Faxing PHI is still a prevalent method of transferring information throughout the entire healthcare ecosystem. While the technology is rapidly changing in many areas of the industry, it is important to remember that “low-tech” methods can be useful in keeping faxed PHI secure. HIPAA allows PHI to be transferred by fax for treatment, payment, healthcare operations, and other reasons, assuming appropriate safeguards are in place. Here are a few best practices for securing PHI when it is transferred by fax:
Place the fax machine in a secure location that is not accessible to the general public;
Always use a cover page that includes the sender’s name and contact information, the intended recipient’s name, a confidentiality statement, and instructions to follow if it is sent to an unintended recipient. The cover page should not include any PHI;
Remove incoming faxes promptly; and
If your fax machine is storing any PHI, have a process to permanently remove it before you take the machine out of service.
Before you send a fax,
Sending PHI to an unintended recipient is a common occurrence, and each instance should be investigated to determine whether a breach of PHI occurred. If you send a fax to the wrong person:
Notify the appropriate person (e.g., the Privacy Officer) immediately;
Attempt to retrieve all copies of the fax or ensure the recipient destroyed the fax; and
Complete an incident alert form as directed.
While it may not have seen the same technological improvements or disruptions as other methods of communication, if used appropriately, faxing can still be a secure way to exchange PHI.
Last week the latest ransomware worm spread across the world. It encrypts files and demands a ransom payment in return for the decryption key.
This malware attack is commonly called “Petya” (also “NotPetya”) and, as a worm, it can spread from one computer to another within a Windows network without human intervention. As such, it targets organizational Windows networks, which are common in healthcare. The initial infection appears to use the EternalBlue exploit against SMBv1 (the flaw fixed by MS17-010) that was used in WannaCry. It also may arrive through the software updates of the Ukrainian financial software vendor MeDoc, as well as MS Word documents containing malicious code.
Propagation within the local network is done using PsExec and WMI, driven with credentials harvested from the infected host, so a single compromised machine with an administrative account can reach every host that account can log on to, including fully patched ones. The result of infection is encryption of files and overwriting of the Master Boot Record, so the machine will no longer boot. Once a system has been encrypted, it should be wiped and restored from backup. It is not clear that payment of the ransom will result in a usable key.
To prevent this malicious software from infecting your systems, check the following.
- Ensure all systems have up-to-date patches. In particular, make sure that MS17-010 has been successfully installed on all Windows systems, and disable SMBv1 where nothing depends on it.
- Restrict the utility “psexec.exe”. It is a legitimate administration tool, but during this outbreak it is the worm’s lateral-movement vehicle; block it with application control where possible and treat the PSEXESVC service appearing on a host as a sign that PsExec has been run against it.
- Block the file C:\Windows\perfc.dat from running.
- Review the available information on a potential vaccine (a read-only C:\Windows\perfc placeholder file that the malware checks for before it runs). While this is not a kill switch, it can be useful in preventing an attack on a host that cannot be patched immediately.
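The following triage script, added here as an example and not code from the original post, carries out the four checks above on a single Windows host. It assumes an elevated PowerShell session. The KB numbers are the MS17-010 updates the author of this example is aware of for the affected Windows versions; confirm them against Microsoft’s MS17-010 bulletin for your exact OS and servicing branch before relying on the result.

```powershell
# Added example (not from the original post): Petya/NotPetya triage for one host.
# Run as Administrator. The KB list is an assumption to be verified against MS17-010.

# 1. Is MS17-010 present?  Get-HotFix reads the same data as "Installed Updates".
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
                'KB4012598','KB4012606','KB4013198','KB4013429')
$present = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($present) { "MS17-010: installed ($($present.HotFixID -join ', '))" }
else { Write-Warning 'MS17-010 not found. On Windows 10 a later cumulative update supersedes it; compare the OS build instead.' }

# 2. SMBv1 is the protocol EternalBlue abuses; disabling it removes the remote vector.
#    The optional-feature cmdlet exists on Windows 8.1 / Server 2012 R2 and later;
#    the registry value covers older hosts where SMB1 has been turned off manually.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1) { "SMB1Protocol feature: $($smb1.State)" }
$smb1Reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name SMB1 -ErrorAction SilentlyContinue
if ($smb1Reg) { "LanmanServer SMB1 registry value: $($smb1Reg.SMB1)" }

# 3. PsExec: the PSEXESVC service is created on a host when PsExec has been run against it,
#    which during this outbreak is a sign of lateral movement. Also list local copies of the tool.
$svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "PSEXESVC service present (status $($svc.Status)) - investigate" }
else      { 'PSEXESVC service: not present' }
Get-ChildItem -Path "$env:windir", "$env:ProgramFiles", "$env:USERPROFILE" -Filter 'psexec*.exe' `
              -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

# 4. Vaccine: the malware looks for a file named after its own DLL (perfc) in %windir% and exits
#    if it already exists. Read-only placeholders are cheap, but they are no substitute for the patch.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:windir $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    "vaccine file present and read-only: $path"
}
```

Run it from a management host against each machine with Invoke-Command, or push it through your existing endpoint tooling, and collect the output per host: a host that reports no MS17-010 update and an enabled SMB1Protocol feature is the one to patch first.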
Unfortunately, once a system (or the network) has been infected, it may be too late and significant data loss is the likely outcome.
Please take a moment to attend to this risk by patching all systems, evaluating your vulnerabilities, deploying the vaccine, and training staff about suspicious files.
Please let us know if you have additional questions.
Did you realize that using out-of-date software, or software that is no longer supported by the manufacturer, poses a significant risk to PHI? This is notable because last month Microsoft stopped supporting the Windows Vista operating system (“OS”). While Vista is not widely used in the healthcare industry, there are still an estimated 200 million users worldwide.
Vista notwithstanding, you may very well be using software that has reached the end of its life and is no longer being supported. This is concerning because without the security updates that come with supported software, your applications remain vulnerable to malicious software and other threats, and no fix will ever arrive. Moreover, attackers are known to target these vulnerabilities, since an exploit for an unsupported product keeps working indefinitely. These threats are not mitigated by encryption or anti-virus software, which do nothing to stop exploitation of OS vulnerabilities.
You should periodically (2-4 times a year) run a vulnerability scan on your systems to detect unpatched software or software that is no longer supported by the manufacturer. Use the results of each scan to update your software, thus mitigating your vulnerabilities. If you are using an application that is no longer supported by the manufacturer, you should immediately upgrade to a current version; where an upgrade is not possible (for example, software bundled with a medical device), isolate the system on the network and restrict what can reach it. These small steps are easy ways to reduce your risk and help you protect PHI.
Last week the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $400,000 HIPAA settlement with Metro Community Provider Network (“MCPN”), a Federally Qualified Health Center (“FQHC”) in Colorado. The settlement is the result of a 2011 breach in which a hacker used a phishing campaign to access employees’ email accounts and obtained the PHI of 3,200 individuals. Here are a few things you can learn from this situation to prevent the same from happening to your organization.
Conduct a Risk Analysis: It is a common theme throughout breach settlements, but it is worth repeating: conducting a security risk analysis is a fundamental part of preventing a breach. MCPN did not conduct a risk analysis until after it discovered the phishing incident. A risk analysis should be conducted and then reviewed periodically to ensure it is still accurate. It should be thorough enough to identify all of the risks within the organization, and it should be organization-wide. A risk analysis should include an analysis of all devices which store, process, access, or transmit PHI as well as all locations (offices, cabinets, off-site storage, the cloud, etc.) with PHI. The output of the risk analysis should be a comprehensive risk management plan which outlines remediation activities and how risks will be identified and evaluated in the future. While a risk analysis is a point-in-time assessment, the risk management plan must outline how the organization will consistently manage and mitigate risk into the future.
Implement and Update Policies and Procedures: OCR’s investigation indicated that MCPN had inadequate policies and procedures. This led to either a complete lack of PHI protection or the inconsistent implementation of safeguards. Having policies and procedures that are implemented and consistently updated leads to consistent implementation of the safeguards themselves. Without the policies and procedures, it is difficult to effectively protect PHI.
Train Your Staff: MCPN did a poor job of training its employees. Better training may have prevented that one employee from clicking on the phishing e-mail. Training is an essential component of protecting PHI. In your organization you should train all of your employees at hire, and at least once each year. You might also consider sending a simulated phishing campaign to your staff. This could be a critical opportunity to educate staff on what to look for in a phishing email and potentially prevent one in your own organization.
While this most recent breach settlement is similar to other recent settlements, it emphasizes the notion that conducting a risk analysis, having policies and procedures, and training employees are the fundamental building blocks of protecting PHI.
Everyone within your organization has at least one role. Access to Protected Health Information (“PHI”) may be required for each role, but not all roles require the same level of access. A great way to ensure staff are only accessing the minimum amount of PHI necessary to do their job, and thus satisfying the minimum necessary rule, is by implementing role-based access control.
In order to establish a practice of role-based access control, you will first make a list of all roles within your organization. Then, assign the minimum amount of access to PHI that each role needs. The list of roles, and thus the associated access, should extend beyond just the people employed by your organization. It should also include contractors, reviewers, IT staff, and the like. Most EHR systems make this process rather easy, and allow you to define roles and assign corresponding access.
At the same time you are implementing this safeguard, you will also want to document it with an applicable policy and a procedure. These documents will record how you limit PHI access to the minimum amount necessary, and will help ensure this process continues amid staff turnover and organizational growth. Finally, you also want to implement a system of periodic audits to ensure the roles and assigned access are still adequate and that users have been assigned to the appropriate role; pay particular attention to people who have changed jobs, since access from a former role is rarely removed unless someone checks. This simple check can help you identify necessary updates to your process and catch mistakes before they turn into vulnerabilities.
We all know that password protection is very important to keep our sensitive information safe, whether it is locking our smartphone or computer with a password or protecting the individual applications we use. However, not all passwords are created equal. Let’s look at some of the most important things to keep in mind to help you maximize the security of using a password:
Choose A Strong Password: Your password must be strong. In order to create a strong password it should be a combination of upper and lower case letters, numbers, and special characters, and it should be at least eight characters long. It should not be something easily guessed like your birthday or “Password.” Best practice is to use a passphrase in which numbers and symbols have been substituted for letters. For instance, the phrase “Julie bumped her head” would become “Ju1i3_6umped_h3r_he@d.” Keep in mind that substitutions such as 1 for i and @ for a are well known to password-cracking tools, which apply them automatically, so most of the strength of a passphrase comes from its length and from the phrase not being a common one, not from the substitutions.
Change Passwords Frequently: Passwords should be changed with a high degree of frequency. Best practice is to change passwords every 90 days, and to not permit the reuse of the last six passwords. While this might create some struggles for staff, the benefit of having frequently changed passwords will be worth it. Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic changes unless there is evidence of compromise, because users tend to respond with predictable variations; if you keep a rotation schedule, pair it with a check against known-breached passwords. In every case a password must be changed immediately when there is any reason to believe it has been exposed.
Never Share or Disclose: It will come as no surprise that passwords should not be shared with anyone. If you have a procedure in your organization in which the IT department issues passwords to users, that should be changed so that any password IT issues is temporary and must be replaced by the user at first login. Furthermore, passwords should never be written down; if staff cannot remember unique passwords for every system, provide an approved password manager rather than tolerating sticky notes. If a password is shared or disclosed to someone other than the unique user, it should be changed immediately.
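To make the rules above checkable rather than aspirational, the script below, added here as an example and not code from the original post, implements them as a reusable policy check and adds two things the post only implies: a normalizer that undoes the common “leet” substitutions (showing why they add little on their own), and a password-history check that stores only salted PBKDF2 hashes of previous passwords. The substitution table, the common-word list and the history entries are constructed for illustration; the eight-character minimum is the post’s own.

```powershell
# Added example (not from the original post): password policy check with de-leet
# normalization and a salted-hash history. LeetMap, CommonWords and the history are
# constructed for illustration; substitute a real breached-password list in production.

$LeetMap = @{ '1'='i'; '!'='i'; '3'='e'; '4'='a'; '@'='a'; '0'='o'; '$'='s'; '5'='s'; '7'='t'; '6'='b'; '8'='b' }
$CommonWords = @('password', 'welcome', 'letmein', 'qwerty')   # stand-in for a real blocklist

function ConvertFrom-Leet {
    # Reverse common character substitutions, turn separators into spaces, lower-case the rest.
    param([Parameter(Mandatory)][string]$Password)
    $out = New-Object System.Text.StringBuilder
    foreach ($c in $Password.ToCharArray()) {
        $s = [string]$c
        if ($LeetMap.ContainsKey($s))  { [void]$out.Append($LeetMap[$s]) }
        elseif ($s -match '[_\-\.]')   { [void]$out.Append(' ') }
        else                           { [void]$out.Append($s.ToLower()) }
    }
    $out.ToString()
}

function Get-PasswordHash {
    # PBKDF2-HMAC-SHA1 (.NET Rfc2898DeriveBytes), 100000 iterations, 32-byte key as base64.
    # Only this value and the salt are kept in the history; the password itself is never stored.
    param([string]$Password, [byte[]]$Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $Salt, 100000)
    [Convert]::ToBase64String($kdf.GetBytes(32))
}

function New-PasswordHistoryEntry {
    param([string]$Password)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    [pscustomobject]@{ Salt = $salt; Hash = (Get-PasswordHash -Password $Password -Salt $salt) }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [object[]]$History = @(),   # previous entries, oldest first; the post says keep six
        [int]$MinLength = 8
    )
    $problems = @()
    if ($Password.Length -lt $MinLength)     { $problems += "shorter than $MinLength characters" }
    if ($Password -cnotmatch '[A-Z]')        { $problems += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]')        { $problems += 'no lower-case letter' }
    if ($Password -notmatch '[0-9]')         { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]')  { $problems += 'no special character' }
    # Blocklist check runs on the normalized form, so "P@55w0rd" does not slip past "password".
    $plain = ConvertFrom-Leet $Password
    foreach ($w in $CommonWords) {
        if ($plain -like "*$w*") { $problems += "contains common word '$w' once substitutions are undone" }
    }
    # History check: re-derive with each stored salt and compare; only the last six count.
    foreach ($h in ($History | Select-Object -Last 6)) {
        if ((Get-PasswordHash -Password $Password -Salt $h.Salt) -eq $h.Hash) {
            $problems += 'reuses one of the last six passwords'; break
        }
    }
    [pscustomobject]@{ Password = $Password; Normalized = $plain; Passes = ($problems.Count -eq 0); Problems = $problems }
}

# Usage
$history = @((New-PasswordHistoryEntry 'Ju1i3_6umped_h3r_he@d'))
Test-PasswordPolicy 'P@55w0rd!'                               # meets every character rule, fails: normalizes to "passwordi"
Test-PasswordPolicy 'Ju1i3_6umped_h3r_he@d' -History $history  # fails: reuses a password in the history
Test-PasswordPolicy 'M@ple_tr33s_fall_in_0ct0ber'             # passes
```

The point of the normalizer is in the first usage line: “P@55w0rd!” satisfies every character-class rule in the post and would be accepted by a checker that only counts character classes, yet it is one of the first guesses any cracking tool will make. Checking the de-substituted form against a list of common and breached passwords catches it.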
Passwords have the power to contribute significantly to your organization if they are managed correctly. Strong passwords should be required, they should be changed frequently, and kept secure in all instances.