Healthcare data access compliance

A guide to US and UK healthcare user security compliance

Published September 1, 2018

User security in healthcare is complex, and it’s for this reason that regulations like HIPAA are in place, as guidelines for the safeguarding of patient data. But meeting these regulatory requirements is not simple in itself, and isn’t by any means a guarantee of safety for your organisation.

This guide looks at the requirements of HIPAA, and the key NHS security guidelines in the UK, with regards to internal security. Check if you’re compliant with our Healthcare User Security Checklist.

And using research among healthcare workers in the UK and US, this guide highlights the areas in which organisations could be doing better. The aim is to help you run not only a compliant healthcare organisation, but an all-round more secure organisation.

Organisations in the healthcare industry face many challenges with regards to the safeguarding of data.

Firstly, there’s the nature of the kind of information they have access to. This isn’t just financial data that could affect a company’s bottom line, it’s individuals’ health records, sensitive information that could seriously harm people’s personal lives if it were to get into the wrong hands.

In addition to this is the nature of how many healthcare organisations work. More often than not, we’re not talking about traditional office structures here. Doctors, nurses and other hospital staff aren’t likely to be tied to one workstation all day; instead they move about their place of work.

The necessary access

In data access regulation we often talk about operating on a ‘need to know’ basis: restrictions based on what each individual needs in order to do their job. And when we’re talking about healthcare it’s of utmost importance to get this right, as often ‘need to know’ is literally a question of life or death. Consider the doctor who needs to check her patient’s allergies before administering urgent medication – having that information to hand at the right time and the right place is not just a matter of convenience.

So getting these restrictions right is crucial. On the one hand it is imperative that patients’ sensitive data is safeguarded, but on the other it’s of equal importance that the right people have the access necessary to do their job, when and where they need it.

Compliance to protect patient data

This is why the healthcare industry is among the most regulated with regards to data security. In the US, healthcare providers must adhere to the federal law of the Health Insurance Portability and Accountability Act (HIPAA).

In the UK, private providers that operate in the US will need to adhere to HIPAA too, but in the public sector the National Health Service has security policies for England, Wales and Scotland. While not law, these policies are aimed at safeguarding patient data and ensuring organisations within the NHS adhere to the Data Protection Act (DPA). This has recently taken on greater significance since the Information Commissioner’s Office (ICO), which enforces the DPA, was given greater authority by the UK government earlier this year to audit NHS organisations’ data security.

This guide looks at some of the key areas of HIPAA and the NHS security policies in relation to internal safeguards. It uses research among healthcare professionals in the US and the UK (250 in each) to identify areas where organisations may or may not be up to scratch, and to offer guidance.

A failure to adequately protect patient data

However, we know that by the nature of industry or pan-industry wide regulations there must be an element of applicability to the lowest common denominator that makes compliance a minimum, not a high standard. Regulatory sets like the Data Protection Act are purposely wide open to interpretation, but this does not mean that interpretation should simply be paying lip service.

Quite the opposite – if healthcare organisations truly want to ensure that not only are they complying with regulations, but are sufficiently protecting patient data, they should be striving to do everything in their power. And unfortunately the results of the research uncovered in this guide indicate that for many organisations, that is not the case.

Going beyond compliance

For this reason, we have endeavoured to go a step beyond guidance on simply complying, as any industry wide set of regulations is going to be, by its nature, ‘the basics’. They must cover so many types of organisation that they have to be applicable to the lowest common denominator within their remit. The DPA in the UK is particularly susceptible to this as it covers various industries, meaning that by its nature it cannot be particularly specific in its requirements. So this guide aims to show not only how to meet compliance, but how to reach beyond it by implementing granular security practices that mitigate the risks pertaining to patient data and other sensitive information that healthcare organisations must safeguard.

What are healthcare organizations doing with new employees to safeguard data?

Many workplaces today are subject to either governmental or industry regulation – or both. For some industries, such as healthcare, there are legal obligations that require new employees to be informed about and trained on information security.

Security Training

HIPAA section 164.308 requires that every organisation in the US healthcare industry implement a security awareness and training program for all members of its workforce, including management. In the UK, similar policies exist separately for England, Scotland and Wales – so it was surprising to see in our research that 29% of healthcare professionals in the US and 48% in the UK did not receive any security training.

Employee Contracts

To take the standard of security training beyond the base level in on-boarding staff, it is sensible to include adherence to security policies within employee contracts. This ensures a level of responsibility on the part of the employee, providing a line of culpability in the event that they take action to subvert a policy. However, the research showed that only 57% (US) and 50% (UK) of healthcare professionals had formal agreements to security policies in their contracts.

