ePHI Security

Although HHS has long stressed the importance of ePHI security, the steady influx of healthcare breaches makes clear that many organizations have not heeded the warning. With breaches rising across all industries, cybersecurity has become a focus of many government agencies, including HHS. Earlier this month HHS published its “Summer 2021 Cybersecurity Newsletter,” which further emphasizes information access management and access controls.

ePHI Security and Information Access Management

The HHS requires organizations to, “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”

The Information Access Management standard includes two implementation specifications that apply to healthcare providers (a third, isolating health care clearinghouse functions, applies only to clearinghouses):

Access Authorization: focuses on the policies for granting access to ePHI. The HHS states in their newsletter, “this may include how access to each information system containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the criteria for granting access. These policies typically govern the parameters for which individuals in particular workforce roles may be granted access to particular systems, applications, and data. Those parameters would reflect what information access is necessary for a workforce member to do their job.”

Access Establishment and Modification: focuses on the procedural aspects about how access is established, documented, reviewed, and modified. The HHS provides examples of situations that should be covered in these policies and procedures, such as increasing ePHI access levels for workers who are promoted, decreasing access levels for other workers, and emergency access procedures.


Establishing Access Controls

Establishing access controls is a requirement under the HIPAA Security Rule. The cybersecurity newsletter states, “The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate. Further, access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems – especially systems containing sensitive data.”

The Access Control standard has four implementation specifications for limiting ePHI access (the first two are required, the last two are addressable):

Unique User Identification: each workforce member must have a unique identifier (such as an individual username) for accessing ePHI, so that every action can be traced to one person. If several employees share the same login credentials and one of them accesses ePHI outside their job duties, it can be impossible to determine who was responsible. This should be of particular concern, as a recent Verizon study determined that 39% of healthcare breaches are attributable to insiders.

Emergency Access Procedure: ePHI must remain obtainable during an emergency, when the normal means of access may be unavailable or limited. The HHS provides the following example, “due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telework policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures.”

Automatic Logoff: logs users out of systems after a period of inactivity, preventing unauthorized user access to ePHI. The HHS states, “Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.”

Encryption and Decryption: reduces the risk of unauthorized access to ePHI. HHS’s guidance on rendering PHI unusable points to the NIST Special Publication 800 series (for example, SP 800-111 for data at rest), and ePHI encrypted in that manner is “not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provides a means to leverage the Breach Notification Rule’s safe-harbor provision.”
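To make the first three specifications concrete, here is a small model of an ePHI access layer that enforces per-user identities, role-based authorization, automatic logoff after an idle period, and an audit log that attributes every read to one user. This is an added example written for this page; it is not code from HHS, the newsletter, or Compliancy Group. The role names, record types, user IDs, and the 15-minute idle timeout are assumptions chosen for illustration, and the clock is injectable so the timeout can be exercised without waiting. Encryption is not modelled here because the standard library has no AES implementation.

```python
"""Model of HIPAA Access Control specifications: unique user IDs, role-based
authorization, automatic logoff on inactivity, and an attributable audit log.
Added example for illustration; not the page's or HHS's own code."""
from dataclasses import dataclass
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed organizational policy value

# Assumed role-to-record mapping (role-based access control).
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "demographics"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class FakeClock:
    """Controllable clock so idle timeouts can be demonstrated instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class EphiAccessControl:
    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions = {}  # user_id -> Session (one session per unique user)
        self.audit_log = []  # every event names exactly one user_id

    def _audit(self, user_id, action, record, outcome):
        self.audit_log.append(
            {"ts": self._clock(), "user": user_id, "action": action,
             "record": record, "outcome": outcome}
        )

    def login(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self._sessions[user_id] = Session(user_id, role, self._clock())
        self._audit(user_id, "login", None, "success")

    def read(self, user_id, record_type):
        """Return True if the read is allowed; log the outcome either way."""
        session = self._sessions.get(user_id)
        if session is None:
            self._audit(user_id, "read", record_type, "denied:no-session")
            return False
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            # Automatic logoff: the idle session is dropped before any data
            # is returned, and the logoff itself is recorded.
            del self._sessions[user_id]
            self._audit(user_id, "auto_logoff", None, "idle-timeout")
            self._audit(user_id, "read", record_type, "denied:logged-off")
            return False
        session.last_activity = now
        if record_type not in ROLE_PERMISSIONS[session.role]:
            self._audit(user_id, "read", record_type, "denied:role")
            return False
        self._audit(user_id, "read", record_type, "success")
        return True

    def who_accessed(self, record_type):
        """Users with a successful read of record_type, per the audit log.
        With shared credentials this can only ever name the shared account."""
        return {e["user"] for e in self.audit_log
                if e["action"] == "read" and e["record"] == record_type
                and e["outcome"] == "success"}


def run_demo():
    clock = FakeClock()
    ac = EphiAccessControl(clock=clock, idle_timeout=IDLE_TIMEOUT_SECONDS)
    ac.login("dr.alice", "physician")  # hypothetical users
    ac.login("bob.billing", "billing")
    ac.read("dr.alice", "lab_results")  # allowed by role
    ac.read("bob.billing", "lab_results")  # denied by role, still logged
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    ac.read("dr.alice", "lab_results")  # auto logoff fires, read denied
    return ac


if __name__ == "__main__":
    for event in run_demo().audit_log:
        print(event)
```

Every denied or timed-out access still produces an audit entry naming one user, which is what the newsletter's point about automatic logoff and attribution relies on: without per-user sessions and idle logoff, the late read would have succeeded and appeared to come from an authorized user.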
