Takeaways: The latest OCR resolution makes specific points on what OCR considers reasonable and appropriate technical safeguards of the Security Rule. If you aren’t up to date with all of your software, it does matter very much once malware finds you.
There are points in this latest OCR resolution that have been mentioned time and again. It is important to be reminded of them. But, there is more than just the normal details that have been coming out each time.
- ACMHS is a non-profit who has been fined $150,000 by OCR along with a 2 year Corrective Action Plan. According to their 2013 Annual Report they had $19.7 million in revenues with $19 million in expenses. That makes the fine over 20% of their profit. Of course, in a non-profit that money would have gone into further services for the community instead of dividends or owner equity.
- They failed to do a Risk Analysis. This is something I have discussed several times before. No matter how many times we can show people how important that requirement really is, many just ignore it and will apparently continue to do so until they end up in a resolution themselves.
The techie in me is happy to see specific points in a resolution about what OCR considered reasonable and appropriate technical safeguards in this case, though. Finally, something very specific to point to besides just a tech person’s opinion.The resolution agreement specifically states they had adopted “sample” policies and procedures in 2005 but never followed them. I know plenty of folks that did that in 2005 and still aren’t really following them no matter how many times we implore them to take action. Many people see the templates as a quick fix for their HIPAA requirements. Security policies and procedures actually have to be adapted to your environment to be effective.
The specific language “Vulnerability of Unpatched and Unsupported Software” in the bulletin should end the debate for believing that using Windows XP will be considered reasonable and appropriate by OCR. If the software you are using is no longer supported that means it does not receive updates when a problem is found. The END. I know, I know, many people will continue that debate but have much less ground to stand on when considering OCRs intention.
Effective patch management is considered reasonable and appropriate under this resolution language and most people aren’t aware of what that really means. It isn’t just turning on Windows auto-update. There are vulnerabilities found in many applications that are commonly used such as Adobe Acrobat. The idea that you will quarterly go around to all your PCs and make sure they are up to date is just not reasonable in this day and age. Even worse is to just leave your policy at simply run on auto-update.
A firewall that monitors inbound and outbound communications is what is mentioned as reasonable and appropriate protections. A real firewall is one that you pay a subscription to keep it up to date with software and analytics tools. It isn’t something you buy off the shelf in the nearest office supply store. At one point in time a small office could have gotten by without a business class firewall but those days are long gone.
The firewall also must be configured properly to monitor inbound and outbound traffic. That is not something that can just be done on the fly by someone who is “good with computers”. Professional IT services are needed. Configuring these devices is complex and technical. If someone in the office has a husband who “works in IT“ that comes by to take care of things, it won’t cut it. Lots of people work in IT but that doesn’t mean they understand security settings on a business class firewall. Plus, is the husband signing a BAA?
The points about the Security Rule requirements needing professional, HIPAA compliant technology support is what it really takes to meet many of those standards. Large organizations with an internal IT staff may even need help but handling it with no IT staff on contract isn’t reasonable and appropriate, in my opinion. Granted, there aren’t specific details about the type of IT support ACMHS had been using but my money is on it NOT being a professional, HIPAA compliant team.
No, I am not selling my technology support business. No, I don’t believe having professional IT support will solve all problems and prevent all breaches. I believe you should have A technology support contract with a HIPAA compliant, reliable technology company because problems will be fewer with a lower likelihood of breaches. Running a HIPAA business without proper technology management is like running a multi-million dollar company without any accounting professionals on staff or under contract. Don’t worry though, the CEO is “good with numbers”.