The Department of Health and Human Services Office for Civil Rights is urging health care providers to review and bolster information access management and access controls to combat the spate of cyberattacks against the sector.
Referencing the 2021 Verizon Data Breach Investigations Report (DBIR), OCR stressed external attacks caused 61% of health care data breaches in the last year, compared with just 39% brought on by insiders.
Combined with the recent Fortinet Health Security report that showed cyberattacks rose by 185% in 2021, the threat of unauthorized access is a pressing health care security issue that can be addressed with adequate identity and access management.
In light of frequent news stories and OCR investigations into the hack of information systems, impermissible access by workforce members, and exposed electronic protected health information, OCR focused its latest cybersecurity newsletter on best practice considerations and review access control methodologies to ensure each provider network is secured.
“Without appropriate authorization policies and procedures and access controls, hackers, workforce members, or anyone with an internet connection may have impermissible access to the health data, including PHI, that HIPAA regulated entities hold,” OCR stressed.
Information management and access controls include policies and procedures for authorizing access to ePHI, and both are required by the Health Insurance Portability and Accountability Act.
HIPAA requires covered entities and relevant business associates to implement these processes with specific implementations to assess and address systems access with reasonable and appropriate safeguards tailored to the needs of their organization.
A risk assessment can support an entity’s choice to not implement a particular specification, as HIPAA also requires entities to document why certain, required safeguards may not be ideal for a specific enterprise. In those cases, the entities must implement an equivalent, alternative measure, if found to be a more reasonable or appropriate choice for the environment.
OCR considers access management as an administrative safeguard and access control as a technical safeguard. In tandem, the tools ensure “organizations implement policies and procedures and technical controls that limit access to ePHI to only authorized persons or software programs that have been granted access rights.”
For access management, HIPAA outlines three implementation specifications: two designed for covered entities and business associates, and the other specific to health care clearinghouses.
Access authorization is the implementation of policies and procedures to govern how an entity enables access to ePHI within the organization, such as the processes that grant, authorize, or respond to requests for access to systems containing ePHI.
OCR reminded organizations that the “policies typically govern the parameters for which individuals in particular workforce roles may be granted access to particular systems, applications, and data.”
“Those parameters would reflect what information access is necessary for a workforce member to do their job,” according to the alert. “For example, a billing clerk role may not need access to medical images on a Pictures Archiving and Communication System (PACS) server in order to carry out their billing responsibilities.”
The recent SC Media report on PACS vulnerabilities show a lack of access controls and user management processes are contributing to the exposure of medical images and other personal health information or identifiers.
The other HIPAA-required process involves access establishment and modification policies, which describes the necessary policies to govern users’ access to workstations, transactions, programs, and other endpoints.
For example, when an employee is let go from an organization or changes departments, a covered entity needs processes in place to either remove, decrease, or increase access to certain systems and data.
OCR stressed that these measures need to include multiple scenarios “ensure that each workforce member’s access continues to be appropriate for their role.”
Meanwhile, HIPAA requires four implementation specifications for access controls, which are designed to limit ePHI access to only authorized users and software programs: unique user identification, emergency access procedures, automatic logoff, and encryption and decryption.
OCR reminded entities that when ePHI is encrypted under NIST specifications, it’s “not considered unsecured PHI and therefore is not subject to the Breach Notification Rule.” That means, when a device is lost or stolen and the ePHI contained within it is encrypted, the entity won’t need to file a breach report with HHS.
The NIST guidance provides detailed steps on how an entity can address its specific encryption needs broken down by storage security basics, encryption technologies and a comparison of each type, and planning and implementation insights.
“Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the access control standard, but also provides a means to leverage the breach notification rule’s safe-harbor provision,” explained OCR.
“As the use of mobile computing devices becomes more and more pervasive, the risks to sensitive data stored on such devices also increases,” it added. “Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.”
Automatic logoff is another crucial step that is often overlooked by providers. Particularly in emergency departments and other fast-paced health care environments, users may leave workstations unattended as they may not have time to manually log out of a system. As a result, these providers are inadvertently increasing the risk of unauthorized access.
Providers must implement an automatic log-off mechanism, which will terminate an electronic session after a designated period of inactivity and reduce the risk of unauthorized access or, even worse, the potential for an actor to alter or destroy ePHI. Failure to implement automatic log-off functions also hinders the ability of an organization “to properly investigate such unauthorized access because it would appear to originate from an authorized user.”
In 2020, the Health Information Sharing and Analysis Center (H-ISAC) released an identity management framework targeted to health care chief information security officers. The guide can help covered entities better manage identity and access controls to better support overall enterprise cybersecurity.
H-ISAC is an advocate of leveraging an identity-centric cybersecurity approach in health care, as identity issues are a leading cause of the sector’s data breaches. The ideology is meant to better align resources to threat defenses.
“Identity should be owned and operated by an organizational function motivated by risk, e.g., the CISO, not one motivated by service levels and speed, e.g., the Service Desk or HR,” H-ISAC leaders explained in a supporting white paper. “If your organization is targeted, attackers are likely to start with attacks on identity systems – and if breached, the most likely source is exploitation of weaknesses in identity systems.”
Tackling access management and supportive controls can better support health care entities with defending against the ongoing targeting of providers.