
IT and Copier Talk Your Business Can Rely On

Assessing Network Risk for a HIPAA-covered Entity

Posted by Monique Phalen | Nov 6, 2017 10:32:27 AM

Every company is concerned with network and data security.

If your business needs to comply with HIPAA (Health Insurance Portability and Accountability Act) you have an additional level of concern – you must meet strict compliance requirements for protected health information.

Many companies have no idea how exposed they are to risk. That's why the first step in our IT managed services engagements is to assess the risk exposure of our clients.

We have to know where your network stands so that we can make the right recommendations based on what your business needs.

Because many potential customers kept asking us, “OK, what's that?”, I wrote “What Is a Network Risk Assessment?” last year. 

Recently, we've spoken to many companies in the healthcare industry, all HIPAA-covered entities.

How important is a risk assessment to HIPAA-covered entities?

A risk assessment is mandatory, not optional. The HIPAA Security Rule's risk analysis specification (45 CFR 164.308(a)(1)(ii)(A)) requires you to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” held by the covered entity.

What does a HIPAA risk analysis look like?

Here is what the findings section of one of our HIPAA risk analysis reports looks like. Each finding is scored from 0 to 100, with a higher score meaning higher risk, and each cites the HIPAA Security Rule provision it maps to.

As you can see, it's a thorough process, though far cheaper than paying a penalty for non-compliance, or for a data breach, because you never found out how exposed you were.

Unsupported Operating Systems (97 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: 2 computers were found using an operating system that is no longer supported. Unsupported operating systems no longer receive vital security patches and present an inherent risk.

Recommendation: Upgrade or replace computers with operating systems that are no longer supported.

Terminated vendor account enabled (96 pts)

  • 164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).

Issue: One or more accounts are still enabled for terminated vendors. This poses a risk of unauthorized access.

Recommendation: Disable accounts for all terminated vendors.

Terminated employee account enabled (96 pts)

  • 164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).

Issue: One or more accounts are still enabled for terminated employees. This poses a risk of unauthorized access.

Recommendation: Disable accounts for all terminated employees.

Company WiFi open or using insecure security (e.g., WEP) (94 pts)

  • 164.308(a)(4): Implement policies and procedures for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism.

Issue: Open or insecure WiFi protocols may allow an attacker access to the company’s network and resources.

Recommendation: Enable WiFi security and use a stronger protocol such as WPA2 with AES (CCMP). WEP is trivially cracked and TKIP is deprecated; treat a network using either as if it were open.

Anti-spyware not installed (94 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Malware protection is required but not identified as being installed on computers in the network.

Recommendation: Install a commercial grade anti-spyware program on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report.

Automatic screen lock not turned on. (94 pts)

  • 164.312(a)(1) Access Control - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Issue: Automatic screen lock prevents unauthorized access when users step away from their computers. Without it, anyone who walks up to an unattended, logged-in workstation has that user's access to network resources.

Recommendation: Enable automatic screen lock on the following computers: BO-SANDBOX, CONFERENCE_ROOM, DC03, DEVKASEYA, DEVTFS, DEV_2012-CORE, Ehammond-WIN7, FILE2012-1, HV01, HV02, HV03, jacob-WIN8, KjacobsASUSPC, MARKETING-1, Mmayhemon-HP, Mwest-WIN864, PITmarcus-PC, Psimpson-PC, Psimpson-WIN764, REX, SQL2012-01, Thayden-DT
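
The screen-lock finding above is easy to verify at scale. The following is an added example, not code from the original post or from the assessment tool: it checks the machine inactivity limit that forces the lock screen on Windows 8 / Server 2012 and later, flags computers where it is unset or too long, and shows the remediation. The computer list, the 15-minute limit, and the registry path used for local policy are assumptions made for the example.

```powershell
# Added example (not from the original post): check, and optionally set, the machine
# inactivity limit that forces the lock screen, across the computers the report lists.
# Assumptions: WinRM enabled; $Computers is a constructed subset of the report's list;
# $MaxIdleSeconds is a policy choice (15 minutes here). In a domain, set this through Group
# Policy (Security Options > "Interactive logon: Machine inactivity limit") and use this
# script to verify the value actually landed on each machine.
$Computers      = @('MARKETING-1', 'CONFERENCE_ROOM', 'Psimpson-PC')
$MaxIdleSeconds = 900
$Key            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$state = Invoke-Command -ComputerName $Computers -ErrorVariable unreachable -ErrorAction SilentlyContinue -ScriptBlock {
    # Value is in seconds; absent or 0 means no machine-level lock is enforced.
    $v = (Get-ItemProperty -Path $using:Key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; InactivityTimeoutSecs = $v }
}

# Finding: no limit at all, or a limit longer than policy allows.
$noLock = $state | Where-Object { -not $_.InactivityTimeoutSecs -or $_.InactivityTimeoutSecs -gt $MaxIdleSeconds }
$noLock | Format-Table -AutoSize

# Hosts that could not be queried are a finding too; do not let them drop out of the report.
$unreachable | ForEach-Object { "Could not query $($_.TargetObject): $($_.Exception.Message)" }

# Remediation (local policy; a GPO overrides this on domain members). Uncomment to apply.
# Invoke-Command -ComputerName $noLock.Computer -ScriptBlock {
#     New-Item -Path $using:Key -Force | Out-Null
#     Set-ItemProperty -Path $using:Key -Name InactivityTimeoutSecs -Value $using:MaxIdleSeconds -Type DWord
# }
```

On Windows 7 hosts (several appear in the list above) the machine inactivity limit does not exist; there the equivalent control is the per-user screen saver policy (enable screen saver, password protect the screen saver, and the timeout) under User Configuration, which lands in HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop as ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut.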

Anti-virus not installed (94 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Malware protection is required but not identified as being installed on computers in the network.

Recommendation: Install a commercial grade anti-virus program on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report.

Potential free hosted Web-based email solution in use (93 pts)

  • 164.308(b)(1): Business Associate Contracts and Other Arrangements - Covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate in §160.103. The covered entity must obtain satisfactory assurance from the business associate that it will appropriately safeguard the information in accordance with §164.314(a)(1) standards.

Issue: Free hosted web-based email may carry ePHI outside the company through a provider with which you have no signed Business Associate Agreement (BAA).

Recommendation: Determine whether the free hosted email service is actually needed, and discontinue its use (or move to a service whose provider will sign a BAA).

Anti-spyware not turned on (92 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Malware protection is required but not identified as being enabled on computers in the network.

Recommendation: Enable anti-spyware program on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report.

Anti-virus not turned on (92 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Malware protection is required but not identified as being enabled on computers in the network.

Recommendation: Enable anti-virus program on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report.

Anti-spyware not up to date (90 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Out-of-date definitions may not properly protect a computer from attacks by malicious software.

Recommendation: Ensure anti-spyware programs on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report are up-to-date.
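
The five endpoint findings above (anti-virus and anti-spyware not installed, not turned on, not up to date) can be checked directly rather than inferred from an agent inventory. The following is an added example, not code from the original post or the assessment tool: it queries Microsoft Defender's status on each computer and maps the result onto the report's three conditions. It assumes Defender is the engine in use, that PowerShell remoting is enabled, and uses a constructed computer list and a 3-day definition-age tolerance in place of the report's Endpoint Security list.

```powershell
# Added example (not from the original post): query the malware-protection state of each
# endpoint and map it onto the conditions the report scores separately.
# Assumptions: Microsoft Defender is the AV/anti-spyware engine, WinRM is enabled,
# and $Computers stands in for the report's Endpoint Security list.
$Computers           = @('MARKETING-1', 'FILE2012-1', 'PITmarcus-PC')   # constructed sample list
$MaxSignatureAgeDays = 3                                                # assumption: tolerate definitions up to 3 days old

$status = foreach ($name in $Computers) {
    try {
        Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            $s = Get-MpComputerStatus
            [pscustomobject]@{
                Computer           = $env:COMPUTERNAME
                Reachable          = $true
                EngineRunning      = $s.AMServiceEnabled
                AntivirusEnabled   = $s.AntivirusEnabled
                AntispywareEnabled = $s.AntispywareEnabled
                RealTimeProtection = $s.RealTimeProtectionEnabled
                SignatureAgeDays   = $s.AntivirusSignatureAge
                LastQuickScan      = $s.QuickScanEndTime
            }
        }
    } catch {
        # An unreachable host, or one without the Defender module, is itself a finding; keep it.
        [pscustomobject]@{
            Computer = $name; Reachable = $false; EngineRunning = $null; AntivirusEnabled = $null
            AntispywareEnabled = $null; RealTimeProtection = $null; SignatureAgeDays = $null; LastQuickScan = $null
        }
    }
}

# Translate raw status into the report's findings, most severe condition first.
$findings = foreach ($s in $status) {
    $issue = if (-not $s.Reachable)                 { 'Could not query (verify manually)' }
             elseif (-not $s.EngineRunning)         { 'Anti-malware not installed or service stopped' }
             elseif (-not $s.AntivirusEnabled -or -not $s.RealTimeProtection) { 'Anti-virus not turned on' }
             elseif (-not $s.AntispywareEnabled)    { 'Anti-spyware not turned on' }
             elseif ($s.SignatureAgeDays -gt $MaxSignatureAgeDays) { "Definitions $($s.SignatureAgeDays) days old" }
             else                                   { 'OK' }
    [pscustomobject]@{ Computer = $s.Computer; Finding = $issue; LastQuickScan = $s.LastQuickScan }
}
$findings | Format-Table -AutoSize
```

Get-MpComputerStatus only knows about Defender. If a third-party product is installed, workstation editions register it in the root/SecurityCenter2 namespace (class AntiVirusProduct), which Get-CimInstance can read; servers have no Security Center, so there you query the vendor's own agent.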

LOTS of Security patches missing on computers with ePHI (90 pts)

  • 164.308(a)(5)(ii)(B): Security Awareness and Training - Procedures for guarding against, detecting, and reporting malicious software.

Issue: Security patches are missing on computers designated as having ePHI. Maintaining current security patch levels is required to prevent unauthorized access and the spread of malicious software. “Lots” is defined here as 3 or more missing patches, which may indicate a problem with the patching system itself.

Recommendation: Address patching on computers with missing security patches.
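
Two of the findings in this report, unsupported operating systems (97 pts) and missing security patches on ePHI computers (90 pts), come from the same inventory work. The following is an added example, not code from the original post or the assessment tool: it pulls the operating-system inventory from Active Directory and flags end-of-life versions, then counts missing security updates on each ePHI host through the Windows Update Agent API. The end-of-life list, the host list and the ActiveDirectory module are assumptions; only a search is performed, nothing is installed.

```powershell
# Added example (not from the original post): the two checks behind the "unsupported operating
# system" and "security patches missing" findings.
# Assumptions: the ActiveDirectory module is available, WinRM is enabled on the target hosts,
# and $EPhiHosts stands in for the report's list of computers designated as holding ePHI.
Import-Module ActiveDirectory

# 1. Operating-system inventory from AD. The EOL list is correct for the date of this post;
#    extend it as further versions reach end of support.
$EndOfLife = @('Windows XP', 'Windows Vista', 'Windows Server 2003')
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate
$unsupported = $computers | Where-Object {
    $os = $_.OperatingSystem
    $EndOfLife | Where-Object { $os -like "$_*" }
}
$unsupported | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate | Format-Table -AutoSize

# 2. Missing-update count, evaluated on each ePHI host through the Windows Update Agent API.
#    Only a search is performed; nothing is installed. Updates carrying an MSRC severity are
#    security updates, which is what the report's "3 or more" threshold is about.
$EPhiHosts        = @('FILE2012-1', 'SQL2012-01')   # constructed list
$MissingThreshold = 3                               # the report's definition of "lots"

$patchState = Invoke-Command -ComputerName $EPhiHosts -ScriptBlock {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $security = @($result.Updates | Where-Object { $_.MsrcSeverity })
    $lastFix  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        MissingSecurity = $security.Count
        MissingTotal    = $result.Updates.Count
        LastHotfixOn    = $lastFix.InstalledOn
        Titles          = ($security | ForEach-Object { $_.Title }) -join '; '
    }
}
$patchState | Where-Object { $_.MissingSecurity -ge $MissingThreshold } |
    Select-Object Computer, MissingSecurity, MissingTotal, LastHotfixOn | Format-Table -AutoSize
```

A host that reports many missing updates and a LastHotfixOn months in the past is the "issue with the patching system" case the report mentions: the updates are not being approved or the client is not checking in, and that is what to fix before chasing individual patches.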

Non-administrative generic logons have access to Network Share on system with ePHI (85 pts)

  • 164.308(a)(3) Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Issue: Generic accounts which could be in use by multiple people cannot be properly restricted and should not have access to network shares with ePHI.

Recommendation: Remove access to Network Shares on systems with ePHI.

User password set to never expire (80 pts)

  • 164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.

Issue: User accounts with passwords set to never expire present a risk of use by unauthorized users; their passwords are rarely changed and are often old, shared and unaudited. In practice these are usually service accounts. (Forced periodic rotation on its own is no longer recommended by NIST SP 800-63B; what matters is that every such account has a named owner, a long random password, and a review date.)

Recommendation: Investigate all accounts with passwords set to never expire and configure them to expire regularly.


Unrestricted network share with ePHI (80 pts)

  • 164.308(a)(4) Information Access Management - Implement policies and procedures for authorizing access to electronic protected health information.

Issue: Network shares containing ePHI were found as completely unrestricted (granting access to 'Everyone').

Recommendation: Investigate the network shares containing ePHI with unrestricted access. Limit access to the minimum necessary.
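
The two share findings above (generic logons with access to ePHI shares, and shares open to Everyone) are the same check from two angles: who can reach the share, at both the share and NTFS level. The following is an added example, not code from the original post or the assessment tool, to be run on the file server holding the ePHI shares. The set of "broad" principals, the naming pattern for generic accounts, and the group name in the remediation lines are assumptions made for the example.

```powershell
# Added example (not from the original post): on a file server, list non-administrative SMB
# shares that grant access to broad or generic principals at the share or NTFS level.
# Assumptions: run with local administrator rights on the server holding the ePHI shares
# (Windows Server 2012 or later for the SmbShare module); $Broad is the set of principals the
# report treats as "unrestricted", and $GenericPattern a naming convention for shared logons
# (both constructed for this example).
$Broad          = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$GenericPattern = '^[^\\]+\\(scan|shared|frontdesk|reception|nurse|kiosk)'

function Test-BroadPrincipal([string]$Name) {
    ($Broad -contains $Name) -or ($Name -like '*\Domain Users') -or ($Name -match $GenericPattern)
}

$report = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    # Share-level ACL
    $shareAces = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) }
    # NTFS ACL on the folder behind the share (effective access is the intersection of the two,
    # so a share left at Everyone/Change is still exposed if NTFS is also broad)
    $ntfsAces = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) }
    if ($shareAces -or $ntfsAces) {
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            ShareACL = ($shareAces | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join ', '
            NtfsACL  = ($ntfsAces  | ForEach-Object { "$($_.IdentityReference.Value)=$($_.FileSystemRights)" }) -join ', '
        }
    }
}
$report | Format-Table -AutoSize

# Remediation pattern for a share found open to Everyone: replace the broad grant with a
# purpose-built group, then tighten NTFS to match. Share and group names are assumptions.
# Revoke-SmbShareAccess -Name 'Records' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Records' -AccountName 'CONTOSO\ePHI-Records-RW' -AccessRight Change -Force
```

Deny entries are deliberately ignored here: a share that is "Everyone: Allow Full" with a handful of Deny ACEs is still an unrestricted share from an audit standpoint, and it is easier to reason about minimum necessary access when the only Allow entries are named groups.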

Workstations with ePHI not backed up (78 pts)

  • 164.308(a)(7)(ii)(A) - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. Contingency Plan §164.308(a)(7)(ii)(b) - Establish (and implement as needed) procedures to restore any loss of data.

Issue: Security Center reports that computers identified as having ePHI are not backed up.

Recommendation: Ensure that data is properly backed up on computers with ePHI. See the Endpoint Security section of the Evidence of HIPAA Compliance for a list of computers.

Passwords less than 6 characters allowed (75 pts)

  • 164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.

Issue: Passwords are not required to be 6 or more characters, so users can pick extremely short passwords that fall quickly to brute-force or password-spraying attacks.

Recommendation: Enforce a minimum password length. Six characters is the floor this report checks; NIST SP 800-63B calls for at least 8 for user-chosen passwords, and longer is better.

USB drives detected in use (unencrypted) (75 pts)

  • 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.

Issue: Lost or stolen devices and media are among the most common causes of reported breaches. Unencrypted USB drives in an environment with ePHI may allow data loss through theft.

Recommendation: Eliminate the use of unencrypted USB drives.

Inconsistent password policy / Exceptions to password policy (68 pts)

  • 164.308(a)(5)(ii)(D): Security Awareness and Training - Procedures for creating, changing, and safeguarding passwords.

Issue: Password policies are not consistently applied from one computer to the next. A consistent password policy ensures adherence to password best practices.

Recommendation: Eliminate inconsistencies and exceptions to the password policy.

USB drives detected in use (50 pts)

  • 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.

Issue: The use of USB drives increases the chance of data loss through theft and should be discouraged to the extent possible.

Recommendation: Reduce or eliminate the use of USB drives in the environment.

Audit user logon not turned on (30 pts)

  • 164.308(a)(1)(ii)(D): Security Management Process - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Issue: Logon auditing is required for proper identification of access to computers and resources. In the event of a breach, audit logs can be used to identify unauthorized access and the severity of the breach.

Recommendation: Enable logon auditing (success and failure).

User has not logged in for 90 days (not terminated) (25 pts)

  • 164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).

Issue: Inactive user accounts were found that could potentially indicate terminated employees or vendors.

Recommendation: Investigate all inactive accounts and disable accounts from terminated employees and vendors.

User has not logged in for 30 days (13 pts)

  • 164.308(a)(3)(ii)(C): Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).

Issue: An account that has not logged in for 30 days may belong to a former employee or vendor and should be investigated, then disabled or removed.

Recommendation: Disable or remove user accounts that have not logged in for 30 days, after confirming with HR or the vendor contact that the person has actually left rather than being on leave.
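
Several findings in this report come down to Active Directory account hygiene: terminated employee and vendor accounts still enabled, passwords set to never expire, accounts inactive for 90 or 30 days, and the minimum-length and consistency items under password policy. The following is an added example, not code from the original post or the assessment tool, that runs those checks from a domain-joined workstation with the ActiveDirectory module. The termination list, the vendor OU path, and the 8-character comparison are assumptions; the remediation lines run with -WhatIf so nothing changes until the list has been reviewed.

```powershell
# Added example (not from the original post): the account-lifecycle and password-policy
# checks behind several of the findings above, run against Active Directory.
# Assumptions: ActiveDirectory module; $Terminated is a constructed stand-in for the HR /
# vendor-management list of people whose access should have ended; vendor accounts live in
# their own OU (path is an assumption).
Import-Module ActiveDirectory
$Now = Get-Date

# 1. Terminated employees or vendors whose accounts are still enabled.
#    AD cannot tell you who was terminated; that list has to come from HR / vendor management.
$Terminated = @('jsmith', 'acme-support')   # constructed
$stillEnabled = foreach ($sam in $Terminated) {
    Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties LastLogonDate | Where-Object Enabled
}

# 2. Inactive but enabled accounts at the report's two thresholds (90 and 30 days).
#    LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag,
#    so treat these as candidates to investigate, not proof of disuse.
$inactive90 = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly | Where-Object Enabled
$inactive30 = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 30) -UsersOnly | Where-Object Enabled

# 3. Enabled accounts exempt from password expiry. Service accounts usually land here; each needs
#    a documented owner and a long random password, or better, a group Managed Service Account.
$neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate

# 4. Vendor accounts without an expiry date: give each a hard end date tied to the contract.
$vendorsNoExpiry = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Vendors,DC=corp,DC=example' `
    -Properties AccountExpirationDate | Where-Object { -not $_.AccountExpirationDate }

# 5. Password policy: the domain default plus any fine-grained policies that override it
#    (the "exceptions to password policy" finding).
$policy = Get-ADDefaultDomainPasswordPolicy
$fgpp   = Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
if ($policy.MinPasswordLength -lt 8) {
    "Domain minimum password length is $($policy.MinPasswordLength); NIST SP 800-63B calls for at least 8"
}
$fgpp | Where-Object { $_.MinPasswordLength -lt $policy.MinPasswordLength } | Format-Table -AutoSize

# Review output
$stillEnabled, $inactive90, $neverExpires, $vendorsNoExpiry |
    ForEach-Object { $_ } | Select-Object SamAccountName, Enabled, LastLogonDate | Format-Table -AutoSize

# Remediation, previewed with -WhatIf; drop it once the list has been reviewed with the business.
$stillEnabled    | Disable-ADAccount -WhatIf
$neverExpires    | Set-ADUser -PasswordNeverExpires $false -WhatIf
$vendorsNoExpiry | Set-ADAccountExpiration -DateTime $Now.AddDays(30) -WhatIf
```

Workstations that are not applying the domain policy (the "inconsistent password policy" case) will not show up in AD queries at all; for those, running `net accounts` through Invoke-Command on each computer shows the effective local values, and a mismatch against Get-ADDefaultDomainPasswordPolicy points at a Group Policy that is not reaching the machine.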

Computer with ePHI does not have object level auditing on (11 pts)

  • 164.312(b) Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Issue: Object-level auditing identifies which users accessed files and other system resources. Because it can impose an unacceptable performance impact and log volume, it should be scoped to high-risk computers or environments and to the folders that actually hold ePHI.

Recommendation: Evaluate the pros and cons of enabling object-level auditing on these computers, or ensure alternative methods for breach identification are in place.
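
The two audit findings above (logon auditing at 30 pts, object-level auditing at 11 pts) are configured together on Windows. The following is an added example, not code from the original post or the assessment tool: it enables logon auditing, enables the file-system object-access subcategory, attaches a SACL to one ePHI folder so that only that folder generates events (the scoping the report's performance caveat calls for), and then verifies that events are appearing. The folder path is an assumption; run it elevated on the server holding the data. In a domain these settings belong in a Group Policy object; auditpol applies the same subcategories locally and is also how you verify the effective state.

```powershell
# Added example (not from the original post): turn on logon auditing, and object-level
# auditing only on the ePHI folder, then confirm events are being written.
# Assumptions: run elevated on the server holding the data; $EPhiPath is a constructed path.
$EPhiPath = 'D:\Shares\PatientRecords'

# 1. Logon/Logoff auditing (events 4624 success, 4625 failure; 4740 lockout on the DC).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# 2. Object access is two parts: the policy subcategory and a SACL on the folder. Without the
#    SACL nothing is logged; with a SACL on too much, the Security log drowns. Audit writes and
#    deletes; add ReadData only where you must prove who viewed a record, and expect the volume.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $EPhiPath -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $EPhiPath -AclObject $acl

# 3. Verify: effective policy, the SACL, and recent events (4663 = object access attempt).
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
(Get-Acl -Path $EPhiPath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Auditing that stays on the local machine does not satisfy the "regularly review records" language in 164.308(a)(1)(ii)(D) on its own: forward the Security log to a collector (Windows Event Forwarding or a SIEM) so that the records survive the compromise of the host they describe and someone actually looks at them.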

If you think your business might be exposed by not having electronic protected health information protected well enough, consider contacting us for a HIPAA risk assessment. Think IT Managed Services will be a good fit for you? Click here for a free, no-obligation IT assessment.

Topics: Managed IT Services, compliance, IT Managed Services, Hipaa compliance, HIPAA risk assessment

Written by Monique Phalen

Mo is the resident IT go-to lady at AIS. She has traveled the world, run a marathon, is a self proclaimed crossword champion, and can do ventriloquism. She has an uncanny memory ....down to the detail. She has completed 4 half marathons and hates running. In her free time, she likes to spend time with her 7 siblings and 20 nieces and nephews.
