Originally Posted On: https://zillasecurity.com/blog/what-you-need-to-know-about-hipaa-access-reviews/
Every industry is under pressure to protect its confidential data these days. But the pressure to protect data is particularly acute in the healthcare industry in the U.S., where the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the security of patient health information (PHI) in both physical and electronic form. And, even though it was enacted a quarter century ago, HIPAA has a lot to say about securing access to sensitive information, even in today’s digitally transformed, cloud-enabled healthcare marketplace. That includes guidance on monitoring access to healthcare information.
HIPAA’s High Stakes
The stakes for healthcare organizations are high. HIPAA includes an enforcement mechanism that allows the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which administers the law, to issue monetary fines for violations. These days, those fines can be quite large. Also, while healthcare firms’ lax security practices may have escaped notice a decade ago, these days hackers and ransomware gangs are quick to spot them and take advantage, leading to massive data breaches and other malicious acts. OCR investigations follow many of these, and recent cases suggest that poor security around user access and activity is a common problem cited by OCR.
For example, in 2020 the health insurer Premera Blue Cross agreed to pay a $6.85 million fine for a breach in which the protected health information of 10,466,692 individuals was obtained by hackers. OCR concluded that Premera had failed to conduct a comprehensive risk analysis and had implemented insufficient hardware and software controls to protect electronic patient health information (e-PHI). Also last year, CHSPSC LLC, the Tennessee-based management firm that works with healthcare providers, paid a $2.3 million penalty in the wake of an OCR investigation following a cyber attack and theft of data on more than 6 million individuals. OCR found the firm had failed to conduct a comprehensive risk analysis, wasn’t performing information system activity reviews, and had insufficient access controls and security incident response procedures.
What do healthcare firms need to know about what HIPAA has to say about user entitlements and access reviews? We break it out for you below.
HIPAA’s Security Rule
Most of the data protection and access provisions of HIPAA are covered under what’s known as the HIPAA “Security Rule.” That requires covered entities (essentially: organizations that maintain PHI) to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI (or e-PHI). Covered entities have to ensure the confidentiality, integrity, and availability (CIA) of any and all e-PHI they create, receive, maintain or transmit. They must also identify and protect against what are termed “reasonably anticipated threats to the security or integrity of the information” and “reasonably anticipated, impermissible uses or disclosures.”
HIPAA’s Security Rule doesn’t mandate technology solutions, but asks covered entities to consider protections in light of their own infrastructure and needs, the risks they face and changes to their IT and operating environment. In that way, the requirements of HIPAA are general, not specific, and adapt along with changes in technology and practice.
Administrative Safeguards: Focus on Information Access
A key element of HIPAA’s administrative protections is the set of so-called “administrative safeguards” that limit access to protected PHI data. These safeguards bear on access and user entitlements directly, as they require covered entities both to have a “security management process” that anticipates risks to e-PHI and to implement measures to “reduce risks and vulnerabilities” to that data. Also, the administrative safeguards require HIPAA-covered entities to “implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role.” (See 45 C.F.R. § 164.308(a)(4)(i))
Security Management Requirements Demand Activity Review
Among the guidance for implementing the Administrative Safeguards requirement are items that bear directly on user access and entitlements.
First, HIPAA requires covered entities to conduct an analysis of “risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Covered entities are then required to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” to comply with the Security Rule. In addition, covered entities are required to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
Information Access Management Focuses on User Authorizations, Auditing
The HIPAA Administrative Safeguards also specify that covered entities have policies and procedures focused on information access. As part of that, the HIPAA guidance suggests organizations develop clear processes and procedures for granting access to e-PHI, whether that data resides on a workstation or is accessible in other ways. Furthermore, covered entities are expected to have the ability to “establish, document, review, and modify” a user’s right of access to a workstation, transaction, program, or process.
Technical Safeguards: Access Control and Audits
The Security Rule also specifies Technical Safeguards that HIPAA covered entities are expected to implement to protect e-PHI. While the rule does not mandate the use of specific technologies, it does identify security capabilities that organizations handling PHI and e-PHI are expected to have. Among those are the ability to impose access control around e-PHI and audit capabilities for systems containing e-PHI.
Health Data Access Controls
Guidance (PDF) from the Department of Health and Human Services (HHS), which administers HIPAA, indicates that organizations should implement access controls that “enable authorized users to access the minimum necessary information needed to perform job functions” and that “rights and/or privileges should be granted to authorized users based on HIPAA’s Information Access Management standard,” which is part of the Administrative Safeguards section of the Rule described above.
Though it doesn’t use the term, HHS’s guidance on access controls follows the concept of user “least privilege.” HIPAA covered entities should have access controls that are “appropriate for the role and/or function of the workforce member,” with workers, even administrators, “only having access to EPHI as appropriate for their role and/or job function.” Other implementation specifications of the law that go along with the Access Control standard include unique user identification, automatic logoff (session time-outs) and the use of encryption to protect data.
Health Data Audit Controls
The other standard in the Technical Safeguards section that bears on user access and entitlements is the requirement for Audit Controls. While the HIPAA guidelines don’t specify how these controls should be implemented, they do require HIPAA-covered entities to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
HIPAA leaves it up to covered entities to determine critical aspects of how and what to audit. There are no requirements for what data must be collected and audited, how often audits should take place and so on. Rather, covered entities are expected to consider their risk, their technical infrastructure and organizational structure to help answer these critical questions.
HIPAA and HITRUST Common Security Framework
Many organizations that wish to show compliance with HIPAA have found the HITRUST Common Security Framework (CSF) to be a useful one for safeguarding electronic protected health information (ePHI) and other critical health information. HITRUST CSF provides organizations with a compliance framework for HIPAA (as well as regulations like GDPR, SOC2, and PCI DSS). While HITRUST certification is not a stand-in for HIPAA compliance, the framework is comprehensive in addressing the kinds of data security and data privacy issues that are the focus of HIPAA compliance. As a result, successful certification under the HITRUST CSF is often taken as the equivalent of HIPAA compliance.
When it comes to user access, the HITRUST CSF includes auditable controls for user access rights, password management and privilege management that align with HIPAA’s own requirements. Specifically, both HIPAA and HITRUST mandate the control and review of user access rights to protected health information (PHI) for appropriateness (45 CFR § 164.308(a)(3)(ii)(B)). HITRUST and HIPAA also both call for organizations to manage and monitor user de-provisioning to secure access to PHI, in line with HIPAA 45 CFR § 164.308(a)(3)(ii)(C).
Twenty-five years after its passage, no healthcare organization can claim ignorance of HIPAA or its requirements. And, while OCR audits may be a low-level risk for HIPAA covered entities, ransomware gangs and cyber criminals intent on stealing sensitive health data are doing the government’s work for it: finding vulnerable healthcare entities and laying their failings out for all to see. Government auditors and fines often follow soon after.
What can healthcare providers and other HIPAA covered entities do? First of all: understand what the law asks of them, specifically around issues of user access and monitoring. As this blog post notes: the Administrative Safeguards and Technical Safeguards that are part of the HIPAA Security Rule provide guidance on the kinds of monitoring and controls that HIPAA covered entities should have in place.
The next step is for organizations to implement adequate controls and stay ahead of attackers. Partnering with a firm like Zilla is one way to accelerate compliance with HIPAA’s Security Rule.