This is the third post in our series on HIPAA. Make sure you read part 1 and part 2 first. In this post we cover more technical topics, such as patches, unique logins and why you might need a server.
Legal Stuff Our Lawyer Makes Us Say
Please understand that we are not lawyers, nor are we offering legal advice. Take nothing we say in these blog posts as legal advice. If you have any questions about lawyerly-type things, we strongly recommend you ask your lawyer. If you don’t have a lawyer, we’re more than happy to point you in the direction of one that can help.
Not Everyone Needs Access to Everything
In small businesses, we often find that everyone in the business has access to everything in the business, if it is all stored on a central server. This is actually not a good idea for a variety of reasons. One of the reasons you would want to restrict access is to help limit the spread of things like ransomware, which will encrypt everything that it can find. Another reason is to limit the damage that a malicious employee can do by limiting the data to which they have access. It is a best practice, and HIPAA requirement, to only grant people access to what they need in order to do their job, and very few people need access to everything in a company.Now in a sufficiently small practice it is actually likely that everyone that deals with patients will need access to all the ePHI, and that is ok as long as you can justify it. However, if you have someone that doesn’t need access to ePHI they should not have it. Basically, you need to determine who needs access to what in order to do their jobs, and then only grant them that access. In a larger company, this assignment might be by department or role as you might have more than one person per job type.Not only do you need to lock down access, you need to have procedures in place to determine who can authorize a change to permissions. This doesn’t have to be anything elaborate, but someone has to have the authority to authorize any change. You should also, of course, have policies about documenting these changes.Lastly you need to have procedures on what to do for employee termination. You have to be able to ensure the now former employee no longer has access to your systems. Once again, this is something we recommend you have in place, even if you don’t have to deal with HIPAA, as it makes your life a lot easier when employees do separate from the company.
Protecting Yourself Against Malicious Software
Malicious software, aka Malware, is everywhere these days. It comes in all sort of shapes, sizes and purposes. Malware is something we cover quite often on our blog because it is ever changing and never ending. It is also something to be taken seriously regardless of what kind of business you are in. Exactly what you should be doing to protect yourself from malware is one area where (our favorite word) “reasonable” definitely comes in to play because it is possible to spend huge sums of money on this, and it may make sense to—if you are someone like Blue Cross/Blue Shield. For a small practice, your “reasonable” is going to be something different. Regardless of your size though, the following items should be considered the bare minimum.
Be Running a Supported Operating System and Supported Programs
Operating systems and programs get out of date and stop being supported by their vendors. Before this happens, you need to plan on updating or replacing your systems with newer ones in order to maintain compliance. This means that any Windows XP machines you still have hanging around have to go! You’ll also want to start planning on your replacement and migration for Windows 7 and Windows Server 2008 as they are currently set to reach their end-of-life on January 14, 2020. That may seem far away but you need to have your upgrade and replacement cycle FINISHED by then, not started.Also remember that you need to make sure the programs you are using are still being supported by their vendors so you can get those all-important security updates.
Keeping Your Operating Systems and Programs Up to Date
The reason you need to be running supported programs and operating systems is because you have to keep them updated, or patched. Patching is something we’ve discussed before on our blog and spend a lot of time talking about in person. Now you don’t, necessarily, have to have every patch updated to your system as soon as it comes out, but you do have to update your systems regularly. If you aren’t updating your systems they are vulnerable.
Active Anti-Virus(AV)
We’ve already written a nice little blog post on AV, so we aren’t going to spend a lot of time on it here. You just need to make sure that every computer is running one, and only one, high quality (i.e. NOT free) anti-virus program. This includes Macs as well as PCs. Phones and tablets are a little trickier as there are fewer anti-virus options available for them than there are for computers and the anti-virus functions differently.
Secure Your Mobile Devices
Mobile devices are something that every business should be concerned about. They are portable, can contain a lot of information, have a tendency to disappear, and are still relatively new to this arena. If you are using mobile devices on your network at all, you need to take some precautions. First, you should make sure that none of the devices are jail-broken as this opens them up to more infection vectors. Additionally, you may want to consider some sort of mobile device management and tracking so that you can locate them and hopefully wipe them in the event of loss or theft. Last, we would strongly recommend against letting people use their own devices for access to any system that contains ePHI and mandate the use of only company owned devices.