Security Policy

Of course presenting a security policy at all to new starters is another fundamental. About 56% (US) saw a security policy upon starting their job but only 31% (UK) admitted seeing one. Similar numbers said that they were asked to sign it suggesting that if you were shown a security policy, you were expected to formally agree to it. Formal agreement to a policy is a requirement in NHS England and Scotland, as well as for HIPAA.

Background Checks

Another recommended additional step to take with new staff is to perform background checks before employment. When our respondents were asked whether their employers performed background checks on prospective employees, it seems this practice is more common among US healthcare organisations, at 60% compared to 49% in the UK.

How are healthcare organizations implementing security procedures and process?

As with most IT security compliance programmes, technology only forms part of the solution in healthcare. IT security is a tripod between processes, people and technology — and not a monolith. We’ve discussed security training at the point of employee entry, but what about the on-going elements?

Procedures

Processes and procedures are paramount to compliance. HIPAA states that organisations must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

However, while healthcare organisations may have such procedures in place, they aren’t communicating these procedures to employees effectively. Just 72% of US and 53% of UK healthcare professionals say they are aware of a documented healthcare policy within their organisation.

When it comes to user authentication procedures, many organisations are at serious risk from not having a simple password policy, where users must change their login details on a regular basis. Only 71% in the US and 53% in the UK say their organisation enforces use of secure passwords — a worrying statistic, especially after the widely reported Anthem hack, which occurred as a result of compromised credentials.

Another procedural requirement for any organisation operating under HIPAA or within the NHS is regular security audits. Just 34% in the US and 26% in the UK are aware that their organisation does regular security audits. Though it is possible that these may be conducted without the employees’ knowledge, transparency with regards to auditing is recommended as it reminds employees to be vigilant, and may even deter potentially malicious activity.

People

To address the people side of security, an engaging training programme helps improve security awareness and can significantly improve compliance.

Indeed, in the UK, NHS security policies specifically state that information governance training is mandatory, and all staff are required to complete annual online information governance training. HIPAA in the US provides more granular detail on what healthcare organisations need to do:

  • Train employees to use and apply appropriate data protection protocols, which may include document shredding procedures, or lock or password security protocols

  • Train new employees immediately when they’re hired

  • Provide regular refresher sessions for existing employees

  • Sanction employees who violate policies and procedures

However, many healthcare organisations are not paying enough attention to general IT security training once employees have settled into their jobs. Just 55% of healthcare companies in the US and 41% in the UK extend training to existing and established employees.

Further to this, a minority of healthcare organisations have successfully made the penalties for leaking or stealing sensitive information clear to their employees – 43% in the US and 31% in the UK.

And the UK’s Information Commissioner, for one, takes a dim view of the NHS’ approach to security training. He said in February 2015: “The NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”

The Information Commissioner’s comments are hardly surprising since just 30% of US and 23% of UK IT professionals believe senior management take any responsibility for security — something that must change to remain compliant.

What are healthcare organizations doing to secure network access and the data within?

We’ve covered training, and some of the people related processes that are requirements of healthcare industry compliance as well as being good security practice. The other side to this however, is technology.

As humans are (unfortunately) fallible, they cannot be relied upon fully. This means it is technology’s place to fill the gaps wherever possible, minimising the risks and decreasing the surface area vulnerable to attack.

A bare basic requirement for all security policies, and one that is stipulated in the terms of HIPAA as well as across the NHS, is that user actions must be identifiable to an individual.

There are multiple levels at which this must, or should, be implemented.

Unique user logins

The first is user logins – if users are not even required to login to the network, then there is no hope of them being identifiable. Quite aside from the issue of user identification, this obviously leaves access wide open to attackers. And alarmingly, this is the case among 22% of US healthcare organisations, and more than a third (36%) in the UK.

Beyond this most basic of requirements is a (still very basic) further requirement, in that each user on the network should have a unique ID. Sharing logins naturally obfuscates user identification, meaning you cannot possibly confirm who has access to what files or folders, not to mention when or where from. Nearly a third of US healthcare workers (30%), and 44% in the UK, do not have a unique ID to log on to their employer’s network.

Logoff and on procedure

We’ve mentioned human fallibility and how we tend to make mistakes, especially when we’re in a hurry – say to get out the door and go home at the end of the day, or to get to our next meeting. This is why logoff procedure should not be left to the user. It is an ‘addressable’ requirement of HIPAA, and a stipulation of NHS Scotland’s security policy; however, only 48% of US and just 28% of UK healthcare workers are automatically logged off their network after a set period of inactivity.

To take this a step further, identification continues to be obfuscated if the user can log in from multiple devices or locations. Disabling concurrent logins strengthens the affirmation that it is the designated employee using their unique ID, and not an intruder or someone they have shared their password with. Just 37% of US and 13% of UK workers are restricted from logging in on multiple machines simultaneously. This also of course relates to remote access, with 24% in the US and 17% in the UK allowing employees to use the same login to access the network remotely.

