USB drives pose security risks

Today USB drives (also known as flash drives and thumb drives) are commonplace.  They can store a lot of data, they are cheap and they are very easily transported; a 2GB flash drive can be bought for $7.00 or less.  These drives give you the ability to carry documents, spreadsheets, PDF files and other data from one computer to another.  Unfortunately, along with convenience come security risks. 

An employee working on a document could copy it to a flash drive, bring it home and modify the document there, then copy the revised document back to the flash drive and, in the morning, onto their work computer or network drive.  Just as easily, an employee may copy a series of reports extracted from an EMR, a spreadsheet listing patients' financial information, or next week's schedule of patients and their demographics.  The employee may have the best of intentions of working on the information at home.  Now suppose the employee misplaces the flash drive on the way home.  The data on USB drives is usually not encrypted.  A flash drive is about the size of a house key, and some drives attach right to a key chain; we have all lost or misplaced keys, and losing a flash drive is just as likely.  If the employee loses a flash drive holding unencrypted patient information, the practice is looking at a HIPAA security breach.  Along with the breach may come fines, the cost and expense of breach notifications and the negative press that a practice may incur. 

Another security risk centers around viruses and spyware/malware.  The employee may bring data home to work on at night.  The employee's home computer may be infected with a virus or have malware loaded on it.  When the employee saves the modified data, the virus or malware may be written to the flash drive along with it, and it can then spread to the practice's network when the drive's contents are copied to the employee's computer or a network drive.

One way to prevent these types of security risks is to create a policy that prohibits the use of USB drives.  Unfortunately, a USB drive is so small and easily concealed that an employee may ignore the policy, not because they intend to steal data but simply to bring work home in an effort to "catch up" or finish a task. 

According to an article by Ars Technica, the National Security Agency (NSA) has developed a tool that will detect USB drives on internal computer networks. 

Although having strong IT security policies can help reduce the risks, it’s not always easy to enforce such policies. The NSA built a tool, called USBDetect, that is designed to help government agencies track the usage of USB storage devices on their internal networks. The tool is not publicly available, but is briefly described in a section of the NSA’s 2011 budget proposal, which was highlighted yesterday by NextGov defense technology blogger Bob Brewin.

“A Computer Network Defense Tool developed by NSA, USBDetect 3.0, is available to U.S. Government (USG) users free of charge. USBDetect gathers data (locally or on a network) from personal computers running Microsoft Windows 2000 or later operating systems, and reports unauthorized usage of Universal Serial Bus (USB) thumb (a.k.a. flash) drives, external hard drives, compact disk drives, and other storage devices,” the budget proposal says. “The USBDetect tool provides USG network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks.”

As the article notes, the NSA tool is available only to government agencies; it is not commercially available.

There are commercial programs that disable the use of USB drives.  Such a program makes a USB drive inaccessible and therefore prevents data from being copied to or from it.  Unfortunately this adds administrative overhead, because some employees have legitimate needs to use USB drives, including copying non-patient data, presentations, etc.  A less disruptive middle ground is to leave removable drives readable but deny writes to them: staff can still load a presentation from a drive, but EPHI cannot be copied off the network onto one. 
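The detection and blocking discussed above can be approximated with facilities built into Windows. What follows is an added example written for this page; it is not USBDetect, not a commercial device-control product and not code from the original post. It assumes Windows Vista or later, an elevated PowerShell session, WinRM enabled on any remote machine it is pointed at, and the standard registry locations named in the comments (the USBSTOR enumeration history, the USBSTOR service key and the Removable Storage Access policy key). The computer names and the approved serial number in the usage lines are constructed placeholders.

```powershell
# Added example (not USBDetect, which is not public, and not code from the post).
# Assumes Windows Vista or later, an elevated session, and WinRM for remote targets.

function Get-UsbStorageHistory {
    <# Lists every USB mass-storage device a machine has enumerated and flags
       serial numbers that are not on the practice's approved list. #>
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$ApprovedSerial = @()   # serials of drives the practice issued
    )

    $collect = {
        # Windows records each USB mass-storage device it has ever mounted here,
        # one key per model and one subkey per physical unit (its serial number);
        # entries survive unplugging, so this key is a history, not a live list.
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
        if (-not (Test-Path -Path $base)) { return }
        foreach ($modelKey in Get-ChildItem -Path $base) {
            foreach ($unitKey in Get-ChildItem -Path $modelKey.PSPath) {
                $props = Get-ItemProperty -Path $unitKey.PSPath
                [pscustomobject]@{
                    Computer     = $env:COMPUTERNAME
                    Model        = $modelKey.PSChildName
                    Serial       = $unitKey.PSChildName
                    FriendlyName = $props.FriendlyName
                }
            }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) { $rows = & $collect }
        else { $rows = Invoke-Command -ComputerName $computer -ScriptBlock $collect }
        foreach ($row in $rows) {
            # Subkey names carry an "&<instance>" suffix (e.g. "4C530001230111&0");
            # drop it before comparing with the approved list.
            $serial = ($row.Serial -split '&')[0]
            $row | Add-Member -NotePropertyName Approved -NotePropertyValue ($ApprovedSerial -contains $serial) -PassThru
        }
    }
}

function Set-RemovableStoragePolicy {
    <# Allow: default behaviour. ReadOnly: drives mount but writes are refused, so
       staff can load a presentation but cannot copy EPHI out. Block: the USB
       mass-storage driver is disabled and newly connected drives do not mount. #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateSet('Allow', 'ReadOnly', 'Block')][string]$Mode)

    # Registry form of the Group Policy setting "Removable Disks: Deny write access"
    # (Computer Configuration > Administrative Templates > System > Removable
    # Storage Access). The GUID is the device class the policy uses for removable disks.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    # Service key of the USB mass-storage driver: Start=3 is the default (load on
    # demand), Start=4 disables it so no new USB disk can be mounted.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    if (-not (Test-Path -Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    $denyWrite = if ($Mode -eq 'Allow') { 0 } else { 1 }
    $start     = if ($Mode -eq 'Block') { 4 } else { 3 }
    Set-ItemProperty -Path $policy  -Name 'Deny_Write' -Value $denyWrite -Type DWord
    Set-ItemProperty -Path $usbstor -Name 'Start'      -Value $start     -Type DWord

    # Read the values back so the caller sees what is actually in effect.
    [pscustomobject]@{
        Mode         = $Mode
        DenyWrite    = (Get-ItemProperty -Path $policy  -Name 'Deny_Write').Deny_Write
        UsbstorStart = (Get-ItemProperty -Path $usbstor -Name 'Start').Start
    }
}

# Usage (computer names and serial are constructed placeholders): which machines
# have seen a drive the practice did not issue, then make removable disks read-only.
Get-UsbStorageHistory -ComputerName 'FRONTDESK1', 'BILLING2' -ApprovedSerial '4C530001230111' |
    Where-Object { -not $_.Approved } |
    Format-Table Computer, FriendlyName, Serial -AutoSize
Set-RemovableStoragePolicy -Mode ReadOnly
```

Two caveats a practitioner should keep in mind. The USBSTOR history only covers devices Windows mounted as USB mass storage; phones connected as media devices, memory cards in built-in readers and CD/DVD drives are not in that key, and a user with local administrator rights can clear it or reverse the policy, so the settings belong in a domain Group Policy rather than a one-off script. The policy values apply to devices connected after the change, so test on one workstation, reconnect a drive, and confirm the write is refused before rolling the setting out.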

The purpose of this post is to highlight the security risks associated with USB drives.  Policies that prevent copying patient information onto removable media are required.  In addition, employees need training and periodic reminders about the dangers associated with USB drives.  Technologies can help guard against these risks, but they bring a different set of issues and administrative overhead.


HIPAA Security Rule Risk Analysis and Management

This is the third part in an ongoing series about the HIPAA Security Rule. So far I have discussed the following:

As I mentioned previously, the Security Rule is broken into three main parts: the administrative, physical and technical safeguards. We will now dive into the administrative safeguards.

The administrative safeguards make up 50% of the Security Rule. So if you implement the administrative safeguards you are half way done! Below is a list of the Standards, Sections and Implementation Specifications.

Standard                                           Section         Implementation Specification                   R/A
-------------------------------------------------  --------------  ---------------------------------------------  ---
Security Management Process                        164.308(a)(1)   Risk Analysis                                  R
                                                                   Risk Management                                R
                                                                   Sanction Policy                                R
                                                                   Information System Activity Review             R
Assigned Security Responsibility                   164.308(a)(2)   (none; the standard itself is required)        R
Workforce Security                                 164.308(a)(3)   Authorization and/or Supervision               A
                                                                   Workforce Clearance Procedures                 A
                                                                   Termination Procedures                         A
Information Access Management                      164.308(a)(4)   Isolating Health Care Clearinghouse Function   R
                                                                   Access Authorization                           A
                                                                   Access Establishment and Modification          A
Security Awareness Training                        164.308(a)(5)   Security Reminders                             A
                                                                   Protection from Malicious Software             A
                                                                   Log-In Monitoring                              A
                                                                   Password Management                            A
Security Incident Procedures                       164.308(a)(6)   Response and Reporting                         R
Contingency Plan                                   164.308(a)(7)   Data Backup Plan                               R
                                                                   Disaster Recovery Plan                         R
                                                                   Emergency Mode Operation Plan                  R
                                                                   Testing and Revision Procedure                 A
                                                                   Applications and Data Criticality Analysis     A
Evaluation                                         164.308(a)(8)   (none; the standard itself is required)        R
Business Associate Contracts & Other Arrangements  164.308(b)(1)   Written Contract or Other Arrangement          R

R = Required, A = Addressable

I am going to take the rest of this article to discuss just the Security Management Process and, more specifically, the Risk Analysis and Risk Management implementation specifications. I believe the whole foundation of the HIPAA Security Rule rests on these two implementation specifications.

Keeping in mind that the principle behind HIPAA is protecting patient information, it is important to determine where patient information resides and what risks could prevent you from protecting it. Once you know where the patient information resides and what the risks to it are, you can put in place procedures that reduce those risks and strengthen your ability to protect the information.

To further illustrate the point, let's apply the Security Management process to your house. Your house protects you and your family as well as your possessions; let's call all of these your valuables. In order to protect your valuables you need to know the inventory of your valuables. While you probably won't forget your spouse and kids, you may not remember the gold watch tucked away in your dresser drawer. So the first step should be to write down all of your valuables. Once you have a complete inventory of your valuables you need to determine their importance to you. Let's break importance into three categories: high, medium and low. Most likely your family ranks at the top of your importance list and falls into the high category. The gold watch may have a significant financial value or may be a gift from someone, making it important but not nearly as important as your family; let's put the gold watch into the medium category. Your mailbox may be on the list but is of very little importance. If anything were to happen to your mailbox you can easily replace it with minimal financial impact, so we will put that in the low category. So now you have a complete list of all your valuables and you have assigned an importance category to each of them. The next step is to determine the potential threats to your valuables.

No matter where you live the threat of crime always exists. If you live in a low-crime area the threat may be lower, but conversely if you live in a high-crime area the threat could be very real. Once again we will break each threat into a category of high, medium or low. A flood is another threat to your valuables. If you live by a river or lake the threat of a flood could be high. A hurricane could be another threat, but if you live in Kansas the threat is probably very low. At the end of this process you have a list of all potential threats to your valuables as well as the likelihood of each threat occurring.

Now you take the list of your valuables, categorized by their value to you, and the list of threats with their likelihood of occurring, and you have identified where you need to focus your attention. If your family is of high value and the threat of crime is high, you will spend a lot of attention on securing your house. This could entail adding additional locks to your doors or installing a security system. On the other hand, your mailbox is of low value, so you may choose not to add any additional security other than fastening it to a mailbox post. Your home security management process is complete when you have gone through the list of your valuables and implemented steps to protect them from the medium and high potential threats.

The process of protecting your valuables is exactly the process that the Security Rule calls for in regard to protecting EPHI. Determine where your EPHI resides. As in the home illustration, you probably won't forget your EMR (i.e. your family), but EPHI may also reside in email or in digital x-rays on a network share (i.e. the gold watch). Make sure you have a complete list of all your EPHI and write it down. Then categorize the importance of each system holding EPHI. As a rule of thumb, the more EPHI a system holds and the more people who access it, the higher the importance of the system (high category); the less EPHI it holds and the fewer people who access it, the lower the importance (low category). Another rule of thumb: if the system contains very sensitive or highly confidential information, it falls into the high category. Conversely, if the EPHI in a system is encrypted or requires special software to access, its exposure is lower and the system can be placed in a lower category. The next step is to identify the threats to your EPHI and categorize the likelihood of each threat occurring.

The loss of EPHI is always something to be concerned about (high category). Fire, flood or another natural disaster are other threats to consider. Once again, each of these threats needs to be categorized by the likelihood of its occurring.

The final Security Management step is to implement procedures that protect your EPHI against the medium and high potential threats. Let's look at a few threats and some steps that strengthen your ability to protect your EPHI:

Threat                                                                  Steps to reduce the threat
----------------------------------------------------------------------  --------------------------------------------------------------
Loss of EPHI (employee accidentally deletes EPHI)                       Ensure you have an up-to-date, tested backup of the EPHI
Loss of EPHI (disgruntled former employee accesses and destroys EPHI)   Ensure you have a valid backup and disaster recovery plan;
                                                                        implement an employee termination procedure that removes
                                                                        physical and network access on the day of departure
Theft of EPHI (hacker penetrates your network and accesses EPHI)        Ensure your network is protected by a firewall, virus
                                                                        protection is up to date and systems enforce strong
                                                                        passwords
Loss of electrical power                                                Ensure you have a disaster recovery plan; install
                                                                        uninterruptible power supplies (UPS) or a backup generator

What you will notice is that after the Security Management process, the rest of the Security Rule is all about minimizing the potential risks to your EPHI. Each of the steps in the table above corresponds to a specific standard and/or implementation specification in the administrative, physical or technical safeguards of the Security Rule.

In future posts, I will go over the rest of the administrative safeguards as well as discuss the physical and technical safeguards.


HIPAA Security Rule Implementation Principles

In this article, I gave an overview of the HIPAA Security Rule.  Let’s drill down a little further and go over the principles of the Security Rule.

There are two very good papers published by CMS that give an overview of the Security Rule.  The papers include Security 101 for Covered Entities and Security Standards: Implementation for the Small Provider.  In an ideal world, the Security Rule would sound like a cooking recipe that tells you the exact ingredients you need, how to mix the ingredients and how long you should cook everything to have the final product.  However, reading the papers, you’ll immediately notice they are very vague, giving you what is required to comply with the Security Rule, but they don’t tell you how or what you need to do to comply.  No recipe here – which brings me to my first point; the Security Rule is not a detailed step by step process that tells you how to implement the rule.

Take this line from the Security Standards:

"The Security Rule provides a flexible, scalable and technology neutral framework to allow all covered entities to comply in a manner that is consistent with the unique circumstances of their size and environment."

Wow, that seems to say a lot, but when you finish reading it you realize that it doesn't say much at all.  My take on it is that there is a set of rules you need to follow, which include procedures and technologies you need to implement, but the specific procedures and technologies are not defined.  Furthermore, based on the size of your organization you may or may not implement the same procedures and technologies, and you may choose not to implement some of them at all.  To clarify, a large hospital with a full-time IT staff will have the ability to implement different procedures and technologies than a small practice that has no full-time IT staff. 

The Security Rule is composed of a series of Standards.  A good description of a Standard can be found in the Security Standards:

“Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the EPHI it creates, transmits or maintains.”

So no matter your organization size or level of IT ability, a Standard has to be implemented.

Within some Standards are Implementation Specifications:

“An implementation specification is a more detailed description of the method or approach covered entities can use to meet a particular standard. Implementation specifications are either required or addressable.”

 • A required implementation specification is similar to a standard, in that a covered entity must comply with it.

• For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, a covered entity decides if it will implement the addressable implementation specification; implement an equivalent alternative measure that allows the entity to comply with the standard; or not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment. Covered entities are required to document these assessments and all decisions.

• Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Required implementation specifications have to be implemented no matter what your size or ability.  Addressable implementation specifications are not optional, but you have to determine whether implementing the specification is reasonable and appropriate for your organization.  A good example is email encryption.  A large hospital has the ability and resources to ensure that all emails containing electronic patient information are sent via secure, encrypted email.  A smaller practice may decide that email encryption is too complicated or expensive to implement.  Instead, the smaller practice may decide not to send electronic patient information via email at all, removing the need for email encryption.  Both organizations have addressed the implementation specification, but in different ways that make sense to each of them.

If you determine that an addressable implementation specification is not reasonable or appropriate for your organization, you need to document the rationale for your decision.  Make sure you can defend the decision in the future which could be years from when you actually made the decision.

If you are a small, midsize or large medical practice, the takeaway from this article should be that the Security Rule is not a specific list of things you have to do or a defined list of technologies you have to implement.  Every standard must be met, but the Rule gives you flexibility in how you meet it and takes into account a practice's size and resources. 

In future posts, I will dive into each of the Security Rule Standards and try to help you make sense of them.


HIPAA Security Rule Implementation

If you haven't heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses about the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy; two of the most common are the HIPAA privacy notice that patients are asked to acknowledge receiving, and publicly available HIPAA privacy policies.  However, as more and more practices move towards electronic health record systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on: the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.


HIPAA security breaches about to cost more thanks to HITECH

While healthcare providers and their associates–which include third-party administrators, claims processors, attorneys, accountants and software providers–have been required since September 2009 to report breaches of 500 medical records or more if the records include non-encrypted data, some states have been enacting tougher laws. Now, it looks as though the federal government will be upping fines–in some cases up to $1.5 million–related to the leak of personal information, as well.

Beginning in mid-February, penalty ranges now will correspond to what the violator did or did not know. Willful neglect, for example, will cost between $10,000 and $50,000 per violation. There are several other categories of neglect and knowledge.

Of late, there have been a number of large, publicized breaches, including 15,000 compromised records of Kaiser Permanente patients and 450,000 compromised records of Health Net of Connecticut patients.

Source
