Covered Entities and Business Associates in Healthcare Shouldn’t Overlook “Human Error.”

One of the top priorities today in healthcare IT is safeguarding patients’ medical data—often called electronic protected health information, or ePHI.

That’s understandable, considering that cyber attacks are now the top cause of healthcare data breaches, and given that in 2015 alone cyber criminals were able to gain access to more than 112 million patient records.

But with a laser-like focus on protecting their networks against outside intrusion, healthcare IT organizations might be overlooking an equally significant risk to the ePHI under their protection: human error.

Moreover, this oversight can leave healthcare providers, health plans and other HIPAA-regulated “covered entities” at particular risk today — as HIPAA enforcers begin their Phase 2 audits.

Phase what?

Phase 2 Audits Begin in 2016:
Is Your Organization Prepared?

A quick background to explain how we got here. In 2011, the Department of Health and Human Services’ enforcement arm, the Office of Civil Rights, began what it called an audit pilot program. A private HHS contractor randomly audited more than 100 covered entities — healthcare providers, plans and clearinghouses — to assess their HIPAA compliance.

When these “Phase 1” audits concluded in 2013, the OCR released its disturbing findings, which found that most covered entities had at least some vulnerabilities or gaps in their data protection processes.

Some highlights:

     •  58 out of 59 healthcare providers had at least 1 negative finding relating to the HIPAA Security Rule.

     •  The most common cause of all weaknesses identified was that the covered entity was unaware of the HIPAA requirement.

     •  44% of HIPAA’s Privacy Rule deficiencies involved unintended or accidental disclosures of ePHI.


Obviously, HHS and its HIPAA regulators were concerned to find so many compliance deficiencies — concerned enough that they decided on a more robust “Phase 2” series of audits, beginning in early this year.

The new Phase 2 audits will focus on covered entities’ HIPAA compliance in several areas — privacy, security and breach-notification processes. And unlike Phase 1, which outsourced the audits to a private firm, this time HIPAA’s regulators will conduct the audits themselves — and will select several times more covered entities than were audited in Phase 1.

Although a covered entity should be preparing its own internal Security Risk Analysis and review of its Policies and Procedures in anticipation of the audits, we want to call your attention to a potential vulnerability that’s easy to overlook as your IT team devotes so much attention to fending off hacking attempts.

The Often Overlooked Gap in ePHI Security: The Negligent Insider

As we noted in a previous blog post, Four Tips for Defending Against Cyber Attacks, a Healthcare Information and Management Systems Society (HIMSS) survey found that the leading cause of data security incidents was a “negligent insider.”

HIMSS, in a recent survey, also found that these healthcare IT pros were most worried about malicious cyber tactics such as phishing, because their companies’ negligent insiders might be vulnerable to them.

And, according to a 2015 article in Federal Times, “Every survey of IT professionals and assessment of cybersecurity posture shows at least 50% of breaches and leaks are directly attributable to user error or failure to practice proper cyber hygiene.”

Finally, as a recent CSO feature explained, the major healthcare data breach of 2015 —Anthem; 80 million medical records compromised — was likely the result of cyber criminals accessing the password of a database administrator who fell for a phishing scheme.

All of which suggests at least two New Year’s Resolutions that will be valuable for any healthcare IT organization:

     1)  Take some time to assess your company’s HIPAA compliance levels and tune-up your ePHI security protocols.

     2)  Devote additional time to staff training and education, to turn your negligent insiders into ePHI protection warriors.

Upgrade Your Fax Infrastructure to a Secure Cloud Fax Solution
And if we may offer a third resolution: Upgrade your organization’s fax infrastructure from aging and vulnerable onsite fax hardware to a highly secure cloud fax solution designed specifically for healthcare firms like yours.

A smart approach to protecting the security and confidentiality of ePHI that you transmit by fax, the eFax Corporate network is entrusted every day to transmit millions of pages of business-critical information, including sensitive ePHI, by some of the nation’s largest Covered Entities and Business Associates.