Guest Column | October 31, 2016

GRC Approach Builds Strong Foundation For OCR Audit Readiness


By Sam Abadir, Director of Product Management at LockPath

Healthcare providers are shouldered with many serious responsibilities. From patients’ physical health and safety to their data security and privacy — and everything in between — doctors’ offices and hospitals operate on stringent standards. With the evolution of HIPAA, patient privacy and information security have become as important as healthcare outcomes. As the Office for Civil Rights (OCR) steps up Phase 2 HIPAA audits and post-breach investigations, healthcare providers and their business associates (BA) are under increasing pressure to ensure that their programs for protecting electronic protected health information (ePHI) are thorough, effective, and compliant.

The OCR’s list of recent settlements and enforcement actions should be incentive enough. Piling on the alarming statistics from recent studies on healthcare data security drives the point home: nine out of ten healthcare organizations reported a data breach in the past two years, and 45 percent reported more than five breaches in the same period. Due to the valuable nature of ePHI (personal and financial) and a lack of data security, cybercriminals target healthcare organizations most frequently. Ransomware attacks are especially harmful and costly, often leaving providers without access to patient records and critical systems. According to the FBI, $209 million in ransomware payments were reported in the first quarter of 2016, a dramatic increase from the $24 million paid in all of 2015. According to a recent poll, more than half of U.S. hospitals have experienced at least one ransomware attack in the past year.

Healthcare providers are under siege, facing the dual challenges of cyber-attacks and OCR audits. As they recognize that they are a target, and that their patients’ data is in the crosshairs, they should seek an approach that addresses both challenges at once: policies, procedures, systems, and training that protect ePHI and also lay the groundwork for more effective responses to breach incidents and audits. Weaving a tighter web around sensitive data protects more than patient privacy — it protects the quality of patient care, builds trust in healthcare providers, enhances business reputation, and contributes to the bottom line.

Building a more effective data governance, risk management, and compliance program defends against data loss, system downtime, fines, public exposure, and lawsuits. It spares you the time and panic often associated with being audited. You need to do your homework before you have mere days to complete the big assignment (an OCR desk audit or post-breach investigation). If nine out of ten healthcare organizations reported a recent breach, an OCR desk audit or a post-breach investigation might be right around the corner. The key is to move beyond siloed data collection and manual processes by systematizing the interconnection of people, processes, assessments, and documentation on a comprehensive technology platform, ensuring that serious incidents and critical requirements don’t fall through the cracks.

Systematizing the process by capturing, correlating and triaging security data for efficient review and integrating the security policy lifecycle helps to effectively communicate the depth of your organization’s security and information governance programs. The ability to retrieve reports and visualize data means that progress and priorities can be shared more readily across the organization, fostering a culture of accountability. Knowing that the reports are developed from verifiable, common data builds trust and eases decision-making processes. Those tasked with governance, risk management, and compliance (GRC) activities can get more done, take on more responsibility, and be more proactive in shaping the business — with the same amount of staff. This is especially vital in healthcare organizations, which are typically short on cyber security expertise and overburdened with compliance-related activities.

Per the OCR, you must prove your practices constitute a “permanent and robust program” — policies, procedures, training, and review processes in place and functioning as intended regarding security, privacy, operational risk management, and information governance. BAs and their subcontractors must also have these programs in place, and the primary Covered Entity (CE) has to monitor and assess their compliance with BA Agreements (BAAs). The OCR also requires documentation of all related activities in order to prove that policies and procedures have been communicated to relevant employees and BAs. And you need to have all this data, and more, at your fingertips when it comes time for an audit.

When it comes to security and compliance, covering the basics can be a challenge.

  • Conduct risk assessments and risk management programs that correlate to the HIPAA Security Rule. Review policies and procedures related to PHI privacy and security: identify all systems that involve PHI and thoroughly assess vulnerabilities, access restrictions, encryption, and physical security. Ensure that systems and software are in place to defend against malware and ransomware.
  • Review breach reporting requirements and procedures. Train employees to recognize and report social engineering attacks and to follow HIPAA privacy requirements. Evaluate and document privacy notice policies and procedures. Ensure that a sanctions policy is in place and enforced.
  • Make sure you have policies and procedures for encryption, password management, mobile device controls, continuous monitoring, and backup and disaster recovery. Send out frequent reminders and conduct regular reviews.

All these policies and procedures require documentation of dissemination and training, review and testing, remediation, changes and updates, corresponding controls, and reporting. Many healthcare organizations have discovered that using office suites to manage risk and compliance is costly and cannot provide the 'architecture' required by the OCR. Comprehensive governance, risk management, and compliance (GRC) platforms are purpose-built to manage these efforts in a manner consistent with the OCR architecture vision. GRC platforms provide functionality to perform assessments, to put workflows in place, and to consume, correlate, and report on data. Metrics can be captured and communicated through data visualization tools, and big-picture dashboards and audit-ready reports can be generated without coding or manual data collection. Bringing data from all security, risk, and compliance activities into a unified view means fewer surprises at audit time, heightened accountability across the organization, and faster breach detection and response. BAA documents and related assessment activity are likewise streamlined and centralized for more effective third-party risk management and audit preparation.

An insightful Lexology review of OCR’s recent HIPAA enforcement activities highlights that healthcare organizations are struggling with the same core issues: failing to conduct adequate risk analyses, failing to make and maintain BA agreements, and lacking follow-through on policies and procedures. The OCR is conducting enforcement actions across the industry, from large healthcare systems to private practices to research institutes. BAs, like cloud service providers, have been specifically warned to assess their compliance with HIPAA rules for processing and transmitting PHI. OCR regional offices have been directed to investigate breaches affecting fewer than 500 individuals. In the first half of 2016, OCR initiated 885 compliance reviews, and 5,000 cases remain open. The nine resolutions reached in that period total over $20 million, an average of $2.2 million per settlement. This is comparable to the $28 million in settlements negotiated from 2003-2015.

In other words, the hot seat is getting hotter. Any healthcare organization that doesn’t take this seriously is vulnerable to a rude awakening, in the form of a cyber-attack, data breach, investigatory audit, or all of the above. Modern medicine and privacy standards require modern risk management. Manual processes using office suites are not up to the task, and will lead to case-by-case problem solving, undetected gaps in security coverage, disorganized documentation, and stressed-out staff. Prepare for disruptive incidents — cyber-attacks, natural disasters, mergers, lawsuits, legislative reforms, and yes, audits — with integrated, systematized GRC programs that build operational efficiency and organizational resilience. Done right, GRC instills healthcare organizations with the strength and resilience they need to deliver their life-saving services — not to mention compete in a complex, dynamic market.

About The Author
Sam Abadir is the Director of Product Management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions.