OIG Security Audits—Coming to a Practice Near You?
Just how secure is your practice’s EHR?
That’s one of the many questions the Office of Inspector General (OIG) will ask if it pays your office a visit next year.
In its recently-released FY 2016 Work Plan, the OIG says it will perform audits of “various covered entities receiving EHR incentive payments from CMS to determine whether they adequately protect electronic health information created or maintained by certified EHR technology.” The OIG also listed this item in the mid-year update to its FY 2015 Work Plan.
Tom Walsh, CISSP, president and CEO of tw-Security, says that the OIG audits likely grew out of concern that Figliozzi & Company—the entity with which CMS contracted to perform Meaningful Use audits—wasn’t properly enforcing various requirements of the regulation, one of which pertains to HIPAA security. Although practices may have undergone CMS MU audits in the past, the OIG audits—often viewed as more stringent—are definitely on the horizon, he adds.
Security in the digital age
Securing protected health information (PHI) has become increasingly challenging in the age of EHRs, says Walsh. He recalls one physician practice that lost PHI after a hacker installed ransomware on the practice’s EHR. When the practice refused to pay the ransom, the hacker posted PHI on the Internet.
Other dubious hackers register domains that are slight variations of the well-known domains of local hospitals or physician practices. For example, the hacker might use the name of a hospital in his or her domain but change a lower case L to the number one, both of which look very similar. When an unsuspecting patient receives an email with a link to the hacker’s website, one can only imagine the information to which the hacker will have access once that patient believes he or she is providing clinical and financial information to his or her provider.
Stories like these are unfortunately not uncommon, says Walsh, which is another reason why the OIG is focused on security. What exactly will the OIG look for?
“The number one failure pertains to the risk analysis,” says Walsh. “The reason is because it’s the most misunderstood of the Meaningful Use core objectives.”
Although the Office of the National Coordinator provides a Security Risk Assessment (SRA) tool to assist practices, Walsh says the nearly 500-page document is anything but helpful for the average understaffed physician practice in which the practice manager has far too many responsibilities.
“Over the years, many practices have opted—sometimes unwillingly—to join larger healthcare systems because these systems have the resources to manage all of this,” he says. “It’s becoming harder and harder for small practices to keep up with all of these regulatory requirements.”
The SRA tool, which is based on the original HIPAA Security Rule of 1998, is also outdated. Interestingly, the tool doesn’t include terms such as hacker, firewall, intrusion, mobile device, and many other key words relevant in today’s highly-technological environment.
“We’re trying to assess organizations against a security rule that was written in the late 90s when we were still in a mainframe computer environment,” says Walsh.
In more simplistic terms, Walsh says a risk assessment should include the following steps, each of which should be described via formal policy:
- Identify threats, current controls, and vulnerabilities.
- Determine the likelihood (or probability) that each threat will occur.
- Describe the impact of the threat, if realized.
- Assign an overall risk score for each identified threat.
- Create a risk summary report that includes a description of how the practice will handle each risk (i.e., whether the risk will be accepted or whether the practice will take steps to mitigate the risk).
Mitigating risk in your practice
One of the easiest ways to mitigate risk is to simply require stronger passwords (i.e., those with a minimum of 8 characters). Walsh says hackers often use password-cracking programs to easily break into shorter passwords. Passwords with six characters, for example, can be hacked in 72 hours or less. It would take a hacker 75 years to hack into an 8-character password. If the practice uses a patient portal, require patients to use complex passwords as well.
Another simple solution is to block all in- and outbound Internet traffic from most foreign countries. Only allow certain URLs or IP addresses. Exceptions could include a foreign technical support company or an outsource revenue cycle vendor, for example.
Following are several other steps practices can take to mitigate risk:
- Educate the workforce about new cyber-threats and email phishing schemes.
- Enable automatic timeouts.
- Enable power-on passwords.
- Encrypt any data to which your business associates have access.
- Encrypt stored data. If you don’t encrypt certain databases, be prepared to describe to the OIG and other auditors why you made that decision.
- Implement mobile device security for smartphones, laptops, and tablets. Require encryption, and develop a policy for when and how providers will access PHI via their devices.
- Monitor audit logs frequently.
- Require stronger security controls (e.g., secure WIFI) for remote workers/telecommuters.
Also address these other vulnerabilities
Walsh says practices must also be cognizant of these potential vulnerabilities to the security of PHI:
- Free document-sharing websites
- Free email services
- Lack of defined level of access control
- Mobile devices
- Outdated security patch management
- Smartphone backups to the cloud
- Storing PHI in the cloud
- Weak passwords
Be leery of free services, says Walsh. “There’s a problem with anything that’s free. You’ve got to ask yourself, ‘What’s the business model?’ It’s all about data mining,” he says. The solution is to pay for the right tools that offer security and encryption, he adds. “You work hard to build the business and build a name in the community. The last thing you want to do is let people down. If you don’t properly protect your data, do you think patients will come back?”