HIPAA Security Rule Checklist

A HIPAA Security Rule checklist helps covered entities, business associates, and other organizations subject to HIPAA compliance to fulfil the requirements of the Security Standards for the Protection of Electronic Protected Health Information (better known as the HIPAA Security Rule). Complying with the Security Rule Standards can reduce the likelihood of HIPAA violations and data breaches attributable to human error and bad actors.

Introduction to the HIPAA Security Rule

The HIPAA Security Rule in Part 164 Subpart C of the HIPAA Administrative Simplification Requirements consists of regulations, standards, and implementation specifications that have the objective of ensuring the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) created, collected, maintained, or transmitted by covered entities, business associates, and other organizations subject to HIPAA compliance.

All organizations subject to HIPAA must comply with the “applicable” Security Rule regulations, standards, and implementation specifications. However, because the Security Rule is technology neutral, organizations are allowed a “flexibility of approach” with regards to what security measures are implemented. The flexibility of approach also extends to how organizations fulfil the requirements of “addressable” implementation specifications.

What is a HIPAA Security Rule Checklist?

A HIPAA Security Rule checklist is a summary of the main regulations, standards, and implementation specifications likely to be applicable to most organizations. The reason for the checklist being a summary is that, due to the different types of organizations required to comply with the Security Rule and the flexibility of approach allowed by the Security Rule, there is no one-size-fits-all HIPAA Security Rule checklist that will match every organization’s requirements.

Organizations should use this HIPAA Security Rule checklist as the foundation of their own checklists – paying careful attention when developing a checklist to the General Requirement (§164.306(a)) that organizations not only have to protect against any reasonably anticipated threats to the security and integrity of ePHI, but also protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required by the Privacy Rule.

Who This HIPAA Security Rule Checklist Is For

This HIPAA Security Rule checklist is for any member of the workforce with a responsibility for HIPAA compliance. This could be the HIPAA Security Officer or a member of the Compliance Team depending on the size of the organization, or – if elements of compliance are delegated to other teams – this HIPAA Security Rule Checklist could be a valuable guide for a member of an IT, HR, Legal, or Security Team.

With regards to the types of organization this HIPAA Security Rule checklist should help, it has been designed not only to be relevant to HIPAA covered entities and business associates, but also to subcontractors of business associates, vendors of personal health devices, and organizations that do not qualify as covered entities under HIPAA, but may do so under a state law – for example, the Texas Medical Records Privacy Act.

10 Important Elements of Security Rule Compliance

While it is important to review and understand every Security Rule regulation, standard, and implementation specification, there are ten important elements of Security Rule compliance that will apply to most organizations.

1. Read the Security Standard General Rules

The Security Standard General Rules include the conditions that apply when exercising the flexibility of approach and determining when an addressable implementation specification is not reasonable or appropriate. It is important not to bypass this section because the standards and implementation specifications within it are relevant to the remainder of the checklist.

2. Conduct a Thorough Risk Assessment

In order to ensure the confidentiality, integrity, and availability of ePHI, it is necessary to know how and where ePHI is created, collected, maintained, and transmitted. For this reason, it is important to identify any unsanctioned software and apps used by members of the workforce (“Shadow IT”) and any systems or devices they connect to.

3. Control and Monitor All Access to ePHI

Depending on the outcome of the risk assessment, you will be in a better place to determine what access controls are required to ensure only authorized members of the workforce have access to ePHI. However, it will still be necessary to monitor access in order to identify when passwords are shared impermissibly or when login credentials are compromised.

4. Develop a Training Program and Sanctions Policy

The Security Rule requires all organizations to implement a security awareness training program for all members of the workforce regardless of their access to ePHI. Organizations are also required to develop and enforce a sanctions policy for any violation of a security policy or procedure, regardless of whether the violation results in a data breach.

5. Implement Procedures for Reporting Security Incidents

The Security Rule requires organizations to implement policies and procedures to manage security incidents; but, for this standard to be effective, organizations must become aware of security incidents as quickly as possible. For this reason, it is advisable to implement procedures that enable members of the workforce to report security incidents promptly.

6. Disaster Recovery and Emergency Mode Operation

Most healthcare providers have to implement measures for disaster recovery and emergency mode operation as a condition of participating in Medicare. However, as downstream disasters can affect healthcare providers’ operations, it is essential that all organizations develop, test, and revise disaster recovery and emergency mode operation plans.

7. Business Associate and Subcontractor Agreements

The reason for including business associate and subcontractor agreements in this HIPAA Security Rule checklist is to remind organizations to refer to §164.504(e) of the Privacy Rule, which includes important information about conducting due diligence on business associates and subcontractors before releasing ePHI to a third party.

8. Configure Software to Comply with the Security Rule

Most modern software solutions include capabilities such as data integrity controls, encryption, and automatic logoff. However, the software is not always configured by default to comply with the Security Rule. The settings of all software used to create, collect, maintain, or transmit ePHI should be reviewed to ensure the software is used compliantly.

9. Address Threats to Facility, Device, and Media Security

It is a best practice to maintain an inventory of devices and media used to create, collect, maintain, and transmit ePHI; and, in addition to ensuring that the devices and media are protected from unauthorized access, the facilities in which they are located should also be protected from unauthorized access to prevent tampering and theft.

10. Schedule a Review of the HIPAA Security Rule Checklist

The final implementation standard in the Security Rule requires organizations to maintain documentation, review it periodically, and update it as required in response to environmental or operational changes. Due to the changes expected in 2024, organizations are advised to schedule a review of the HIPAA Security Rule checklist for within twelve months.

Expected Changes to Security Rule Standards in 2024

In December 2023, the Department of Health and Human Services published a Healthcare Sector Cybersecurity Strategy – a concept paper that proposes measures to secure the healthcare industry from cyber threats in line with President Biden’s National Cybersecurity Strategy. One of the measures proposed in the concept paper is to update the Security Rule to include new cybersecurity requirements.

Due to the length of time it takes for proposed Rules and changes to existing Rules to evolve into Final Rules, it is unlikely the new cybersecurity requirements will take effect in 2024. However, there are several other Rule changes in the pipeline that are likely to impact Security Rule compliance in 2024. These include (but are not limited to):

  • The publication of “recognized security practices” that will be considered when determining the amount of a civil monetary penalty for violating HIPAA.
  • The requirement to include disclosures of ePHI for treatment, payment, and healthcare operations in an accounting of disclosures (see 42 USC §17935(c)).
  • The application of HIPAA violation penalties to impermissible disclosures of Substance Use Disorder Patient Records currently protected by 42 CFR Part 2.
  • A new category of “attested” uses and disclosures to prevent reproductive health care data being used or disclosed for a “non-health” purpose.

Organizations that encounter challenges in preparing for these expected changes – or that have difficulty developing a HIPAA Security Rule checklist – are advised to seek professional compliance advice.

The post HIPAA Security Rule Checklist appeared first on HIPAA Journal.

Meridian Behavioral Healthcare Discloses 99,000-Record Data Breach

Data breaches have recently been reported by Meridian Behavioral Healthcare, Network 180, Erie VA Medical Center, and Fred Hutchinson Cancer Center.

Meridian Behavioral Healthcare

Meridian Behavioral Healthcare, Inc. in Florida has recently confirmed that protected health information was exposed in a security breach that was detected on August 11, 2023. Third-party cybersecurity specialists were engaged to investigate the breach and on December 4, 2023, confirmed that 98,808 individuals had been affected. Written notifications were mailed on December 22, 2023. The information exposed in the breach varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Meridian Behavioral Healthcare said it is not aware of any misuse of patient data but has offered the affected individuals complimentary credit monitoring services. Additional security measures have been implemented within its network, and data security policies and procedures are being reviewed and will be updated to better protect patient data.

Network 180

The Kent County Community Mental Health Authority, which does business as Network 180, has notified 59,334 individuals about unauthorized access to their protected health information. A security breach was detected on October 18, 2023, and the attack was contained by the IT department the same day. Third-party cybersecurity experts were engaged to investigate the breach and confirmed on October 25, 2023, that the unauthorized activity stemmed from a phishing attack.

An employee clicked a malicious link in an email that directed them to a website where they were prompted to enter their credentials, which were captured by the attacker and used to access the employee’s email account. Network 180 said multi-factor authentication was enabled on the employee’s account; however, the MFA controls were bypassed in the attack. The threat actor was able to access the employee’s email account between September 28, 2023, and October 18, 2023, and during that time exported data from the account, including names, addresses, dates of birth, full or partial Social Security Numbers, health insurance policy information, medical information, other demographic information (i.e., race or gender), and in a limited number of cases, financial account or payment card numbers and/or driver’s license numbers.

Network 180 said it has taken several steps to improve the security of its Office 365 email accounts and has hired cybersecurity staff to proactively monitor its systems. The affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Network 180 deserves credit for being transparent about the data breach and providing detailed information in its breach notice to the affected individuals.

Erie VA Medical Center

Erie VA Medical Center has apologized for an impermissible disclosure of patient data in mid-November. A printing error was made when sending appointment scheduling and appointment reminders to patients, which resulted in the reminders being sent to incorrect patients. The postcards only included information concerning the appointment and did not include sensitive or other identifying information. 2,380 veterans in Delaware, Kentucky, Maryland, New Jersey, New York, Ohio, Pennsylvania, Virginia, & West Virginia were affected. The postcards were sent to the correct recipients on November 16, 2023.

Fred Hutchinson Cancer Center

Fred Hutchinson Cancer Center has notified 544 patients that some of their sensitive data has potentially been exposed. Fred Hutch was notified on October 27, 2023, by a provider that their laptop computer had been lost while traveling. The laptop was used to access a Microsoft Outlook application through which patient information could be accessed. The provider said the laptop was password protected and has now been configured to initiate a remote wipe of the hard drive if it comes online. Fred Hutch conducted a review to find out what types of data were accessible through the laptop and determined that names, addresses, phone numbers, dates of birth, medical record numbers, patient account numbers, dates of service, and certain clinical information had been exposed, and for a limited number of patients, also Social Security numbers.

Notification letters were sent on December 26, 2023, and complimentary credit monitoring services have been made available to individuals who had their Social Security numbers exposed. Fred Hutch has provided additional education to the workforce on safeguarding mobile devices. This is the second data breach to be reported by Fred Hutchinson Cancer Center in the past few weeks. A much more serious breach occurred between November 19 and November 25, 2023, when a cybercriminal group breached its network and stole patient data. Fred Hutch has not yet confirmed how many patients have been affected but the hackers claimed to have infiltrated the data of around 800,000 patients. When the ransom was not paid, the threat actors started threatening patients directly.


Hospital IT Help Desks Targeted in Sophisticated Payment Fraud Scam

U.S. hospitals are being targeted by cybercriminals in a sophisticated payment fraud scam, according to the American Hospital Association (AHA). The AHA has received multiple reports of scammers contacting hospital IT departments to perform password resets and enroll new devices to obtain multifactor authentication (MFA) codes. Once access has been gained to employee email accounts, the scammers send instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts. The funds are then transferred to overseas accounts.

According to the AHA, scammers contact IT departments and pose as revenue cycle employees or other employees in sensitive financial roles. They provide stolen personal information to verify their identity and pass the security checks required to perform a password reset and enroll a new device to receive MFA codes. The devices used to receive the codes often have a local area code. With a new device enrolled, the scammer receives the MFA codes, allowing them to access employee email accounts. This technique also allows the scammers to defeat phishing-resistant MFA.

The AHA has received dozens of reports from U.S. hospitals that have been targeted and had payments diverted to attacker-controlled accounts. Anyone who falls victim to such a scam should immediately report it to the Federal Bureau of Investigation (FBI) and their financial institution to try to get the transfer blocked and recover the fraudulently transferred funds. The FBI has been able to successfully block fraudulent transfers of funds if notified within 72 hours of the transfer being made.

Hospitals should consider implementing stricter IT help desk security protocols to ensure they do not fall victim to these scams. John Riggi, AHA’s national advisor for cybersecurity and risk, suggests that as a minimum, any requests for password resets should require a call back to the number on record for the employee requesting a password reset and enrollment of a new device. Some hospitals have implemented procedures that require any such request to be made in person at the IT help desk. Riggi also suggests implementing policies that require the supervisor of the employee to be contacted to verify any such request. “This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes,” said Riggi.


Citrix Patches 2 Actively Exploited NetScaler ADC and Gateway Zero Days

Two zero-day vulnerabilities have been identified in customer-managed Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices that are being exploited in the wild. The vulnerabilities are present in the NetScaler management interface and can be exploited on unpatched devices that are exposed to the Internet.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, and while attacks have been limited, CISA warns that the vulnerabilities are frequent attack vectors for malicious cyber actors and exploitation is likely to increase in the coming days. In December, Citrix released an advisory about a vulnerability dubbed CitrixBleed (CVE-2023-4966) which has been extensively exploited by ransomware groups. As such, CISA has advised all federal agencies to ensure the patches are applied as soon as possible and at most within a week.

The two recently disclosed zero-day bugs are unrelated to CitrixBleed. CVE-2023-6549 is a high-severity buffer overflow vulnerability with a CVSS base score of 8.2. The flaw can be exploited in a denial-of-service attack. CVE-2023-6548 is a medium-severity code injection vulnerability with a CVSS base score of 5.5, which can be exploited to achieve remote code execution. To exploit the latter, an attacker would need to be authenticated, but only low-level privileges are required.

The vulnerabilities are far less severe than CitrixBleed; nonetheless, customers have been advised to apply the patches promptly because the vulnerabilities are under active exploitation. Proof-of-concept exploit code is not believed to have been publicly released, but that is likely to happen soon, and exploitation will then increase considerably.

The vulnerabilities are present in the following NetScaler ADC and NetScaler Gateway versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Citrix has released patches to fix both vulnerabilities and has suggested a workaround if that is not possible.
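As an added example (not code from the advisory or from Citrix), the triage helper below encodes the fixed builds listed above and flags inventory entries whose build predates the fix, distinguishing the FIPS and NDcPP branches from the standard 13.1 and 12.1 releases. The host names and inventory are constructed, and the helper assumes NetScaler builds compare as numeric (major, minor) pairs within a release.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the Citrix advisory above, keyed by (variant, release).
# A device is affected when it runs a listed release with a build *before* the fix.
FIXED_BUILDS = {
    ("standard", "14.1"): (12, 35),
    ("standard", "13.1"): (51, 15),
    ("standard", "13.0"): (92, 21),
    ("FIPS", "13.1"): (37, 176),
    ("FIPS", "12.1"): (55, 302),
    ("NDcPP", "12.1"): (55, 302),
}

# NetScaler version strings look like "13.1-51.15": release "13.1", build 51.15.
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-51.15' into ('13.1', (51, 15)); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    release, major, minor = m.groups()
    return release, (int(major), int(minor))


def is_affected(version: str, variant: str = "standard") -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if the
    release/variant is not covered by the advisory (e.g. an unlisted branch)."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS.get((variant, release))
    if fixed is None:
        return None          # not in the advisory: needs manual review
    return build < fixed     # tuple comparison: (37, 176) < (51, 15)


def triage(inventory):
    """Sort (hostname, variant, version) records into action buckets."""
    buckets = {"patch": [], "fixed": [], "review": []}
    for host, variant, version in inventory:
        status = is_affected(version, variant)
        if status is True:
            buckets["patch"].append(host)
        elif status is False:
            buckets["fixed"].append(host)
        else:
            buckets["review"].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "standard", "14.1-8.50"),       # before 14.1-12.35: patch
    ("ns-gw-02", "standard", "13.1-51.15"),      # at the fixed build
    ("ns-fips-01", "FIPS", "13.1-37.176"),       # fixed on the FIPS branch
    ("ns-legacy-01", "standard", "12.1-65.25"),  # standard 12.1 is not listed
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Note that the same version string 13.1-37.176 is fixed on the FIPS branch but still affected on standard 13.1, so the variant must come from the device record, not the version string.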
