security. Especially when it comes to protecting against computer viruses, malware, spam, and ransomware threats. Every endpoint or instance in your organization should be protected by antivirus software, with pre-configured automatic updates.
If applicable, your organization’s medical devices should directly support AV software, or the manufacturer should ensure you can add AV software. If you cannot add in AV software, install compensating controls that enforce an AV scan after the device is serviced and before reconnecting to the network.
A critical first step when conducting an annual SRA is to create and inventory of where the organization’s PHI exists. Is this an easy task? Surprisingly, most provider IT departments don’t have a thorough, up-to-date inventory of where PHI is stored or how it moves. Many HCO’s benefit from asking the question, “How do you know you’re protecting PHI in you don’t know where it lives?” Start your SRA with a comprehensive PHI inventory and then methodically review your policies and procedures against the inventory to make sure you’re protecting your patient’s PHI.
How Do You Manage and Control Personnel Access to ePHI, Systems, and Facilities?
We are encouraged by the market trend that single sign-on (SSO) systems, much like multi-factor authentication, are now tablestakes in organizations with sound security practices. SSO automatically manages access to all software and tools once users have signed onto the network, provides ease of access for workforce members when they log into company systems, and the technology behind it allows organizations to monitor and log access.
Do You Use Encryption to Control Access to ePHI?
The secure collection and management of ePHI is so critical that whenever possible, we recommend you implement a mechanism to encrypt and decrypt ePHI. Many providers opt to install encryption software on endpoints that connect to your EHR system, especially mobile devices like laptops.
After you have established encryption practices, maintain audit trails of the encryption in case a device is ever lost or stolen. This simple and inexpensive precaution may prevent a complicated and expensive breach. Many manufacturers already offer local encryption in case a device is stolen. Although it should go without saying, do not send PHI via email. If you have to send emails with sensitive information, implement an e-mail encryption module that enables users to securely send e-mails to external recipients or to protect information that should only be seen by authorized individuals.
Do You Use Alternative Safeguards in Place of Encryption?
If you have devices that cannot be encrypted, or they are managed by a third party, implement physical security controls to discourage theft or unauthorized removal. Some organizations opt for anti-theft cables, locks on rooms where devices are stored, and key card technology to monitor access to company devices.
As an alternative to – or in addition to – encryption, many healthcare organizations benefit from prohibiting the use of unencrypted storage, such as thumb drives, mobile phones, or computers. If your organization decides to offer the aforementioned mobile storage mediums, require their encryption before deploying them in your organization.
Audit Your Information Systems
All systems which create, receive, maintain, or transmit ePHI (including any firewalls, databases, servers, and networked devices) should be examined to determine how security settings can be implemented to most appropriately protect ePHI.
Keep in mind, these vulnerability scans may yield large amounts of data, which organizations urgently need to classify, evaluate, and prioritize to remediate security flaws before an attacker can exploit them.
Do You Manage The Access and Use of Your Facilities, Especially Those That House ePHI?
Even though it may seem overly formal or unnecessary, we strongly recommend organizations create written procedures that document restricted access and use of company facilities. Just as network devices need to be secured, physical access to the server and network equipment must be restricted to IT professionals or other workforce members who are approved to access servers or other critical infrastructure.
Physical access precautions include keypads, locks, security cameras, etc. We also recommend that healthcare organizations have an inventory of the practice’s facilities that house equipment which create, maintain, receive, and transmit ePHI. Policies and procedures should outline managements’ involvement in facility access control and how authorization credentials for facility access are issued and removed for the workforce members and/or visitors.
Going further on the topic of physical access, we recommend you disable network ports that are not in use. Maintain network ports as inactive until an activation request is authorized. This minimizes the risk of an unauthorized user plugging in to an empty port to access to your network. In conference rooms or waiting areas, establish guest networks that separate organizational data and systems. This separation will limit the accessibility of private data from guests visiting the organization. Validate that guest networks are configured to access authorized guest services only.
Do You Keep an Inventory of Electronic Devices and Audit Reports?
Data sprawl, shadow IT, and growing equipment inventories all come with the growth of an organization. While it is critical for healthcare companies to continue to grow, we suggest that IT leaders and designated security officers establish policies to inventory all electronic devices and their functions, with ongoing documentation and updates every 4-6 months.
Once you have your documentation and audit policies in place, it is essential to store your records for safekeeping in case you are audited for a certification, such as HITRUST, or you are audited by a government regulator. A good rule of thumb is to retain records of audit report review for a minimum of six (6) years, consistent with retention requirements for all information security documentation. While some states or jurisdictions may have additional requirements beyond the 6-year retention requirement, 6 years is a safe starting point for many organizations.
Do You Ensure Access to ePHI is Terminated When An Employee Leaves The Company?
We recommend written procedures documenting termination or change of access to ePHI upon termination or change of employment, including recovery of access control devices (including organization-owned devices, media, and equipment), deactivation of information system access, appropriate changes in access levels and/or privileges pursuant to job description changes that necessitate more or less access to ePHI, time frames to terminate access to ePHI, and exit interviews that include a discussion of privacy and security topics regarding ePHI.
These post-separation employment policies are especially relevant for healthcare companies that are already operating in the cloud because employees no longer have to be on-prem in order to access sensitive company data. And even if an employee is transitioning to another role in the organization, IT teams need to confirm that the employee still requires the same level of permissions and access in their new capacity.
SRAs for Healthcare Organizations
Throughout these two articles we have emphasized the value in conducting regularly scheduled, programmatic Security Risk Assessments that are designed to keep your organization compliant with government regulations (i.e., The Office of Civil Rights Guidance Document) and secure from cyber threats. If you have additional questions about conducting a rigorous SRA or want professional expertise to ensure your organization is safe from potential threats, reach out to our Professional Services team. ClearDATA has worked with hundreds of healthcare companies to create secure cloud operating environments and protect the incredibly valuable PHI every healthcare organization collects.