HIPAA Say What!?!
[08:40] Today, we are going to cover a few different HIPAA points in our HIPAA Say What!?! segment:
Follow up on status of Scripps attack.
Scripps Health Attackers Stole PHI of 147,000 Patients
Notifications have begun. The good news is that they say the patients being notified were those whose data was in documents exfiltrated from outside the EHR itself. This whole case is a reminder for everyone to think about more than your backups when it comes to planning for these incidents.
- Create a communications plan… for staff, partners, patients and external contacts like law enforcement and the news stations.
- Plan to treat patients without access to systems for at least 10 days, but note that number keeps growing.
- Do not assume all PHI is in your EHR. Documents are a treasure trove of information about your business AND your patients. The minute you think you don’t have PHI somewhere is the minute you make a plan to confirm that with regular audits.
- Prepare to notify patients as soon as possible. These patient messages on FB made it clear they thought they should be notified during the attack. Communicate that to patients, but don’t drag it out when you are in the news. They are watching the clock.
- Know that recovery will take weeks and even months based on the number of days you are down – Scripps is learning that one right now.
We will continue to watch this. But, I am interested to see how long it takes for them to have their feet back under them fully. At least as much as we can learn about it. This is a huge system so there were bound to be issues when it happened. So far, it seems they are hanging in there very well. Best of luck to them as they take on this major challenge of recovery and repair.
We got news yesterday that another hospital system is dealing with an attack that apparently started on Monday. Talk about a tough way to start a new job; check out what is happening in Central Florida: New COO takes over at The Villages hospital as ransomware attack freezes computers.
Another right of access agreement
[24:56] The Diabetes, Endocrinology & Lipidology Center, Inc. has the honor of being the 19th group to make this list. The issue started with a patient complaint in August 2019 and ended with an OCR resolution agreement in June 2021. The investigation started in Oct 2019 and found that the West Virginia practice had, indeed, not provided the information to a woman asking for records about her son’s care.
From the press release:
The $5,000 payment and 2-year CAP are pretty standard. We don’t get to learn much more about the details. I really do wish we could learn more about why the practice hadn’t provided the records in these cases. I specifically want to know if this was because someone didn’t know they were violating the law or because they actually believed they were doing the right thing.
It’s HIPPPPAAA again!
[29:36] Just one more thing. It is so hard to read news stories without having a moment. As I was trying to read the news about the new SCOTUS ruling on the Computer Fraud and Abuse Act (Supreme Court Votes to Limit Computer Fraud and Abuse Act), it didn’t take long before someone thought about HIPAA. If you think you would say “I just can’t keep reading,” you can relate to how I was feeling at that point.

Maturity Model Matters
[32:30] We have discussed maturity assessments more than once on our show. Both of the main ones happened in 2019, which we know was a whole different world than what we live in today. In case you missed them, here are links to those podcasts:
Maturity Assessments – Ep 206 and 6 Signs Of HIPAA Program Maturity – Ep 222
But this year, and each of the coming years, we will all be discussing something called the CMMC more and more as time goes on. The use of this model is being discussed all over the cybersecurity world because it breaks controls into levels so you can see what implementation level or maturity level your program is at any given moment. There are several articles out there that try to explain what the whole thing is about. My favorite one is done by CSO Online – CMMC explained: What defense contractors need to know.
As the title suggests right away, this maturity model is published by the DoD and required for all defense contractors to begin implementing. Yes, we are all about HIPAA. However, this is the direction we know things need to go towards in healthcare as well as any industry that takes cybersecurity seriously.
The CMMC defines varying requirements that relate to different maturity levels for your program. To have any kind of contract in this industry, you will eventually need to be certified with at least a Level 1 CMMC. Eventually, to have access to classified information of any sort, you will need to reach Level 3 and the major folks will have to reach all the way to Level 5 to stay in the game.
The program is being rolled out starting this year, with a certain number of contractors selected to meet the Level 1 requirements. Each year they will add more contractors and higher levels, until all contracts require some level of certification.

They haven’t finalized how the certifications will happen yet. You can’t even take the course to become a certified assessor until this fall. But don’t doubt that this will be discussed in all corners of the industry as the rollout continues.
What are CMMC levels?
[36:17] The levels assume you are doing something, because there isn’t a zero level. If you have everything required for Basic Cyber Hygiene, you are Level 1. Intermediate Cyber Hygiene is Level 2, and Good Cyber Hygiene is Level 3.

Didn’t we just talk about cyber hygiene and how there are several layers of it? In this case there are 17 Cybersecurity Practices considered to be Basic Cyber Hygiene. Level 2 jumps to 72 practices. By the time you’ve hit Levels 3 – 5, you can prove you follow 130, 156 and 171 practices respectively.

A very specific note to point out from the Assessment guide:
What about healthcare maturity models?
[42:23] Last fall, HC3 did a presentation on using some version of a maturity model for healthcare. There is no doubt it would make sense to do some sort of implementation along these lines in healthcare. Maybe that is what we end up doing in 405d, but who knows at this point. It just makes sense. Granted, the NIST CSF has its implementation tiers, which are something in this ballpark, but the CMMC is much more specific.
We have been doing this for years, but using my own formula. We look at the threat and vulnerability and first ask what your plan is. Then we ask how well you have done at getting the documentation, training, and incident response plans in place to make that happen.
I am definitely looking into how we can apply the CMMC concepts to our HIPAA assessments. Our model expects that you must be at least at what would be Level 3 here to be following HIPAA in the most basic sense. I found it very interesting that you must reach that level to get a contract with access to confidential information. Sounds like there is a lot in sync from that perspective. Honestly, the goal to be at Level 4 is what all companies should desire today, but if we can get them all at a Level 3 everything would be so much better in our cybersecurity world.
