FEBRUARY 2019

COMPLIANCE TODAY MAGAZINE
a publication of the Health Care Compliance Association

From in-house counsel to Compliance (p12)
NIURKA ADORNO, Regional Compliance Officer, Molina Healthcare of South Carolina & Molina Healthcare of Puerto Rico

+ The basics of 42 CFR Part 2 following the 2017 and 2018 revisions (p18)
Providers and the opioid crisis: Compliance officers need to be aware (p24)
Risk assessment obligations for Medicare Advantage and Part D organizations (p31)
Security risk audits and risk mitigation plans to protect PHI (p35)
Does your auditing & monitoring program meet the mark? (p42)

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888.580.8373 with reprint requests.




Articles

48 [CEU] Policy governance bolsters the culture of compliance, by Kelly Lange. Twelve recommendations to improve policy governance and build trust with regulators, your employees, and your customers.

53 OCR’s Cyber Security Newsletters: “Cheat sheets” for good security compliance in our cyber age, by Iliana L. Peters. A HIPAA Security risk analysis is not the same as a gap analysis—and other reasons why you should read the OCR’s newsletters.

59 Focus on facility evaluation and management leveling, by Sally Eagan. Facilities should review their E/M level assignment guidelines and validate that their E/M levels reflect the intensity of the resources used by the hospital in treating patients.

64 Physician practice compliance planning for 2019: OIG Work Plan activities, by Gary Herschman, Victoria Sheridan, and John D. Barry. Practical recommendations for making proactive changes based on a review of various Work Plan projects that are underway or that the OIG plans to address in the near future.

68 Patient harassment: It is no laughing matter, by Jaklyn Wrigley. Five steps for creating a safe workplace for all your employees, including those who must deal with abusive behavior from patients who “can’t help it.”

888.580.8373 | hcca-info.org

VOLUME 21, ISSUE 2


Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription is free to members (a $325 value). Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2019 Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of HCCA. For Advertising rates, call Margaret Dragon at 781.593.4924. Send press releases to M. Dragon, 41 Valley Rd, Nahant, MA 01908. Opinions expressed are not those of this publication or HCCA. Mention of products and services does not constitute endorsement. Neither HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.


OCR’S CYBER SECURITY NEWSLETTERS: “CHEAT SHEETS” FOR GOOD SECURITY COMPLIANCE IN OUR CYBER AGE

by Iliana L. Peters

Iliana L. Peters, JD, LLM, CISSP ([email protected]) is a Shareholder in the Washington, DC offices of Polsinelli, PC.

Most businesses, whatever the economic sector, acknowledge that they must devote resources to understanding and implementing data security, particularly given that security incidents and their fallout make the news on a daily, if not hourly, basis. Conversations about data security risks happen at breakfast tables and boardroom tables around the country, and topics range from social media to national elections to international espionage. For compliance personnel, these conversations boil down to concrete reasons for investing resources in data security practices and the best ways to do so. Importantly, good data security in our current cyber age is essential for entities of all sizes, types, and focus areas, for a few very persuasive reasons, including:

◆ An entity’s data is its most valuable asset, replacing assets that used to be considered more high-value, from physical assets to copyrighted material to well-trained employees, in a corporate valuation analysis.1

◆ An entity’s reputation is on the line anytime its data is compromised in a data breach or cyberattack; recent examples of high-profile data breaches have angered both consumers and state, federal, and international legislators and regulators.

◆ Good data security is required under state, federal, and international law, and violations of these laws can have serious penalties.

◆ With respect to certain critical economic sectors, such as the healthcare sector, the lack of good data security is a safety issue for individuals. For example, if a healthcare entity does not implement good data security and falls victim to a security incident or attack that results in either data accessibility



or data integrity compromises (i.e., patient data is made either inaccessible or incorrect), the healthcare entity cannot treat patients, or may treat patients incorrectly, which could seriously affect the health or lives of the patients.

So, what does good data security hygiene look like from a cybersecurity perspective, particularly in the healthcare sector? How are healthcare entities supposed to keep up with a constantly changing risk landscape? What are the risks that the regulators are most concerned with and that healthcare entities should prioritize? These are all good questions; the answers are regularly discussed in Cyber Security Newsletters, a monthly publication by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), which is the primary regulator responsible for implementation and enforcement of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules).2

Although regulated entities are generally familiar with settlement agreements and civil money penalties (CMP) published by OCR,3 and the insight they provide into the data security issues on which OCR is focusing its enforcement efforts, many regulated entities are not leveraging the information contained in the Cybersecurity Newsletters4 to augment their HIPAA Security Rule compliance efforts, particularly with regard to high-risk issues. Reviewing some of the most recent Cyber Security Newsletters is particularly instructive to understand recurring HIPAA Security Rule compliance issues that create cybersecurity risks for HIPAA covered entities and business associates.

HIPAA Risk Analysis — Identify ePHI and risks to it

The HIPAA Security Rule requires, as a foundational administrative safeguard for electronic protected health information (ePHI), that HIPAA covered entities and their business associates (as defined by the HIPAA Rules) undertake a comprehensive and enterprise-wide analysis (or assessment, as it is referred to in other economic sectors) of the risks, including threats and vulnerabilities, to all of the ePHI they hold.5 The requirement is essential for purposes of identifying all of an entity’s data and the risks to it, including those associated with any cybersecurity threats or vulnerabilities that could be exploited by cybersecurity threat vectors or attackers.

This requirement is fairly straightforward; that is, HIPAA covered entities and their business associates must identify:

◆ the ePHI they hold, including through data inventories, mappings, and flows;

◆ the threats to and vulnerabilities of the ePHI, given the people, entities, and assets that create, access, maintain, and transmit such ePHI, including systems, applications, devices, workforce members, and partners; and

◆ the likelihood that these threats or vulnerabilities could be exploited and the impact if they were, which together determine the risk to ePHI.

Essentially, this means that HIPAA covered entities and their business associates should understand where their ePHI is throughout its lifecycle (from creation to maintenance to destruction), and what the risks (including cybersecurity threats or vulnerabilities that could be exploited by cyberthreat vectors or attackers) to it are, given where it is created, accessed, maintained, and transmitted until it is destroyed.

The point is — if a HIPAA covered entity or business associate does not identify all the places where ePHI “lives,” and the risks to ePHI in those places, then it cannot sufficiently protect the ePHI against threats or exploitation of vulnerabilities, which will very likely result in a breach.

However, HIPAA covered entities and their business associates often have misunderstood this requirement to be an audit or gap analysis, and instead of analyzing the risk to the ePHI, they assess the gaps in their enterprise practices against the requirements of the HIPAA Security Rule or another cybersecurity framework, such as the NIST Cyber Security Framework.6 A gap analysis or audit is also a helpful exercise, and is required by the evaluation requirement of the HIPAA Security Rule at 45 CFR § 164.308(a)(8), but it is not a risk analysis.

HIPAA risk analysis vs. gap analysis

OCR’s April 2018 Cyber Security Newsletter7 focused specifically on this issue, and highlighted the differences between what OCR considers a comprehensive, enterprise-wide risk analysis, versus a gap analysis for purposes of compliance with the HIPAA Security Rule. OCR notes that a “risk analysis is a comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI.” Alternatively, a “gap analysis is typically a narrowed examination…to assess whether certain controls or safeguards required by the Security Rule are implemented.”

The April 2018 Cybersecurity Newsletter then goes on to outline the elements of a risk analysis, particularly as explained further in NIST Special Publication 800-30:

◆ A comprehensive scope

◆ Identification of all locations and systems where ePHI is “created, received, maintained, or transmitted”

◆ Identification of threats and vulnerabilities (both technical and nontechnical)

◆ Assessment of current security measures

◆ Determination of likelihood and impact

◆ Determination of the resulting level of risk

◆ Documentation of all elements

◆ Revisions and updates

The April 2018 Cyber Security Newsletter also provides an example of a typical gap analysis, which would not comply with the requirements of the HIPAA Security Rule with regard to a risk analysis.

The example table in the newsletter starts with a column on the left that includes specific requirements of and citations to the HIPAA Security Rule, then moves across the page to the right to include a description of each requirement and an assessment of whether a particular entity has fully implemented the requirement cited. Again, although this type of exercise is helpful for an entity to determine whether it has, in fact, implemented the requirements of the HIPAA Security Rule or another law or framework, such an audit or analysis does not accurately reflect the risks to the ePHI in the entity’s enterprise, particularly given that there is no assessment of those risks anywhere in the audit or analysis.

The bottom line is that if a HIPAA covered entity or business associate has undertaken a gap analysis, rather than a HIPAA-compliant risk analysis, it may have correctly implemented some of the requirements of the HIPAA Security Rule or correctly addressed the recommendations of another tool or framework, but it still may have missed some of the ePHI in its enterprise and, correspondingly, the risks to that ePHI, which is left unprotected and exploitable by cyberthreats and attackers.
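To make the distinction concrete, here is an added example (not from the article, OCR, or NIST) that carries the elements listed above through in code: it rates each assessed threat to a constructed ePHI inventory with a simplified three-level likelihood/impact matrix in the spirit of NIST SP 800-30's qualitative scale (not the publication's own table), lists the ePHI locations the analysis never assessed, and, beside it, shows what a citation-by-citation gap table of the kind the newsletter describes can report. The inventory entries, threats, controls, and gap table are all constructed for the example.

```python
"""Risk analysis versus gap analysis, as an added illustration.

Constructed data only: the ePHI inventory, threat assessments and gap-analysis
table below are invented for the example and describe no real organization.
The likelihood/impact matrix is a simplified three-level scale in the spirit of
NIST SP 800-30's qualitative levels, not the publication's own table.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")

# Simplified qualitative matrix (assumption): (likelihood, impact) -> risk level
RISK_MATRIX = {
    ("High", "High"): "High", ("High", "Moderate"): "High", ("High", "Low"): "Moderate",
    ("Moderate", "High"): "High", ("Moderate", "Moderate"): "Moderate", ("Moderate", "Low"): "Low",
    ("Low", "High"): "Moderate", ("Low", "Moderate"): "Low", ("Low", "Low"): "Low",
}


@dataclass(frozen=True)
class EphiLocation:
    name: str
    lifecycle_stage: str  # created / received / maintained / transmitted


@dataclass(frozen=True)
class Assessment:
    location: str
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str
    impact: str


# Constructed inventory: every place the (fictional) entity's ePHI lives.
EPHI_INVENTORY = [
    EphiLocation("EHR database", "maintained"),
    EphiLocation("Billing file share", "maintained"),
    EphiLocation("Backup tapes (offsite)", "maintained"),
    EphiLocation("Clinician smartphones", "transmitted"),
]

# Constructed threat/vulnerability pairs; note that the backup tapes were never assessed.
ASSESSMENTS = [
    Assessment("EHR database", "Ransomware", "Unpatched OS on DB host", "Weekly patching, AV", "Moderate", "High"),
    Assessment("Billing file share", "Insider misuse", "Share readable by all staff", "Access logging", "Moderate", "Low"),
    Assessment("Clinician smartphones", "Device theft", "No device encryption enforced", "Screen lock only", "High", "High"),
]

# Constructed gap-analysis table in the shape the April 2018 newsletter describes:
# Security Rule citation -> implemented? It says nothing about where ePHI is.
GAP_ANALYSIS = {
    "164.308(a)(1)(ii)(A) Risk analysis": True,
    "164.312(a)(2)(iv) Encryption and decryption": True,
    "164.310(d)(1) Device and media controls": False,
}


def risk_level(likelihood, impact):
    """Map a qualitative likelihood and impact to a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


def build_risk_register(assessments):
    """Rate each assessed threat and order the register highest risk first."""
    rows = [(a.location, a.threat, a.current_controls, risk_level(a.likelihood, a.impact))
            for a in assessments]
    return sorted(rows, key=lambda r: LEVELS.index(r[3]), reverse=True)


def unassessed_locations(inventory, assessments):
    """ePHI locations the risk analysis never examined: the blind spot a gap analysis cannot reveal."""
    assessed = {a.location for a in assessments}
    return sorted(loc.name for loc in inventory if loc.name not in assessed)


def gap_findings(gap_table):
    """What a gap analysis yields: unimplemented standards, with no link to any ePHI location."""
    return sorted(cite for cite, implemented in gap_table.items() if not implemented)


if __name__ == "__main__":
    for row in build_risk_register(ASSESSMENTS):
        print(row)
    print("Unassessed ePHI locations:", unassessed_locations(EPHI_INVENTORY, ASSESSMENTS))
    print("Gap analysis findings:", gap_findings(GAP_ANALYSIS))
```

Run it and the register comes back ordered highest risk first, the offsite backup tapes surface as an ePHI location with no assessment at all, and the gap table can only report that one standard is unimplemented; it has no way to say that the tapes exist. That blind spot is the whole difference between the two exercises.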

Prioritize patching

Probably the scariest cyberthreat to HIPAA covered entities and business associates is one that may be the easiest for cyberattackers to exploit — unpatched applications, software, or systems. Entities in all sectors frequently underestimate the ease of finding “a recipe” on the internet to exploit a known vulnerability in a particular type of application. Not only can well-resourced nation-state attackers exploit these unpatched systems or applications; extremely unsophisticated attackers can also take advantage of “holes” in systems or applications that result from a lack of updated coding or patching, or they may direct others to do so.

OCR’s June 2018 Cybersecurity Newsletter8 is particularly helpful in walking HIPAA covered entities and business associates through the logic behind, and the process for, patching on an enterprise level. OCR notes that, “vulnerabilities may be present in many types of software including databases, electronic health records (EHRs), operating systems, email, applets such as Java and Adobe Flash, and device firmware.” Further, OCR explains that, as provided for by NIST, patch management is the process of “identifying, acquiring, installing and verifying patches for products and systems,”9 and OCR suggests some specific steps for patch management, including:

◆ Evaluation: Evaluate patches to determine if they apply to your software/systems.

◆ Patch testing: When possible, test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.

◆ Approval: Once patches have been evaluated and tested, approve them for deployment.

◆ Deployment: Following approval, patches can be scheduled to be installed on live or production systems.

◆ Verification and testing: After deploying the patches, continue to test and audit systems to ensure that the patches were applied correctly and that there are no unforeseen side effects.

As part of any patch management program, and as OCR discusses briefly in the June 2018 Cybersecurity Newsletter, the process for implementing patches should be closely monitored. Although most patches are routine and do not result in significant changes to applications or systems, some patches update systems or applications in unexpected ways, such as by setting all security features back to default settings or inadvertently misconfiguring a setting that results in leaking data to the internet. As such, HIPAA covered entities and business associates should appropriately evaluate the changes to their applications or systems in association with any patches, as required by the HIPAA Security Rule at 45 CFR § 164.308(a)(8) and as discussed in the bullets above.
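As an added example (not from the article, OCR, or NIST) of the Verification step above and of the post-patch evaluation the article calls for, the script below compares package inventories before and after a patch window against a list of fixed versions, and checks that a hardened baseline of security settings survived the upgrade. The inventories (in the shape of dpkg-query -W output), the fix list, the sshd_config snapshot and the baseline are all constructed; the version ordering is a simplified dpkg-style comparison (epoch, then alternating text and number segments) and does not implement the full dpkg rules, such as "~" sorting before everything.

```python
"""Post-patch verification, as an added illustration of the Verification step
and the post-patch configuration evaluation the article describes.

Everything here is constructed for the example: the package inventories imitate
'dpkg-query -W' output, the fix list imitates an advisory's "fixed in" versions,
and the config snapshot imitates sshd_config. No real host is represented.
"""
import re

# Constructed: package<TAB>version lines, before and after the patch window
INVENTORY_BEFORE = """\
openssl\t1.1.1f-1ubuntu2.16
openssh-server\t1:8.2p1-4ubuntu0.5
nginx\t1.18.0-0ubuntu1.3
"""
INVENTORY_AFTER = """\
openssl\t1.1.1f-1ubuntu2.17
openssh-server\t1:8.2p1-4ubuntu0.5
nginx\t1.18.0-0ubuntu1.4
"""

# Constructed: package -> minimum version that carries the fix
REQUIRED_FIXES = {
    "openssl": "1.1.1f-1ubuntu2.17",
    "openssh-server": "1:8.2p1-4ubuntu0.7",
    "nginx": "1.18.0-0ubuntu1.4",
    "samba": "2:4.13.17+dfsg-0ubuntu1.3",  # not installed here, so not a finding
}

# Constructed: the hardened settings the entity expects to survive any patch,
# and an sshd_config as rewritten by a (fictional) package upgrade
SECURITY_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "X11Forwarding": "no"}
CONFIG_AFTER = """\
# sshd_config rewritten by package upgrade (constructed)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
X11Forwarding yes
"""


def parse_inventory(text):
    """'name<TAB>version' lines -> {name: version}."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            out[name.strip()] = version.strip()
    return out


def version_key(version):
    """Sortable key (epoch, upstream segments, revision segments).

    Simplified dpkg-style ordering (assumption): numbers compare numerically,
    the text between them lexically; '~' pre-release ordering is not handled.
    """
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""

    def segments(s):
        return [(text, int(num) if num else 0)
                for text, num in re.findall(r"(\D*)(\d*)", s) if text or num]

    return (int(epoch), segments(upstream), segments(revision))


def missing_fixes(inventory, required):
    """Installed packages still below the fixed version (absent packages are not findings)."""
    findings = []
    for pkg, fixed in required.items():
        installed = inventory.get(pkg)
        if installed is not None and version_key(installed) < version_key(fixed):
            findings.append((pkg, installed, fixed))
    return findings


def parse_config(text):
    """'Key value' lines -> {Key: value}, ignoring comments and blank lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            out[key] = value.strip()
    return out


def config_drift(baseline, config):
    """Security settings whose post-patch value differs from the hardened baseline."""
    return {k: (v, config.get(k)) for k, v in baseline.items() if config.get(k) != v}


def verify_patch_run(before_text, after_text, required, baseline, config_text):
    """Combine the three checks into one report: what changed, what is still unpatched, what drifted."""
    before, after = parse_inventory(before_text), parse_inventory(after_text)
    return {
        "changed": sorted(p for p in after if before.get(p) != after[p]),
        "still_vulnerable": missing_fixes(after, required),
        "config_drift": config_drift(baseline, parse_config(config_text)),
    }


if __name__ == "__main__":
    report = verify_patch_run(INVENTORY_BEFORE, INVENTORY_AFTER, REQUIRED_FIXES,
                              SECURITY_BASELINE, CONFIG_AFTER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the report shows that openssl and nginx changed, that openssh-server is still below its fixed version even though the patch run "succeeded", and that the upgrade quietly reset PermitRootLogin and X11Forwarding away from the baseline. The second and third findings are exactly what a verification step that only checks "did the job complete" would miss.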

Mobile devices — A vector for attack

Mobile devices create particular challenges for entities of all types and in all sectors, including HIPAA covered entities and business associates. Mobile devices are extremely vulnerable to theft or loss and, as such, if not properly protected, can not only provide a thief with access to all of the valuable information held on the device itself, but also create a vector or gateway into an entity’s enterprise for an attacker to exploit. OCR’s August 2018 Cyber Security Newsletter10 describes techniques, tools, and HIPAA Security Rule requirements that can be used to protect the ePHI on mobile devices and to protect HIPAA covered entities and business associates more generally from attacks that exploit the vulnerabilities of mobile devices.

The August 2018 Cyber Security Newsletter describes mobile electronic devices as including “a broad range of hardware such as laptops, smartphones, servers, desktops, and tablets. Electronic media includes electronic storage devices, such as hard drives, USB drives, CDs/DVDs, tapes and memory cards.” Mobile devices of all types are essential to the business of healthcare today, but they are particularly vulnerable to all types of threats — just by the nature of their being “mobile.” These include risks such as theft, loss, and other types of cyber-threat exploitation.

For example, many people do not realize that a large majority of mobile devices are networked (i.e., they have the capability to connect to the internet, as part of the “Internet of Things”), and may do so without the user’s knowledge on a regular basis. As such, they can be used by cyber-attackers as a jumping-off point into a HIPAA covered entity’s or business associate’s enterprise,11 or as part of a “botnet” or other large-scale computing attack.12 Finally, to the extent that transmissions of ePHI to and from mobile devices (e.g., pagers or smartphones) are not protected, the ePHI can be intercepted in transit by cyber-attackers seeking to exploit the information collected from those devices during transit.

The first, and perhaps the most important, effort to protect mobile devices is (similar to the HIPAA risk analysis effort) the identification and tracking of all of the entity’s mobile devices during their useful life and as they move in and out of any particular HIPAA covered entity or business associate. As with ePHI and a risk analysis, if you don’t know where all of your mobile devices are at any particular moment, you cannot appropriately protect them.

So, as OCR asks in the August 2018 Cyber Security Newsletter:

◆ Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?

◆ Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?

◆ Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?13

Any corresponding efforts to protect mobile devices should answer the additional question that OCR asks in the August 2018 Cybersecurity Newsletter regarding mobile device security: “Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?”14

Let’s take a moment to walk through these specific tools and requirements with regard to how they can be used to protect mobile devices from cybersecurity threats.

Access controls include all of the policies and techniques that HIPAA covered entities and business associates use to allow access to their ePHI to only those persons and entities that should be able to access that data.15 This includes not only determining who or what should have access, but also what type of access and how it should be provided. In other words, not every person or entity needs access to all of the data in an enterprise through a particular mobile device, for example; and all people or entities accessing these mobile devices must do so in a secure way, using techniques that should include multifactor authentication or strong usernames and passwords or passphrases. For example, can workforce members access an entity’s enterprise systems using any device, or only particular devices, such as those owned and/or controlled by the entity (as is generally recommended)? Are all default usernames and passwords on devices of all types (including copiers, printers, medical devices, etc.) changed regularly, as is generally required? Have vulnerability scans been run on mobile devices and any critical or important issues identified remediated, as is generally required?

Audit controls include all of the policies and tools that HIPAA covered entities and business associates use to track who and what are accessing their ePHI, and how.16 In other words, entities should have logs and reports that identify:

◆ Which persons or entities are accessing, creating, modifying, or transmitting their ePHI?

◆ What specific ePHI was accessed and how?

◆ What specifically is being done with the ePHI, and how? Was it changed?

◆ How was it accessed or transmitted, by whom, and from where?


Takeaways

◆ An entity’s data is its most valuable asset, and an entity’s reputation is on the line anytime its data is compromised.

◆ Good data security is required under state, federal, and international law, and violations of these laws can have serious penalties.

◆ Lack of good data security is a patient safety issue.

◆ Cyber Security Newsletters from HHS OCR are a fantastic source of advice on important cybersecurity issues.

◆ Given the tools available to protect data from cybersecurity threats, good data security just makes good sense.

Audit controls also include ensuring that all of the important information in these logs and reports is reviewed regularly and that any irregularities are addressed. So, the questions with regard to mobile devices become: Are audit capabilities enabled on all mobile devices throughout a HIPAA covered entity’s or business associate’s enterprise? Are the audit logs and access reports from the entity’s mobile devices reviewed regularly, and is suspicious activity investigated?
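The device-tracking record OCR asks about above and the regular audit-log review described here can be tied together mechanically: each access from a mobile device is checked against the inventory that names the device and its responsible person. The following is an added example, not code from the article or from OCR; the inventory, the log format (timestamp|user|device_id|action|record_id) and the business-hours window are constructed assumptions.

```python
"""Added example: review constructed ePHI access-log lines from mobile devices
against a constructed device/media tracking record and report what an auditor
should investigate. The log format, inventory and hours are assumptions."""
from datetime import datetime

# Constructed device/media tracking record: device ID -> responsible person, status.
DEVICE_INVENTORY = {
    "TAB-0042": {"owner": "jdoe", "status": "in_service"},
    "PHN-0107": {"owner": "asmith", "status": "in_service"},
    "LAP-0019": {"owner": "rlee", "status": "reported_lost"},
}

# Constructed audit log lines: timestamp|user|device_id|action|record_id
SAMPLE_LOG = """\
2019-02-04T09:12:03|jdoe|TAB-0042|view|MRN-1001
2019-02-04T09:15:41|asmith|PHN-0107|modify|MRN-1002
2019-02-04T23:48:10|rlee|LAP-0019|view|MRN-1003
2019-02-04T10:02:55|jdoe|PHN-0107|transmit|MRN-1004
2019-02-04T10:05:00|tnguyen|PHN-9999|view|MRN-1005
"""

def parse_log(text):
    """Turn each non-blank line into a dict with the five assumed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action, record = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "device": device, "action": action, "record": record})
    return rows

def review_access_log(text, inventory=DEVICE_INVENTORY):
    """Return (reason, log row) pairs that merit investigation."""
    findings = []
    for row in parse_log(text):
        dev = inventory.get(row["device"])
        if dev is None:                       # device never entered in the record
            findings.append(("device not in inventory", row))
        elif dev["status"] != "in_service":   # e.g. reported lost or disposed
            findings.append(("device marked %s" % dev["status"], row))
        elif dev["owner"] != row["user"]:     # someone other than the responsible person
            findings.append(("user is not the device's responsible person", row))
        if not 7 <= row["ts"].hour < 19:      # constructed business-hours window
            findings.append(("access outside business hours", row))
    return findings
```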

Encryption is generally required for HIPAA covered entities and business associates, unless the entity can specifically document the reason that encryption, in a particular circumstance and for particular ePHI, is not reasonable and appropriate, as well as the compensating controls the entity put in place in lieu of encryption. Encryption is particularly important to address the risks to ePHI on or transmitted from mobile devices.17 Theft and loss are still the major breach incidents that HIPAA covered entities and business associates experience and, as a result, it just makes good sense to encrypt the ePHI at rest on mobile devices. That said, ePHI being transmitted from mobile devices may also be vulnerable to attack and/or interception. As such, encryption is important to implement for ePHI in transit from mobile devices of all types, including smartphones, pagers, and medical devices as well.

Mobile devices, large and small, must be considered particularly vulnerable to threats of all kinds, including not only those that immediately come to mind, such as theft and loss, but also those that are more sophisticated and menacing, such as cyberattacks. Remember that almost every device in your enterprise (or your home, for that matter) can be a vector for an attack, and take steps to protect yourself and your enterprise.

Good data security just makes good sense

Ultimately, the Golden Rule applies to data, just as it does elsewhere in life, with a bit of finesse: “Do unto others’ data as you would have them do unto yours.” In other words, although there are several very persuasive business reasons to implement good data security, ultimately, we all have the responsibility to be good stewards of consumer data wherever we encounter it, because we expect the same of the businesses and their employees that hold our data. And, given the tools available to protect data from cybersecurity threats, good data security just makes good sense.

Endnotes

1. Lisa Morgan, “How Valuable Is Your Company’s Data?” InformationWeek; March 14, 2018. https://ubm.io/2TdjtNL
2. HHS.gov, Health Information Privacy. http://bit.ly/2f29dZG
3. HHS.gov, HIPAA Enforcement. http://bit.ly/2Ve3Rv0
4. HHS.gov, Cyber Security Guidance Material. http://bit.ly/2Ajaa7R
5. 45 C.F.R. § 164.308(a)(1)(ii)(A) Administrative safeguards. http://bit.ly/2QV9Neh
6. NIST Cyber Security Framework. http://bit.ly/2SlkHXj
7. HHS OCR, “Risk Analysis vs. Gap Analyses – What is the difference?” Cyber Security Newsletter, April 2018. http://bit.ly/2Q32X0A
8. HHS OCR, “Guidance on Software Vulnerabilities and Patching,” Cybersecurity Newsletter, June 2018. http://bit.ly/2EQSMet
9. NIST Patch Management. http://bit.ly/2VauQrz
10. HHS OCR, “Considerations for Securing Electronic Media and Devices,” Cyber Security Newsletter, August 2018. http://bit.ly/2F7HQZf
11. Stephen Northcutt, “The Risk of Default Passwords,” SANS Technology Institute, Security Laboratory: Methods of Attack Series; May 11, 2007. http://bit.ly/2QOY5BE
12. Paul Sabanal, “Thingbots: The Future of Botnets in the Internet of Things,” SecurityIntelligence; February 20, 2016. https://ibm.co/2T9OC4w
13. Ibid, Ref #5 at (a)(5).
14. 45 CFR § 164.312 Technical safeguards. http://bit.ly/2CAnkyU
15. Idem at (a).
16. Idem at (b).
17. Idem at (a) and (d).
