The top HIPAA threats are threats from insiders who, either due to a lack of HIPAA training or a lack of security awareness, violate HIPAA standards or make mistakes that allow cybercriminals to access healthcare networks. While more training could help mitigate these top HIPAA threats, a fairly enforced sanctions policy will likely be more effective.

Many articles listing the top HIPAA threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.

Inasmuch as the recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threats – employees. According to the recently-published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).

A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?

Although IBM´s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues, and celebrity patients.

Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats covered entities should be aware of. It is certainly a threat OCR would expect a covered entity to address in a HIPAA risk assessment.

Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines

Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.

A spate of high-volume data breaches around the same time prompted the HHS´ Office for Civil Rights to issue a reminder to covered entities to take action to prevent insider data theft. Unfortunately many covered entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.

Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?

According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.

This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can mitigated with phishing simulation training. Similarly, errors made by IT security can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.

The Top HIPAA Threats and How to Defend Against Them

At HIPAA Journal we strongly recommend covered entities encrypt data, implement two-factor authentication and conduct due diligence on business associates. These practices – and others provided by HIPAA threat-style articles- will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, covered entities need to:

• Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
• Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
• Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.

More than anything, covered entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, covered entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.

The post The Top HIPAA Threats Are Not What You Think appeared first on The HIPAA Journal.

Healthcare compliance software is a comprehensive management tool that helps professional compliance officers to effectively oversee compliance efforts across their organization’s facilities, by proactively managing risk, streamlining workflows, improving collaboration, and demonstrating the achievement of compliance objectives to stakeholders.

What Are The Benefits Of Healthcare Compliance Software?

For a compliance pro, the benefits of compliance software are:

1. Increased Visibility: Compliance software provides real-time visibility into compliance activities across sites, including incident management, allowing the chief compliance officer to monitor progress, track key metrics, and identify areas that require attention, on  a per site and per employee basis. This increased visibility and granularity enhances the chief compliance officer’s ability to effectively oversee compliance efforts across the organization.

2. Streamlined Workflows: Compliance software automates many administrative tasks related to compliance management, such as tracking compliance activities, scheduling self-audits, and managing documentation. This saves time and reduces manual effort for all compliance team members.

3. Enhanced Reporting: Customizable reporting and analytics allow compliance officers to generate detailed reports on compliance activities, performance metrics, and audit findings. These reports help communicate compliance efforts to senior management, regulators, and other stakeholders, showcasing a commitment to compliance excellence. They also make evidence tracking simple so that this can be provided for an audit.

4. Centralized Documentation: By providing a centralized repository for storing and managing compliance-related documents, such as policies, procedures, training materials, and audit reports, healthcare compliance software ensures that all relevant documentation is organized, up-to-date, and easily accessible when needed.

5. Improved Collaboration: Facilitating collaboration and communication among compliance team members, stakeholders, and other departments, compliance software for healthcare organizations improves coordination and alignment on compliance initiatives. This enhances the chief compliance officer’s ability to create an exemplary compliance culture across the organization.

6. Reduced Risk: By automating compliance processes, providing real-time visibility into compliance activities, and facilitating proactive risk management, healthcare regulatory compliance software helps compliance officers minimize risk and mitigate potential compliance failures.

What To Consider When Purchasing Healthcare Compliance Software?

There are three aspects to consider when purchasing healthcare compliance software:

1. Essential Functionality

2. Software Specifications

3. Business Considerations

The following buyer’s framework has been designed to guide you to find the most suitable solution for your organization’s compliance objectives, through a comprehensive and objective assessment of available options.

1. What Essential Functionality Is Required For Healthcare Compliance Software?

The best healthcare compliance software solution is a flexible all-in-one healthcare compliance system that follows a recognized framework like the OIG-HHS Seven Fundamental Elements Of An Effective Compliance Program. It should offer real-time visibility of compliance objectives across all the organization’s facilities, and because all organizations are different, it should have both prebuilt and fully customizable options.

The following is the essential functionality for your organization’s healthcare regulatory compliance requirements:

1. All In One Compliance

• Does the software cover all healthcare regulatory areas such as HIPAA, OSHA, and SOC 2 compliance?
• Does the software allow you to customize your own compliance standards?
• Does it include OIG exclusion screening and monitoring?

