Summer 2019 OCR Cybersecurity Newsletter (Aug. 29, 2019)
HHS’s Office for Civil Rights (OCR) has published its Summer 2019 Cybersecurity Newsletter, addressing threats posed by malicious insiders with access to protected health information (PHI) and outlining steps to detect and prevent leakage or destruction of PHI by authorized users acting with malicious intent. The newsletter explains that malicious insiders can exfiltrate PHI stored on an organization’s IT systems in various ways, including transmitting information in encrypted messages, copying information to a mobile or storage device such as a cell phone or USB drive, or physically removing or stealing equipment.
Emphasizing the importance of early detection, OCR highlights steps to identify suspicious activity, including—
Understanding the Operating Environment. Knowledge of PHI’s location, format, and movement through the organization is crucial to conducting a comprehensive risk analysis, which forms the basis for policies, procedures, and security measures to reduce risks to PHI to a reasonable level. Organizations should identify who is permitted to interact with PHI and what PHI they can access as the foundation for appropriate access controls. The newsletter notes that organizations should leverage their risk analysis when establishing access controls, including physical, network, and role-based controls. Moreover, organizations must understand how users interact with PHI to adopt appropriate safeguards. Because certain devices—such as laptops, smart phones, and mobile storage devices—are difficult to control, OCR suggests that organizations consider limiting unnecessary mobile device use and preventing copying of PHI to unauthorized external devices.
Monitoring Activity. The newsletter cites trends such as the migration to cloud computing, increased use of mobile devices, and the adoption of Internet of Things technology (i.e., embedding internet accessibility in common devices, machines, and appliances) as factors reducing an organization’s ability to detect anomalous user behavior or other indicators of misuse. To minimize this risk, an organization should employ audit controls and other safeguards to detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device (e.g., a thumb drive).
Adapting to Change. Organizations should view security as a dynamic process requiring continuous awareness, assessment, and action under changing circumstances. The PHI that users can and should access may change over time, and organizations should be especially sensitive to insider threats in cases of involuntary termination of employment, ensuring that access to PHI is terminated before the user leaves employment.
EBIA Comment: The newsletter provides helpful context for the very real threats posed by malicious insiders—while noting that insiders’ unintentional or inadvertent actions can also introduce security threats. Covered entities and business associates may wish to review the provisions cited in the newsletter and assess the adequacy of their corresponding policies and procedures. OCR’s selection of this topic for the newsletter may presage increased enforcement activity in this area. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Administrative Safeguards”), XXX.C (“Physical Safeguards”), and XXX.D (“Technical Safeguards”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).
Contributing Editors: EBIA Staff.