Regulator Offers Asset Management, Mobile App AdviceOCR Provides Guidance as Well as Enhanced Portal
Federal regulators are reminding healthcare organizations about the importance of accurate and timely IT asset inventory management to help reduce breach risk. In addition, regulators have beefed up a HIPAA guidance portal for mobile app developers.
The new asset management guidance from the Department of Health and Human Service' Office for Civil Rights comes as the risks to connected devices grow. And the agency's enhanced portal for mobile app developers comes as the federal government pushes for the use of standards-based application programming interfaces to allow patients to access their electronic health records using smartphones and other mobile devices (see HHS Releases Final Data Sharing Rules).
In a cybersecurity newsletter, OCR notes that its HIPAA breach investigations "frequently find that organizations lack sufficient understanding of where all of the electronic health information is located."
Although the HIPAA Security Rule does not require it, creating and maintaining an up-to-date, information technology asset inventory serves is an important step toward enhancing security, OCR notes.
A complete and timely IT asset inventory can also assist "in the development of a comprehensive, enterprisewide risk analysis to help organizations understand all of the places that ePHI may be stored within their environment and improve their HIPAA compliance," OCR writes.
While creating and maintaining an IT asset inventory can aid in identifying risks to ePHI, it's also important to track IT assets that may not store or process ePHI, OCR stresses.
"Assets within an organization that do not directly store or process ePHI may still present a method for intrusion into the IT system that could lead to risks to the confidentiality, integrity and availability of an organization's ePHI," OCR writes.
"For example, consider an internet of things or a smart, connected device that provides access to facilities for maintenance personnel for control and monitoring of an organization's heating, ventilation and air conditioning. ... Although it does not store or process ePHI, such a device can present serious risks to sensitive patient data in an organization's network."
Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation or other techniques to deny or impede an intruder's lateral movement, can provide an intruder with a foothold into an organization's IT network, OCR notes. "The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization's network and potentially compromise ePHI."
Real-world examples of IoT devices used for malicious activities include "incidents reported by Microsoft in which malicious actors were able to compromise a VOIP phone, printer and video decoder to gain access to corporate networks," OCR points out.
"The hackers were able to exploit unchanged default passwords and unpatched security vulnerabilities to compromise these devices. Once inside the network, the hackers were able to conduct reconnaissance and access other devices on the corporate network in search of additional privileges and high-value data."
In a 2016 breach affecting more than 3 million individuals that did not involve systems containing ePHI, hackers compromised payment card processing systems at some Banner Health food and beverage outlets.
Mobile App Portal
"Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected," OCR notes on the updated portal site.
Among materials contained in the portal are frequently asked questions about how the HIPAA rules apply to apps and application programming interfaces.
The enhanced portal also includes previous OCR guidance on what federal laws and regulations might apply to app developers.
Concerns About Emerging Risks
The privacy and security of mobile health apps and APIs is becoming a hot topic in the healthcare sector. HHS' Office of the National Coordinator for Health IT in March issued a final rule - as called for under the 21st Century Cures Act - setting requirements for certified health IT developers to establish a secure, standards-based API for use by providers and to support a patient's access to core data in their electronic health record.
Some privacy and security experts note that giving patients easier access to their electronic health information through smartphones and other mobile applications creates potential risks.
"The push to openly provide access via these applications to healthcare records is a bit concerning from a security perspective," says Jarrett Kolthoff, CEO of SpearTip, a cyber counterintelligence firm.