HIPAA issues: A recurring nightmare for feds, industry stakeholders

Marla Hirsch

Last week's annual meeting on HIPAA and cybersecurity co-hosted by the Health and Human Services Department's Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) was chock full of information regarding the state of affairs for electronic health and other records.

For instance, a session on ransomware provided great insight from government experts who discussed the increasing sophistication of this type of malware and what to do to fend off such attacks. They recommended, among other things, that employees be trained to be suspicious of all emails, that providers have responsible backup plans for their data, that they limit access, that they use up-to-date antivirus software and that they prepare for the possibility of attack.

A session on medical devices also was informative. Panelists addressed the increased use of connected devices, the unique difficulties of protecting medical devices and the importance of knowing what devices are connected to one’s network.

An update from OCR Deputy Director for Health Information Privacy Deven McGraw likewise brought attendees up to speed regarding the HIPAA audits, which are underway. She explained that the audits are designed to be educational, to identify best practices and get OCR in front of HIPAA problems before they result in breaches. She also said to expect more guidance on patients' rights to access their records.

Meanwhile, a session on HIPAA enforcement presented by Iliana Peters recounted how investigations work, what HIPAA violations OCR is seeing frequently, that theft/loss account for the highest percentage of reported breaches and that the settlement agreements OCR is entering into are meant to be instructive to the industry.

Does anyone else see the recurring theme?

We’ve all been here before. A very quick look at my own past coverage found the same exact topics being covered at this and other conferences year after year, sometimes even by the same presenter

Yes, there was some new information this year, building on prior years. For instance, McGraw informed us that the long anticipated audits of business associates will begin this November.  We learned that the most cutting edge ransomware is being hidden in “malvertizing.” OCR has resolved more alleged HIPAA violations in 2016 than in prior years, and for the largest amounts ever recorded.

But why is it that every year the same issues are being addressed? Here are a few reasons:

  • Business associate agreements are still missing or out of date
  • Risk analyses are still incomplete
  • Networks are still unpatched
  • Data is still unencrypted and being disposed of improperly

Why is the industry unable to get past this? Why are the same mistakes being made, the same problems befalling providers? It’s like they’re not reading the memo.

I’m not always in agreement with the government, but I can just imagine the frustration here. The presenters are compelled to cover the same ground, time after time. It’s like a teacher having to repeat the lesson over and over. Agency staffers must be hitting their heads against a wall.

It can’t possibly be because so many conference attendees are newbies to HIPAA and cybersecurity.

One of the speakers, referring to cyberthieves, said that it was a “cat-and-mouse” game between the hackers and those trying to keep up with the latest malware.

But there shouldn’t be a cat-and-mouse game between the government and entities that continue to stymie government efforts to bring them in line--which is to say, to do a better job of protecting our data--by imparting knowledge, using enforcement actions as messages and the like.

The government only has so many tools in its arsenal, and we’re making it shoot, time and again, at the same targets. It would be so much better for them to be able to devote their limited resources to newer problems. - Marla (@MarlaHirsch and @FierceHealthIT)