Part 4 - Healthcare Security Pain Points: HIPAA & EPCS Compliance
In this blog series, we have focused on the pain healthcare organizations experience with security solutions: poor user experience, admin and help desk burden, and device visibility and BYOD. All of these have to be balanced against the regulatory compliance controls enforced by the Department of Health and Human Services' Office for Civil Rights (OCR) and the Drug Enforcement Administration (DEA).
In this post, we will focus on the pain points that are associated with the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule and the Drug Enforcement Administration (DEA) requirements around Electronic Prescriptions for Controlled Substances (EPCS).
If you are unfamiliar with it, the HIPAA Omnibus Rule combined the requirements of the HIPAA Privacy and Security Rules with the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unsurprisingly, many different elements are required to secure electronic protected health information (ePHI).
Feeling the Pain
Healthcare organizations moving into the digital world are replacing paper records and prescriptions. This improves productivity and record-keeping, but it also introduces new cybersecurity requirements that organizations must meet to comply with HIPAA and EPCS controls.
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Without proper controls in place, an organization can be fined if ePHI is lost, stolen, or accessed by unauthorized third parties, and any breach of unsecured PHI must be reported under the HITECH Breach Notification Rule.
The DEA's EPCS rule applies nationwide: any prescriber or pharmacy that electronically prescribes controlled substances must follow it, regardless of whether the state has legislation of its own. Only a handful of states have so far passed laws mandating EPCS, with more taking effect by 2020. The DEA rule requires identity proofing at Level of Assurance 3 (LOA3), meaning a high level of confidence in the prescriber's identity, and two-factor authentication in which any hard token used must be validated to Federal Information Processing Standard (FIPS) 140-2 Security Level 1.
The Privacy Rule limits uses and disclosures of PHI to the "minimum necessary." Under its administrative safeguards, the Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate for the user's or recipient's role.
Under the physical safeguards for workstation and device security, a covered entity must implement policies and procedures that specify the proper use of, and access to, workstations and electronic media. Risk analysis should be an ongoing process, and a covered entity should regularly review records of information system activity to track access to ePHI and detect security incidents.
Easing the Pain
Balancing regulatory compliance with minimal impact on clinician workflows goes beyond implementing multi-factor authentication (MFA) and can become a complex task at every level of a healthcare organization. Duo provides modern security for healthcare organizations, helping them defend patient data, streamline workflows, and ease some of the pain of the EPCS and HIPAA Omnibus Rule requirements by providing:
Multi-factor authentication as an additional layer of verification of user identities, ensuring that only authorized individuals can access systems containing ePHI, in support of the access authorization requirement in HIPAA Security Rule §164.308(a)(4)(ii)(B) and the person or entity authentication standard in §164.312(d).
A one-click authentication and remote identity-proofing solution that lets clinicians meet EPCS requirements easily. Drummond Group, LLC, a DEA-accredited auditor, has confirmed that Duo Push satisfies the EPCS two-factor authentication requirements, which state that the authenticator must be a cryptographic device or a one-time passcode device that meets Federal Information Processing Standard (FIPS) 140-2 Security Level 1.
Role-based policies that meet the access control requirements for electronic information systems maintaining ePHI by allowing only authorized individuals to reach applications containing patient information, as required by HIPAA Security Rule §164.312(a).
Trusted Endpoints, with which admins can verify that managed and unmanaged devices are encrypted and passcode-protected. This supports the assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI on those devices, as required by the risk analysis standard in HIPAA Security Rule §164.308(a)(1)(ii)(A). Being able to show that device-level encryption was in place when a device was lost or stolen is also what lets an organization treat the data as not compromised: under the HHS breach notification guidance, PHI encrypted in line with that guidance is "secured," so its loss is not a reportable breach, provided the decryption key was not lost along with it.
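As an added example (not Duo's code, and not how Trusted Endpoints is implemented), the following shows what a minimal device-encryption posture check looks like in practice: it parses the status output of the platform's own disk-encryption tool and fails closed on anything it cannot confirm. The sample outputs are constructed to resemble `fdesetup status` on macOS and `manage-bde -status C:` on Windows; the field names are assumed from those tools, and real output may contain additional lines.

```python
"""Device-encryption posture check (added example, not Duo code).

Parses the status output of the native disk-encryption tools and decides
whether a device counts as encrypted. Two traps a naive check misses:
  * macOS reports "FileVault is On." while the volume is still being
    encrypted; plaintext blocks remain on disk until that finishes.
  * Windows can be "Fully Encrypted" yet have protection suspended
    ("Protection Off"); the key is then stored in the clear on the disk.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EncryptionPosture:
    platform: str
    encrypted: bool
    evidence: str  # the status text that decided the verdict


def parse_fdesetup_status(output: str) -> EncryptionPosture:
    """macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
    (assumed format; a progress line is assumed to contain 'Encryption in progress')."""
    m = re.search(r"FileVault is (On|Off)\.", output)
    if not m:
        return EncryptionPosture("macos", False, "no FileVault status line")
    in_progress = "Encryption in progress" in output
    return EncryptionPosture("macos", m.group(1) == "On" and not in_progress, m.group(0))


def parse_manage_bde_status(output: str) -> EncryptionPosture:
    """Windows: `manage-bde -status <vol>` prints indented key/value lines.
    Both 'Conversion Status: Fully Encrypted' and 'Protection Status: Protection On'
    must hold (assumed field names)."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    conv = fields.get("Conversion Status", "")
    prot = fields.get("Protection Status", "")
    encrypted = conv == "Fully Encrypted" and prot == "Protection On"
    return EncryptionPosture("windows", encrypted, f"{conv}; {prot}")


PARSERS = {"macos": parse_fdesetup_status, "windows": parse_manage_bde_status}


def evaluate_device(platform: str, status_output: str) -> EncryptionPosture:
    """Dispatch to the platform parser; unknown platforms fail closed."""
    parser = PARSERS.get(platform)
    if parser is None:
        return EncryptionPosture(platform, False, "unsupported platform")
    return parser(status_output)


# Constructed sample outputs, modelled on the tools named above.
SAMPLE_MAC_ON = "FileVault is On.\n"
SAMPLE_MAC_OFF = "FileVault is Off.\n"
SAMPLE_MAC_PROGRESS = "FileVault is On.\nEncryption in progress: Percent completed = 42\n"
SAMPLE_WIN_OK = """Volume C: [OS]
[OS Volume]
    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_WIN_SUSPENDED = SAMPLE_WIN_OK.replace("Protection On", "Protection Off")

if __name__ == "__main__":
    for name, platform, out in [
        ("mac on", "macos", SAMPLE_MAC_ON),
        ("mac off", "macos", SAMPLE_MAC_OFF),
        ("mac in progress", "macos", SAMPLE_MAC_PROGRESS),
        ("win ok", "windows", SAMPLE_WIN_OK),
        ("win suspended", "windows", SAMPLE_WIN_SUSPENDED),
        ("unknown", "linux", ""),
    ]:
        p = evaluate_device(platform, out)
        print(f"{name:16} encrypted={p.encrypted!s:5} ({p.evidence})")
```

In a real agent the status text would come from running the tool (for example `subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout`), and the resulting posture would be recorded per device so that, if the device is later lost, there is a dated record that encryption was on and protection was not suspended.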
Learn more about Duo for Healthcare, and check out An Enterprise Healthcare CISO's Journey to Zero Trust to see how one of the largest healthcare systems in the nation deployed Duo Beyond.
Join us at HIMSS to learn more about Duo’s trusted security solutions that help companies maintain compliance with regulations while keeping patient care simple.