Monday, October 27, 2014

The Need for Risk Assessment of Peripheral Devices

LaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network.

Peripheral devices are devices on your network other than your computers and servers. These include devices such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices are used to store or process sensitive information, and contain a hard drive or other form of memory, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement of $1.2 million after it returned copy machines to a leasing company, unknowingly releasing the ePHI of over 300,000 individuals stored on the machines’ hard drives. The breach was discovered by CBS Evening News, which purchased the copy machines as part of an investigation after Affinity Health Plan had returned them to the leasing company. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.

Wednesday, June 18, 2014

HIPAA Security Rule and Home Workers

The number of staff who work from home has continued to increase at benefit fund offices, as it has at many other organizations. While this can be beneficial for both the fund office and the remote worker, it also poses HIPAA-related security concerns. Weak security in the home computer environment can lead to a fund office network breach and/or unauthorized access to electronic protected health information (“ePHI”).

Without proper policies and security in place, the following can occur:
  • Lack of a firewall, or an improperly configured DSL or cable modem, could allow a hacker unauthorized access to the home worker’s computer. Once the hacker has gained access to the computer, they could use that connection to reach the fund office network.
  • Depending on the security controls in effect, it may be difficult to prevent a home worker from copying files from the fund office network to the home worker’s PC. If there is any possibility of this happening, the home worker’s computer should be encrypted in the same way as the PCs at the fund office. This helps prevent unauthorized access to ePHI if the computer is stolen.
  • Missing or out-of-date Microsoft security patches could allow a hacker unauthorized access to a home worker’s computer. Once the hacker has gained access to the computer, they could use that connection to reach the fund office network.
These are just a few examples of the security issues that can occur. Only through proper policies, staff training and technical safeguards can these threats be kept to a minimum. We recommend that HIPAA covered entities apply the same policies to home computers as they do to computers located at the fund office premises. The Department of Health & Human Services has published a document that provides additional guidance to HIPAA covered entities that allow remote access to ePHI.

LaSalle Consulting Partners can help you develop and implement policies that help safeguard ePHI. Please contact me at 312-361-3313 if we can be of help.

Tuesday, March 18, 2014

HIPAA Permanent Audit Program: the Pre-Audit Survey

The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. On February 20, 2014 the Department of Health and Human Services announced plans to use a Pre-Audit Survey form to gather information in an effort to assess the size, complexity and fitness of an entity for an audit. Below is a summary of the announcement.
  • The Office for Civil Rights (OCR) will be sending the survey to as many as 1,200 HIPAA covered entities and business associates to determine suitability for an audit, as part of the much anticipated permanent HIPAA audit program. Approximately two-thirds of the surveys will go to HIPAA covered entities and the remainder to business associates. Information will be gathered to evaluate the “fitness of a respondent for an audit.”
  • The OCR is required to conduct audits to ensure the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. By acquiring information through the Pre-Audit Survey, the OCR will attempt to determine which organizations may benefit from its audit.
  • The survey will take approximately 30-60 minutes. Organizations will need to install software prior to the survey. In response to this requirement, and to other time constraints placed on organizations by the issuance of the permanent HIPAA audit, the OCR has released the following Burden Statement:
“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”

Organizations must be prepared for the Pre-Audit Survey. Preparations will entail certain actions (for instance, installing the necessary software), but another significant aspect of preparedness is becoming knowledgeable on OCR mandates and keeping up-to-date with information concerning the permanent HIPAA audit program that will begin soon.
Other possible preparations include, but are not limited to, performing an independent Risk Assessment (a less understood mandate of the OCR), forming policies and procedures to protect ePHI and/or respond to a data breach, and drafting Business Associate Agreements with clients and Business Associates (in the case of HIPAA Covered Entities). For the full announcement, please visit the Federal Register. Please contact LaSalle Consulting Partners for more information on the upcoming Pre-Audit Survey.

Friday, January 24, 2014

The HIPAA Security Rule and Necessity of Risk Assessment

Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such a risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of ePHI, must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization” (§ 164.308(a)(1)(ii)(A)).

While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis that must be conducted. The Rule indicates some considerations for analysis, which include (but are not limited to) ePHI within the organization, external sources of ePHI, and potential threats to information systems that contain ePHI. The Security Rule recognizes, however, that risk assessment cannot be standardized, because each organization has a unique relationship with ePHI.

Listed below are the “Elements of a Risk Analysis” for § 164.308(a)(1)(ii)(A), as provided by the U.S. Department of Health & Human Services. The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.

1. Scope of the Analysis
2. Data Collection
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Potential Impact of Threat Occurrence
6. Determine the Level of Risk
7. Finalize Documentation
8. Periodic Review and Updates to the Risk Assessment

LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.