
The EHR Security Breach, Case Study Example

Case Study

The remote access security breach identified within the EHR system calls for important changes in the organization’s policy and security procedures.

HIPAA also requires that healthcare documents be protected when they are transferred between institutions and individuals. The Symantec evaluation guide (2012, p. 8) recommends the following remote intrusion prevention methods: antivirus, antispyware and firewall systems, intrusion prevention, and application control software.

Organizational Policy Statement 1

HIPAA security requirements are applied in the internal policies of the health care provider to maintain the integrity of Protected Health Information (PHI). The remote access policy of HIPAA states that a firewall preventing unauthorized access to the system should be in place and never disabled. In the above scenario, either the firewall system was not active when the remote accounts were created, or it was not effective enough.

The proposed policy statement is:

The <organization> will ensure that firewall, antivirus and antispyware systems are in place, constantly checked, updated and monitored to prevent unauthorized remote access. As

Related Standards Policy Statement 1

ISO 27001 recommends “using a risk based approach to determine the most effective information security controls for the organisation” (Panacea Infotech, n.d.).

Organizational Policy Statement 2

According to the Remote Access Policy of the HIPAA COW Group (2013), the security breaches could have been prevented by monitoring. According to the HITECH Act (Access Authorization [45 CFR §164.308(a)(4)(ii)(B-C)]), privileged access controls and restriction mechanisms related to remote access need to be in place. Further, the recommendation states that “all users granted remote access privileges must sign and comply with the “Information Access & Confidentiality Agreement” (refer to the HIPAA COW System Access Policy) kept on file with the Human Resources Department or other department”. This indicates that the creation of the account should have been supervised, documented and monitored by the relevant department.

The proposed policy statement is:

The organization constantly monitors and documents the creation, use and access log of remote users. Any accounts created without relevant authorization documents would be identified in a timely manner and investigated.

Related Standards Policy Statement 2

The goal of ISO 27001 is to “develop a strategic resolution to identify information security issues and concerns”. Further, ASTM E 1869 regulates standards for confidentiality, remote access and privileged user creation (HHS, n.d.). The Remote Access Policy also states that “remote access users are automatically disconnected from the <ORGANIZATION>’s network when there is no recognized activity for [insert organizational criteria, such as 15 minutes]”, which could also have prevented the breach.

Organizational Policy Statement 3

The organization should have constantly monitored remote access, rights and accounts. The fact that the logs are overwritten in two weeks’ time indicates that either this retention period should be extended or the monitoring of account access and creation should be more vigilant.

The proposed policy statement is:

The organization monitors access, account activities and uses an approved VPN connection that logs and encrypts data.

Related Standards Policy Statement 3

HIPAA’s Remote Access Policy (2013, p. 6) states that in order to monitor remote access the organization “maintains logs of all activities performed by remote access users while connected to <ORGANIZATION>’s network. System administrators review this documentation and/or use automated intrusion detection systems to detect suspicious activity. Accounts that have shown no activity for [insert organizational criteria, such as 30 days] will be disabled.”
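As an added illustration (not part of the case study or of the HIPAA COW policy itself), the Python script below applies the monitoring controls from policy statements 2 and 3 to a constructed remote-access log: it flags accounts created without a signed agreement on file, lists accounts with no activity for the 30-day window, and checks whether a two-week log retention period can support that window at all. The log line format, the HR register and all usernames are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample remote-access log (not from the case study); one event per line.
SAMPLE_LOG = """\
2013-03-01T08:02:11 ACCOUNT_CREATED user=jdoe by=admin1
2013-03-01T08:05:40 LOGIN user=jdoe src=vpn
2013-03-03T17:20:05 ACCOUNT_CREATED user=tmp_ehr by=admin2
2013-03-03T17:21:00 LOGIN user=tmp_ehr src=vpn
2013-03-29T09:00:00 LOGIN user=jdoe src=vpn
2013-04-10T11:15:00 LOGIN user=asmith src=vpn
"""
# Constructed HR register: users with a signed Information Access &
# Confidentiality Agreement on file (assumed format, not from the page).
AGREEMENTS_ON_FILE = {"jdoe", "asmith"}

INACTIVITY_DAYS = 30     # policy example: accounts idle for 30 days are disabled
LOG_RETENTION_DAYS = 14  # case study: logs are overwritten after two weeks

def parse_log(text):
    """Parse 'timestamp ACTION key=value ...' lines into (datetime, action, fields)."""
    events = []
    for line in text.splitlines():
        ts, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), action, kv))
    return events

def unauthorized_accounts(events):
    """Remote accounts created without a signed agreement on file (policy statement 2)."""
    return sorted(kv["user"] for _, action, kv in events
                  if action == "ACCOUNT_CREATED" and kv["user"] not in AGREEMENTS_ON_FILE)

def accounts_to_disable(events, now_iso):
    """Accounts whose last logged activity is older than INACTIVITY_DAYS (policy statement 3)."""
    last_seen = {}
    for ts, _, kv in events:
        last_seen[kv["user"]] = max(last_seen.get(kv["user"], ts), ts)
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=INACTIVITY_DAYS)
    return sorted(user for user, ts in last_seen.items() if ts < cutoff)

def retention_covers_inactivity_window(retention_days=LOG_RETENTION_DAYS):
    """A 30-day inactivity rule cannot be enforced from a 14-day log: an absent account may be idle 15 days or 45."""
    return retention_days >= INACTIVITY_DAYS

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("no agreement on file:", unauthorized_accounts(evts))
    print("disable for inactivity:", accounts_to_disable(evts, "2013-04-15"))
    print("retention sufficient:", retention_covers_inactivity_window())
```

Run against the sample data on 2013-04-15, the script reports tmp_ehr both as created without an agreement and as idle for more than 30 days, and reports that a 14-day retention period cannot support the 30-day rule.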

Conclusion

It is essential that the organization’s leadership does everything in its power to ensure that the integrity of patient records is maintained. In the age of technology, this security extends to internet and computer security, because many privacy breaches are related to the widespread use of electronic health records and their storage on computers. This makes it easier for unauthorized individuals to access a large quantity of health records and steal this information for illegal purposes. The organization needs to comply not only with ISO 27001 standards, but with other data security regulations as well, such as SOX, GLBA, HIPAA and PCI DSS.

References

HHS. (n.d.). Health information privacy. Retrieved from http://www.hhs.gov/ocr/privacy/

HIPAA COW Security Networking Group. (2013). Remote access policy. Retrieved from http://compliance.med.nyu.edu/hipaa-policies-and-forms

ISO. (2008). ISO 27799:2008 Health informatics — Information security management in health using ISO/IEC 27002. Retrieved from http://www.iso27001security.com/html/27799.html

Panacea Infotech. (n.d.). Data security and privacy. Retrieved from http://www.panaceainfosec.com/data-security-privacy.html

Symantec Corporation. (2012). Security and privacy for healthcare providers. Retrieved from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-security_and_privacy_for_healthcare_WP_20934020.en-us.pdf
