HHS Urges Orgs to Develop Data Security Policies, Procedures Around Electronic Devices
The U.S. Department of Health and Human Services' Office for Civil Rights recently detailed steps organizations should take to secure protected health information (PHI) on electronic media and devices.
The Office for Civil Rights (OCR) reiterated recently that regardless of where sensitive data - namely PHI - is kept or processed, it needs to be safeguarded.
The office, a division of the U.S. Department of Health and Human Services, stressed in its most recent cybersecurity newsletter (.PDF) that covered entities under HIPAA need to ensure that any devices used to process, transmit, or store PHI have safeguards in place to "ensure that the information they handle is secure and their functionality is not impaired."
The memo underscores the susceptibility of electronic and mobile devices, like smartphones, laptops, USB thumb drives, and so on, to malfeasance, theft, and loss.
“Many electronic devices and media are used to process or directly store PHI,” the OCR wrote. “Anyone with physical access to such devices and media, including malicious actors, potentially has the ability to change configurations, install malicious programs, change information, or access sensitive information – any of these actions has the potential to adversely affect the confidentiality, integrity, or availability of PHI.”
Like much of OCR's guidance, the advice offered by the office isn't ironclad, nor is it legally enforceable, hence the name of the memo: “Considerations for Securing Electronic Media and Devices.”
Where OCR's advice is warranted - and should be viewed as a requirement - is where it refers to HIPAA and the legislation's stipulations around limiting physical access to electronic information systems and implementing policies around devices that contain healthcare data. Specifically, covered entities need to implement policies or procedures to "govern the receipt and removal of hardware and electronic media containing electronic PHI (ePHI) into and out of an organization's facility and their movement within a facility."
OCR went on, encouraging that organizations ask themselves:
• Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?
• Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?
• Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?
• Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?
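One way to put the first, second, and fourth questions into practice is a tamper-evident custody record for devices and media. The following is an added example, not code from OCR or from the original article: each lifecycle event (receipt, move, repair, disposition) must name a responsible person, entries are hash-chained so a later edit to the record is detectable, and an audit function checks the record against an inventory. The device ids, custodian names, and the `inventory` shape (`holds_ephi`, `encrypted`) are constructed for illustration.

```python
import hashlib
import json

# Lifecycle events the OCR questions cover: receipt, movement, repair, disposition.
EVENT_KINDS = {"receipt", "move", "repair", "disposition"}
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only device/media record. Every entry names a responsible person and
    links to the previous entry's hash, so altering any entry after the fact
    breaks verification (an audit control for the record itself)."""

    def __init__(self):
        self.entries = []

    def record(self, device_id, kind, location, custodian, **details):
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        if not custodian:
            raise ValueError("every event must name a responsible person")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "device": device_id, "kind": kind,
                 "location": location, "custodian": custodian,
                 "details": details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True iff every entry's hash matches its contents and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True

    def current_state(self):
        """Fold the event history into one status per device."""
        state = {}
        for e in self.entries:
            s = state.setdefault(e["device"], {"received": False, "location": None,
                                               "custodian": None, "disposed": False,
                                               "wiped": False})
            s["location"], s["custodian"] = e["location"], e["custodian"]
            if e["kind"] == "receipt":
                s["received"] = True
            elif e["kind"] == "disposition":
                s["disposed"] = True
                s["wiped"] = bool(e["details"].get("sanitized"))
        return state


def audit(ledger, inventory):
    """Check the ledger against the OCR questions. `inventory` maps device id ->
    {"holds_ephi": bool, "encrypted": bool} (assumed shape, maintained elsewhere)."""
    findings = []
    if not ledger.verify():
        findings.append(("ledger", "hash chain broken: record may have been altered"))
    state = ledger.current_state()
    for dev, info in inventory.items():
        s = state.get(dev)
        if s is None or not s["received"]:
            findings.append((dev, "no receipt event: device not tracked from intake"))
        if info.get("holds_ephi") and not info.get("encrypted"):
            findings.append((dev, "holds ePHI but no encryption recorded"))
        if s and s["disposed"] and not s["wiped"]:
            findings.append((dev, "disposed without recorded sanitization"))
    return findings


def demo():
    """Constructed sample history: two laptops and one USB drive."""
    ledger = CustodyLedger()
    ledger.record("LT-001", "receipt", "IT stockroom", "a.nurse", serial="SN-0001")
    ledger.record("LT-001", "move", "Clinic B", "a.nurse")
    ledger.record("USB-07", "receipt", "IT stockroom", "it.ops")
    ledger.record("USB-07", "disposition", "e-waste vendor", "it.ops", sanitized=True)
    ledger.record("LT-002", "move", "Clinic A", "b.admin")  # moved but never received
    inventory = {
        "LT-001": {"holds_ephi": True, "encrypted": True},
        "LT-002": {"holds_ephi": True, "encrypted": False},
        "USB-07": {"holds_ephi": True, "encrypted": True},
    }
    return ledger, audit(ledger, inventory)


if __name__ == "__main__":
    ledger, findings = demo()
    for dev, issue in findings:
        print(dev, issue)
```

Running `demo()` flags LT-002 twice: it was moved without ever being received, and it holds ePHI without a recorded encryption control. The hash chain only makes edits detectable; it does not stop someone with write access from appending a false event, which is why the record should also be backed up and reviewed independently of the people who maintain it.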
The OCR elaborated on some of the ways an organization can track the movement of devices and media but ultimately said that a corporation's own risk analysis and risk management processes should help it determine the right path for deploying device and media controls.
The guidance follows up advice from OCR in July (.PDF), when the office offered suggestions on disposing of electronic devices and media that could contain sensitive data like financial information or PHI.
According to OCR's data breach reporting tool, there have been roughly 50 healthcare breaches impacting 481,149 individuals this year that involved a desktop, laptop, or portable electronic device. It's not a surprise that a large chunk of those breaches were caused by what OCR refers to as "Unauthorized Access/Disclosure." According to Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR), 58 percent of the healthcare breaches it examined involved insiders, making healthcare the only industry Verizon looked at in which an organization's own employees are the biggest threat.
Having the ability to track, discover, monitor, and control sensitive healthcare data like PHI is an essential building block of any healthcare data protection program, not to mention an important step to satisfying HIPAA compliance.