JEA Q1 2020
Cybersecurity for EA Professionals and Small EAPs
By Diana Wicker, MSW
You can learn about and implement cybersecurity even as a solo EA professional or if you work for a small EAP. The first step is to simply read. The US Federal government is diligently pushing to update regulations and create guidelines and frameworks that are easily accessible and understandable so everyone can comply.
A great place to start is https://www.itgovernanceusa.com/federal-cybersecurity-and-privacy-laws.
Step 2: Watch
Let’s say you’ve done the reading and some of it is still over your head. Look for videos to understand how these frameworks are intended to be used. Many government agencies are holding webinars and releasing how-to video tutorials.
A great place to start is:
* Privacy, Security & HIPAA: https://www.healthit.gov/topic/privacy-security-and-hipaa.
* Risk Management Framework: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
* Cybersecurity Framework: https://www.nist.gov/cyberframework
Step 3: Attend
Cybersecurity is hands on. Not everyone has experience updating settings on computers, smart phones, tablets and other electronic equipment. Many local technical schools, colleges and universities hold continuing education classes in computer skills.
Step 4. Do
Download and use SRA Tool 3.1. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool This is a free resource from the federal government to help you track:
* HIPAA Security Rule – These regulations were finalized in 2003 and applied to most covered entities in 2006. They apply to electronic protected health information (ePHI) – computer, tablet, smart phone, internet, cloud services, etc.
* HITECH Act – Rolled in with the American Recovery and Reinvestment Act of 2009, these regulations added on to HIPAA privacy and security regulations providing the Breach Notification Rule, Electronic Health Record regulations, and Accounting of Disclosures for TPO (treatment, payment, health care operations).
* NIST Cybersecurity Framework – First released in 2014, the current edition was updated in 2018 providing a self-assessment for businesses to assist in preventing, detecting, and responding to cyberattacks.
Step 5: Vendors
When in doubt, hire out. IT consulting firms abound. Seek one familiar with HIPAA, HITECH and the most up-to-date guidelines and frameworks. They will review your office setup and help ensure that everything is set up properly.
LinkedIn has a helpful resource for finding professionals by specialty: https://www.linkedin.com/profinder/information-security-consulting
Easy things you can do with the equipment you have:
1. Modem/Router – How the Internet Gets to You
* Update the name of the device to something unique.
* Change the device’s default password to something unique.
* Update the firmware on your wireless router to apply the latest security patches. (Firmware is preinstalled software on a device and controlled by the manufacturer. Security updates repair errors in the programming that are often at risk from hackers.)
* Turn off unnecessary ports and services (such as FTP servers) that are not routinely used. (FTP servers or online services are a way to quickly and easily transfer files from one place to another, such as loading documents for display on a website. FTP was not designed to be a secure service and can be open to attack. If you use one, be certain encryption and security protocols are in use.)
* Encryption on your router [WPA2-PSK (AES) or WPA3 (SAE)] are the safest standards. (Wi-Fi Protected Access security standard was released in 2003. Pre-Shared Key personal/home/small network authentication mode originated in 1997. Advanced Encryption Standard implemented in 2001. Simultaneous Authentication of Equals standard implemented in 2018.)
2. Machine – How You Do Your Work
* Encrypt your machines (i.e. computer, laptop, tablet, smart phone) with a password.
* Set a password or PIN for the operating system.
* Turn on anti-virus protection.
* Turn on security updates.
* Do not set programs, apps or websites to auto-fill passwords to login. Use a password keeper app instead.
3. Software – Where Your Data Lives
* Set a password or PIN on all software that might contain personal health information (PHI). (Think of PHI as information that lives in your wallet. If it is something you would carry in your wallet, it is probably PHI.) Here is the official regulated list of 18 PHI Identifiers: https://en.wikipedia.org/wiki/Protected_health_information)
* Encrypt your data at rest and in transmission. This means email, too.
* Know how your software interacts– Be mindful of integrated apps and what they can access. (For example, Microsoft Outlook has a button in the right corner of the ribbon “get add-ins.”) This tab opens the Microsoft Online store to show you apps that complement/work together with Outlook.
As convenient, and tempting, as it is to tie all programs you work with together to quickly and easily share information, be mindful of what programs may have PHI – such as an email message – and what programs might “butt heads” as it were. If another program can interact with PHI, you need a Business Associate Agreement (BAA) with the vendor.
4. The Cloud – 3rd Party Services and Vendors
This is software that lives on the internet that you log into – Get a BAA if it can access PHI. (BAAs are an original requirement of HIPAA since 2002.) The BAA is a written agreement defining the party’s responsibilities concerning PHI.
5. The Internet of Things – Smart Toys
Does it listen? Does it record? Does it respond? If so, it is NOT HIPAA compliant. Turn these devices OFF in your clinical areas! (This applies to any device in your home or office that connects to internet via Wi-Fi, Bluetooth, 3G, 4G, or other service. Examples of devices that apply: smart cars, thermostats, doorbells, locks, appliances, televisions, gaming systems, speakers, watches)
Oh, and heads up. Just in case you missed the announcement – The FAX machine is dead.
The Centers for Medicare & Medicaid have decreed that in 2020 the FAX can no longer be used for health care information. Businesses would be wise to follow the government’s lead. Look for a HIPAA compliant cloud fax/email service.
Diana Wicker is the Director of Compliance and Reporting for First Sun EAP, an employee assistance program based in South Carolina. She has 25 years of experience in social work and the EAP industry. Diana has a master’s degree in social work and started working with regulatory compliance in college, observing residential care inspections completed at a Department of Social Services emergency residential child care facility, Department of Disabilities Community Training Home, Department of Veteran’s Affairs Community Care Home, and a Joint Commissions Hospital Inspection.
Diana has written policy and procedure manuals for Hospital Social Work department, including the Quality Assurance program, based upon the Joint Commissions regulations. Diana maintains the compliance manuals and staff trainings for First Sun EAP, focusing on both federal and state requirements for confidentiality, privacy, security, and health care. Contact Diana at firstname.lastname@example.org
Editor’s note: Diana is filling in this quarter for EAPA Director of Communications Marina London. Marina will return in the 2nd quarter JEA.