2. Risk Management

• Self-audit and external audit management
• Risk scoring
• Gap identification
• Remediation planning
• Evidence tracking

3. Incident Response & Management

• Anonymous incident reporting for employees
• Breach incident reporting
• Breach management tools for internal and external incidents

4. Policies & Procedures

• Templated and customizable policies and procedures
• Policy and procedure management
• Central storage of policies and procedures
• Employee attestation management
• Employee portal for easy access to review policies

5. Employee Training

• Train, track, and manage compliance training for employees
• Up-to-date compliance training modules
• Personalized, individual employee training certificates
• Training beyond HIPAA covering other HR needs such as OSHA and Fraud Waste & Abuse

6. Vendor Management

• Identify and track business associates
• Customizable business associate agreement templates
• Store and track business associate agreements
• Vendor due diligence and risk scoring
• Contract management and vendor exclusion screening

7. Multi-Site Management

• Manage the compliance levels at each site in an organization separately

8. Reporting

• Customizable reporting templates including reports to demonstrate compliance with stakeholders or regulators
• Centralized documentation storage
• Audit logging and reports

8. Employee Screening

• Ability to check the HHS OIG Exclusions list
• Sanction screening 
• Employee conformance scoring
• HRIS integrations

2. What Are The Software Specifications To Consider For Compliance Solutions?

Software specifications are aspects of a solution, such as usability or scalability, that are not about specific functionality but describe the broader qualities of the software. Specifications can help inform your decision when comparing healthcare compliance management software options.

1. Ease Of Use

• Assess the software’s overall user experience, including the user interface and navigation menus.
• Does the software have an intuitive interface that includes workflows for conducting compliance activities?
• Do dashboards demonstrate at a glance the overall compliance state of the organization, while also showing individual tasks, messages, and alerts like in our example below?

• How user-friendly are the training modules that employees will be required to take as part of the organization’s compliance?

2. Customization

• Are workspaces customizable?
• Are documents such as policies customizable?
• Are reports customizable?

3. Scalability & Flexibility

• Can the software accommodate your organization’s current scale, for example, to manage multiple locations?
• Can it scale up and adapt to your organization’s evolving future needs?

4. Integration Capabilities

• How will the software integrate with your existing IT infrastructure and the other third-party applications used within your organization?
• Cloud-based solutions are the easiest to implement, and have the advantage that ongoing infrastructure maintenance is the responsibility of the software vendor.

5. Future Proofing

• How will the software vendor address regulatory changes and updates to ensure ongoing compliance in a timely manner?

3. What Are The Business Considerations When Choosing Software?

Often when evaluating functionality and specifications, a favored vendor will quickly emerge. Nevertheless, it is recommended that you fully examine the commercial and business considerations before a final decision is made.

1. Vendor Reputation

• Is the software endorsed by any medical associations?
• Does the vendor have up-to-date case studies and testimonials from other similarly sized healthcare organizations that have successfully implemented the solution?
• It is always a good idea to speak directly with existing customers about their experiences with both the software and the vendor.
• It is better to speak to “random” customers than those provided by the vendor because it is highly unlikely they will provide a reference for an organization with a poor experience.
• If you have compliance department contacts across the healthcare industry consider reaching out to ask if anyone has direct experience with your favored vendor.

2. Vendor Training & Support

• Does the vendor offer live support throughout the initial implementation phase?
• What training is offered for your compliance team?
• After setup what ongoing support is offered? Is it 24 x 7?

3. Costs 

• Look for a transparent breakdown of pricing structures, including initial setup costs, licensing fees, and any additional charges for support or updates.
• Is there a one-time purchase cost or is it a subscription-based model? Subscriptions have become the most common way to purchase cloud-based software.
• If fees are charged on a per-seat subscription basis then how will they change as the organization grows?
• If cost is an issue and it appears that the solutions on your shortlist are similar, ensure you create a price comparison table taking all factors into account, such as extra costs for training or support.
• You can also do the same comparison exercise based on growth scenarios. You don’t want to choose a cheaper solution now that turns into a far more expensive solution later on.
• Does the vendor offer discounts? For example, they may offer a group discount for an association you may already be a member of. It’s always worth asking as often this can be 15% or more off the list price annually.

4. Free Trial Or Money Back Guarantee

• A full demonstration may be enough to help you make your decision, but sometimes a short trial period can be helpful if you have any doubts. It also allows you to ask your colleagues to take a look at their convenience before a final decision is made.
• Not all software is suitable for a free trial because of the effort required for the setup by both the vendor and the healthcare organization. In this scenario, you could ask for a guarantee that if you are not satisfied you have the option to back out of the agreement within a certain period.

5. Software Licence Period

• What is the commitment period you are signing up for? Is it month-by-month or year-by-year? Is there a minimum period such as three or five years? Read the small print on any agreement before you send it to your legal department.
• The advantage of shorter periods is that the onus is on the software vendor to ensure you are kept happy because they won’t want you to cancel. Alternatively, if you are willing to sign up for a longer period then you may be able to negotiate a lower annual cost.

Free Buyer’s Guide

We have compiled a free buyer’s guide to choosing the best healthcare regulatory compliance software. This includes a checklist for the three aspects discussed in this article where you can rate up to three different solutions and compare your results. This guide to choosing healthcare compliance software can be downloaded by filling in the form on this page.

The post Building a Stronger Compliance Program With Software appeared first on The HIPAA Journal.