Firewalls
Every business needs a hardware firewall. Luckily for you (sarcasm), your internet service provider (ISP) is more than happy to provide you with one. Now, they may not change the default passwords, or it may be riddled with security flaws and backdoors, but hey, it’s cheap or free, and surely that is good enough, right (sarcasm again)? Something else to consider is that, if you are in HIPAA land, you very well might need to sign a business associate agreement (BAA) with any company that has access to your firewall, since that gives them access to your network as well. I’m not aware of an ISP that will sign a BAA. So, you need to have a firewall that is NOT provided by your ISP, and we strongly recommend a next-generation model.While there is no requirement in HIPAA stating that you have to have a next-gen device, the price points on these devices are not very high these days. If you don’t have one and are breached or audited, it is quite possible you will have to try and defend this lack of what might easily be called a “reasonable” precaution.
Wireless and Network Security
You need to ensure that no unauthorized entity, or person, has access to your internal network where you ePHI resides. This means that any patient, guest, drug rep, etc. must use a guest network, regardless of how they are connecting (wireless or wired). It also means any phone or tablet that is not owned by the business, and does not need access to ePHI, should also be on a separate network, either the guest or a separate “employee guest” network. This kind of set up can be accomplished with separate physical networking equipment, or through a virtual separation inside more advanced networking equipment.For larger offices, you might even need to split your internal network out such that one network has access to ePHI and one doesn’t. Both networks would still be internal and separated from guests as well.Every device on your network is a potential security hole and a potential threat vector, so you want to reduce the number of devices as much as possible.If you implement a wireless solution for your office it needs safeguards, such as appropriate encryption. There are more advanced connection and authentication methods available that you might want to consider as well. Some of these methods rely upon virtual private networks (VPN) or server authentication.
Unique User Access and Passwords
Every user needs to have a uniquely identifiable login to any system that contains ePHI. There also needs to be a way to ensure that the person using the system is who they say they are. This is so that events can be tied back to a specific person, for auditing purposes. The easiest way to accomplish this task is with usernames and passwords. Since we have to be able to tie back logins to actions, this means that you CAN NOT share logins with each other or have group or generic logins for any system that has access to ePHI. If you are used to having shared logins then yes, this will likely “slow you down,” but unfortunately that is life these days and the regulations are VERY clear on this point.If you are constantly switching computers then there are some things you can look into that might help. You could consider biometric (typically fingerprint) access or RFID access cards. It might also be easier to invest in some tablets to take around with you so you just use a single device all day. Exactly how you implement this would depend on your set up and requirements from your software vendors.You also have to have policies and procedures in place to help safeguard your passwords. This needs to be things like the aforementioned, “don’t share them,” as well as don’t write them down (especially not on a sticky note on your computer monitor or on the bottom of your keyboard). You also need to make sure that the passwords are strong, so 8+ characters that contain letters, numbers and symbols. If you want to have a fun read on the math behind secure passwords we have a post about that too. Finally, you need to have policies for how often passwords should be changed. You will still hear a lot of people saying every 60-90 days, but the thinking is finally catching up to common sense, which is more like once a year, or even just when needed. Regardless of what you choose, make sure your reasoning is documented with the policies!
Unique Log-In Caveat
There are practices out there that have an automated check-in system, where a patient will come in and punch in their patient number to an unmanned terminal, which will then notify whomever that they are there. No patient information is ever visible to anyone on this kind of system. For a system such as this, you would need to ensure it is locked down and locked out of EVERYTHING else except the check-in function. Then you could consider having either no login or a generic login, for JUST this machine. Everything about this configuration needs to be documented, including the steps you took to secure access from the device, as well as regular reviews to ensure it is still locked down appropriately.
Why You Need Servers and a Windows Domain
For the very smallest practices it is possible for you to meet the unique user access, passwords, and log requirements without having a central authentication system. This means that each computer contains the login information of anyone that needs to log on to it, and if that person needs to log in to two, or more computers, each computer has a completely separate identity for that person. So, if someone leaves, or you just need to change the password for someone, you have to do it on every single system they have access to.For an organization with ten users, or even fewer, local logins quickly become unwieldy and your likelihood of falling out of compliance goes up. A Windows Domain, or some other form of centralized authentication, is the solution to this problem. These allow you to log in with the same credentials to any computer connected to the system. If you need to change a password or revoke access you only have to do it in one place. You also only have one place to gather or review login logs and can set up polices to do things such as automatically lock an account if someone tries to log in incorrectly 5 times in a row.A Windows Domain will involve things like software licensing, server level backup and extra hardware, so there is definitely cost involved in the setup and maintenance. However, the extra benefits you gain from it should definitely be taken into account before a decision is made either way. Once again, this is something that would hinge upon what would be “reasonable” for a company of your size.
Conclusion
So, this wraps up part three. Part four will thrill you with information about business continuity and disaster recovery, encryption and data integrity!If you have questions or concerns, feel free to contact us. If you need help with your HIPAA compliance then we are more than happy to provide it.