If one lesson is clear from the constant stream of recent settlements announced by the Office for Civil Rights, it is that covered entities are not implementing risk management plans to reduce risks to protected health information (PHI) to an acceptable and appropriate level. The frequency of seeing the same finding is a strong indicator of a more systemic issue – that organizations could use more detailed guidance on how to manage risks.
The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate that is affected by the “WannaCry” ransomware attack or other malware should respond to the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule.
In your midst is a shadowy network of illicit devices poisoning the carefully controlled ecosystem you and your networking operations team have painstakingly built. Years of toiling with management to fund new initiatives, educating users to act securely, managing policies and procedures with careful and diligent precision are at risk of being rendered useless.
Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.
Compliance officers everywhere want to believe the compliance program they oversee is effective. Some believe it is effective, some hope it will be found effective and some know the program is not effective because of significant gaps in one or more of the seven elements of an effective compliance program. If you are a believer, ask yourself, “What methods have I established to demonstrate effectiveness?” If you are filled with hope – well hope is not a strategy. If you know your program has gaps, what are you doing to address those gaps? An additional resource now exists to help evaluate effectiveness. The OIG/HCCA Measuring Compliance Program Effectiveness: A Resource Guide released March 27, 2017, provides recommendations on what to measure and how to measure it under each of the seven elements.
Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.
CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program in either 2017 or 2018. The changes to the EHR Incentive Program, which would primarily apply to hospitals, are contained in a proposed rule, Medicare Program: Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2018 Rates, which is due to be published in the Federal Register on April 28th. The publication of the 2015 MU proposed rule in the Federal Register will start the customary 60-day public comment period which would be scheduled to end June 27, 2017.
The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), published an advisory in the March issue of its “Cybersecurity Newsletter” warning of a well-known attack method known as the man-in-the-middle (MitM) attack. This type of attack is used by attackers to, exactly as it sounds, become a man in the middle of a secure connection. So, while the victim thinks they are connecting to their destination website (e.g. bank, social media, email, etc), the attacker is taking over the connection and can see any data “in the clear” before it is forwarded on to the actual destination.
While researching future blog post topics, I discovered that many people are searching on Google in the hopes of better understanding the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer even if your organization is not governed by regulatory or compliance requirements to have a penetration test done. There are plenty of reasons to conduct a pen test, or red team assessment, on your organization’s technical environment.
Most healthcare organizations today have a compliance program, but how many can say the program is effective and more importantly feel confident they could demonstrate effectiveness? It is not uncommon to hear, “I cannot define effectiveness but I know it when I see it.” Why is this important? All compliance professionals know having a paper compliance program (compliance plan that sits on the shelf along with well drafted but not implemented policies and procedures) is not effective. But as one assesses what an organization is doing as it relates to the seven elements of an effective compliance program based on the Federal Sentencing Guidelines and all the various OIG compliance program guidance documents, the process gets more convoluted. How much is enough, and do you just want to do “the bare minimum”?