Highlights from the 2018 HIPAA Security Conference: Audit Processes, Cyberattacks and Ransomware Responses, and Breach Posting

by ih-coc admin

by Jay Hodes, President - Colington Consulting

At the HIPAA Security Conference in DC, held on October 18 & 19, 2018, one of the most valued speakers, Serena Mosley-Day, Acting Senior Advisor Compliance and Enforcement, HHS Office for Civil Rights, presented updates on Audit Processes, Cyberattack and Ransomware Policies, and Breach Posting. Her presentation provided some of the latest statistics on breach causes and types.

Mosley-Day opened with reports on the OCR Audit Program's processing time, stating that desk audits of both Covered Entity (CE) and Business Associate (BA) cases through September 2017 have been completed, and that website updates with summary findings will be published in 2018.

166 Covered Entities were audited, along with 41 Business Associates. The CE focus included risk analysis and risk management; the content and timeliness of notifications, per the Breach Notification Rule; Privacy Rule requirements for the Notice of Privacy Practices; and the individual's right of access. The BA focus covered risk analysis and risk management, as well as timely reporting to CEs, per the Breach Notification Rule.

Mosley-Day also provided a detailed guide to the auditee protocol, including the questions asked during a desk audit, the related document request list, and the applicable auditee FAQs, all of which can be found on the HHS website.

Based on my extensive experience in regulatory compliance, I cannot overstate the usefulness of this auditee protocol guide, as it removes the element of uncertainty and fear from the process, especially for an organization experiencing its first audit of this type. Voluntary and timely self-disclosure is a positive hallmark of any CE or BA compliance program. 

The 2017 WannaCry ransomware attack caused HHS to remind CEs and BAs that adherence to the OCR Ransomware Guidance Protocol is "part of strong cyber hygiene" (Mosley-Day, 2018). Adherence matters all the more because OCR always presumes a breach in the case of a ransomware attack, leaving the onus on the organization to demonstrate that a breach *did not* take place. Doing so requires a fully documented, in-depth risk assessment, which must be triggered once the initial response and reporting to federal entities is completed.

One of the most sobering parts of her presentation was a look at the most recent numbers. The one that really stood out to me was that, as of April 2018, 262,262,738 individuals have been affected by a HIPAA breach. That is an astonishing and alarming number.

Hacking and/or IT incidents now make up 41% of breach types. Loss and theft of devices has declined and now stands at 16%, compared with 24% over the previous three years. One figure that remains unchanged is unauthorized access or disclosure, which still accounts for 41% of breach types.

It is now well-established industry knowledge that HIPAA security and privacy violations, and the fines associated with them, are increasing. OCR Director Roger Severino, who provided opening remarks at the conference, stated that HIPAA enforcement actions from January 1, 2017 through October 15, 2018 resulted in $45,360,383 in settlements or imposed penalties.

As Serena Mosley-Day concluded her presentation, she pointed out the non-compliance issues OCR is still seeing. These included business associate agreements not being in place; not conducting a risk analysis; failure to manage identified risks; lack of transmission security; unpatched software; insider threats; improper disposal of PHI and ePHI; and insufficient data backup and contingency planning.

As a HIPAA compliance consultant, I always recommend that clients review the most commonly recurring compliance issues when setting up and managing their risk management and risk assessment programs, as Mosley-Day confirmed.

The Risk Management provision of the Security Rule requires organizations to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. To that end, and given that ransomware attacks and cybersecurity threats are on the rise, it is often not a question of whether a breach or violation will take place, but when. Suffice it to say, a regular review of your organization's risk response, coupled with ongoing training and updates, is what your organization, whether a CE or a BA, needs to have in place. Do not be the next enforcement case example OCR uses to make a point, as it did with Anthem and the ABC network.