In late September, the Department of Health and Human Service’s Office for Civil Rights (OCR) announced three multi-million-dollar resolution agreements with two covered entities and one business associate. The enforcement actions, which settled violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, were related to breaches of electronic Protected Health Information (ePHI) affecting millions of individuals. Common among all three resolution agreements, OCR cited the organizations for violations of the requirement to conduct an enterprise-wide risk analysis (§ 164.308(a)(1)(ii)(A) of the HIPAA Security Rule). In two of the cases, OCR flagged failures in implementing a risk management process (45 C.F.R. § 164.308(a)(1)(ii)(B) of the HIPAA Security Rule).
These OCR enforcement actions re-affirm what the Office has been communicating for years – OCR will continue to prioritize enforcement of covered entities’ and business associates’ compliance with the risk analysis and risk management requirements of the HIPAA Security Rule. Healthcare organizations should take stock and assess their risk analysis and risk management processes, and if they do not meet OCR’s expectations and industry best practices, take appropriate action now to address these deficiencies. As explained below, conducting risk analysis and risk management will not only enable a healthcare organization to better protect itself and its ePHI, but also help it to avoid costly fines and irreparable reputational damage.
The three recent Resolution Agreements
On September 21, 2020, OCR announced that Athens Orthopedic Clinic PA (Athens) agreed to pay $1.5M to OCR and adopt a corrective action plan to address potential violations of the HIPAA Privacy and Security Rules. On June 26, 2016, a journalist notified Athens that a database of Athens’ patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens and demanded money in return for a complete copy of the database it stole. Athens determined that the hacker accessed the organization’s electronic medical record system and exfiltrated patient health data for over a month. Athens filed a breach report informing OCR that 208,557 individuals were affected by this breach. OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.
OCR announced on September 23, 2020 that CSPSC LLC, (“CHSPSC”) agreed to pay $2.3M to OCR and has agreed to a corrective action plan to remediate HIPAA compliance deficiencies. CSPSC is a management company that provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc. In April 2014, the FBI notified CHSPSC that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system. Despite this notice, the hackers continued to access and exfiltrate ePHI of 6.1 million individuals until August 2014. OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
Most recently, on September 25, 2020 OCR announced that Premera Blue Cross (PBC) agreed to pay $6.85M to OCR (the second largest settlement of all time next to Anthem’s $16M 2018 settlement with OCR), and would implement a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. In May of 2014, cyber-attackers gained access to PBC’s information technology system through a phishing attack and installed malware that gave the hackers access to PBC’s system. The attack went undetected for nearly nine months until January 2015, and resulted in the disclosure of more than 10.4 million individuals’ protected health information. OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
Why is OCR so focused on risk analysis? Because without risk analysis the healthcare organization doesn’t don’t know whether it is adequately protecting ePHI.
Roger Severino stated in the PBC Settlement press release: “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.” It still surprises us how some of the largest healthcare organizations underinvest in risk analysis, or skip it all together. These organizations might think they are better off spending their money on security tools, rather than first analyzing risks, which in turn enables one to identify which security tools and other controls are most needed and where they should be implemented first. While, there are baseline controls that should be implemented for all information systems, without conducting a risk analysis how does the organization know if these controls are sufficient to reduce risks to ePHI to an acceptable level? Without a risk analysis, there may be gaping holes left in the security program. And as Director Severino said, hackers are sure to find these gaps.
Calling it a risk analysis, does not make it OCR-Quality® Risk Analysis
In working with hundreds of healthcare organizations (and helping many to respond to OCR investigations), we commonly see confusion as to what a risk analysis is. It’s not a vulnerability scan, it’s not a high-level security assessment, and no, it is not a checklist of controls. The risk analysis process must be comprehensive to include all systems with ePHI, follow all nine elements of OCR’s Guidance on Risk Analysis, and rely on an industry accepted process such as NIST 800-30 Guide for Conducting Risk Assessments.
Risk analysis is only one piece of the risk management process
The organization must have an established risk management process, which includes (1) defining how it measures and calculates risk, including establishing a risk tolerance threshold, (2) identifying information systems and components with ePHI, and assessing and analyzing vulnerabilities and threats (risks) to these systems, (3) responding to those risks, including deciding how to treat the risks, and when mitigation is chosen as a course of action, implementing additional security measures, and reconciling residual risk, and (4) monitoring changes in risks and effectiveness of controls in mitigating risks as an on-going, continuous process. Failure to implement and execute a systematic risk management program will result in a haphazard approach to addressing risks to ePHI, and will leave the organization vulnerable to cyberattacks that may have been otherwise prevented.
Compliance aside, risk analysis offers a strong return on investment
Clearwater Customers more know more than anyone that beyond the benefit of meeting OCR’s expectations, an OCR-Quality Risk Analysis helps them to have consistent, well-defined conversations about cyber risk, and make better decisions as to how to protect the organization. Through strong risk analysis and risk management programs, our Customer have been able to direct spending and resources optimally, and get more “bang for their buck” with every dollar invested in cybersecurity. They use our IRM|Analysis® software-as-a-service to conduct a risk analysis on their information systems. Built in workflow helps facilitate decisions on how they treat their high risks – accept, avoid, transfer, or mitigate. In the case of mitigation, IRM|Analysis’ Risk Response Optimizer helps them to choose the controls that reduce the most risk, and they can exercise and document a thoughtful approach to planning and implementation of additional controls that aim to reduce the risk score to an acceptable level. Our Customers are able to weigh the cost and effort of implementing various controls against the benefits and amount of risk reduction they bring. As a result, they have achieved compliance and also strong ROI on their security investments.
OCR has indicated time and again that risk analysis and risk management, as required under the HIPAA Security Rule, are priority areas of focus in its investigations related to breaches of ePHI. The recent enforcement actions emphasize the need to conduct enterprise-wide risk analysis that follows OCR’s guidance (including all nine required elements of a risk analysis). Further, healthcare organizations must implement risk management plans to reasonably and appropriately respond to risks that exceed their risk tolerance thresholds.
A checklist, vulnerability scan, or high-level security assessment is not a replacement for risk analysis, and relying on these types of assessments to analyze risks to an organization’s ePHI can lead to disastrous results. Neglecting to conduct an OCR-Quality Risk Analysis leaves the organization vulnerable to ransomware attacks and breaches of ePHI, and organizations that don’t invest in these programs may be subject to OCR enforcement.
The risk analysis and risk management process, including all resulting remediation actions, must be done by the book and must be fully documented. In mid-to-large organizations, enterprise-wide risk analysis is a complex process, and it can only be performed well if the organization has both the expertise and the appropriate software tools with embedded algorithms and workflows processes that are specifically designed to meet OCR’s standards.
It is ultimately the responsibility of leadership to ensure its security team is prioritizing risk analysis and risk management, and that the team has the resources and tools to do it the proper way. If the process is done correctly, risk analysis and risk management will better protect the organization and its ePHI. And if a breach should occur, the organization will be able to demonstrate to OCR – and its patients or customers – that it took reasonable and appropriate steps to assess and manage risk. As a result, it will be more likely to avoid costly fines and reputational damage.
Reach out to the Clearwater team with your questions at firstname.lastname@example.org.