On the topic of password sharing, obviously this is a practice which goes against the requirement of being able to identify specific users. Some users may engage in it against the guidance of their organisation’s security policy, but shockingly there are a number of healthcare organisations that willingly permit it. In fact 12% in the UK and 6% in the US allow their employees to share logins.

Location and time restrictions

A method of taking identifiability a step further than unique user logins and automatic logoffs, as well as reducing the surface vulnerable to attack, is to implement access restrictions for set times and locations. Limiting access to a network not just by individual user, but by workstation, device or department, reduces risk and makes identifiability stronger. Restrictions on time of access, limited to business hours for example, take this even further.

Perhaps unsurprisingly, a minority of healthcare organisations have taken these extra steps, with 28% having implemented location based restrictions and just 13% basing limitations on time.

Attribution

Ultimately, all of these restriction levels are aimed at ensuring that user actions are identifiable, yet only a minority of healthcare workers (46% US, 33% UK) feel that their actions on the employer’s network can be attributed to them. While most employees may not be planning to take any malicious action on the network, they are still less likely to be conscientious if they don’t think they will be held accountable. On the same note, those that may be looking to steal data are unlikely to feel there’s anything stopping them!

Monitoring

There also isn’t much point in ensuring user actions are identifiable unless someone is monitoring those actions. We found that only 50% of US and 34% of UK healthcare workers are aware of their organizations monitoring network access. It is possible that organizations will be monitoring without employee knowledge, but transparency in this regard will encourage good behavior.

What are healthcare organizations doing to ensure employees have only the necessary access to sensitive data?

Access to personal data can be life-dependent when it comes to the healthcare industry. Doctors and nurses need to access medical files promptly without complicated processes in order to ensure proper delivery of care. However, at the same time, maintaining confidentiality of data records is of prime importance.

Both HIPAA and the DPA require that individuals handling patient data have access to the degree that is necessary for them to perform their role – no more, no less. Now firstly it’s going to be very difficult to meet this requirement without the unique user identification controls we went through in the last section, but there are further levels of access control.

Access to patient data

As part of the healthcare industry, it was no surprise to see that the majority of healthcare workers, 82% (US) and 69% (UK), have access to patient data. In the UK, under section 7 of the Data Protection Act 1998, responsibility for access control lies with the ‘data controller’, who is essentially the authorised entity that determines the purposes for which, and the manner in which, personal data will be processed. This means that each organisation should have policies and procedures in place for access control.

The degree of access necessary

Although the majority, 84% (US) and 86% (UK), think that the data they have access to is necessary for their role, it was concerning to see that 18% (US) and 13% (UK) think that the level of access they have is greater than necessary. HIPAA guidelines state that authorised users should only have access to the minimum necessary information needed to perform their job functions.

File and folder access

When asked more directly, 57% (US) and 42% (UK) said that they can only access the files and folders they need to do their job. The research also showed that 41% (US) and 30% (UK) have a specific level of user access that restricts their access to certain files and folders. So while overall they feel the level of access they have is appropriate, when asked more specifically it appears that organisations are not defining this at a granular level. HIPAA outlines that organisations should have an emergency access procedure in place so that employees can obtain necessary electronic protected health information during an emergency.

Monitoring file access

To take the issue of necessity a step further, in order to prove to regulators that employees are only accessing the files they need to perform their role, comprehensive monitoring of that access must take place. We found that 50% of US and 34% of UK healthcare workers are aware of their organisations monitoring network access. Monitoring of specific files and folders is lower (38% US and 20% UK) and monitoring of actions (copying, moving, deleting) slightly higher than that (41% US and 19% UK). Once again, it is possible that organisations will be monitoring without employee knowledge, but transparency in this regard will encourage good behaviour.

What are healthcare organizations doing when employees change or leave jobs?

We’ve covered process when employees join a healthcare organisation, and processes during their on-going employment, but what about when they move roles or leave the organisation?

UK and US compliance requirements provide clear stipulations on what organisations must do when employees change job roles or leave.

Moving roles within the same organisation

We mentioned security training earlier in this report, but HIPAA also states that organisations must tailor training sessions to different job roles, so if an employee moves to a new position, they should be treated as a new employee and given immediate training.

We’ve also mentioned that HIPAA states that “access controls should enable authorised users to access the minimum necessary information needed to perform job functions."

So when employees move roles, healthcare companies should review rights for employees — something that nearly half of all US healthcare organisations are overlooking. Just 51% of US healthcare employees say their company reviews access or admin rights when they’ve changed roles within the organisation.

While reviewing access rights in the UK isn’t necessarily a compliance issue, it is certainly good practice. But UK organisations are even worse than their US counterparts. Just 29% of healthcare employees say their company reviews access or admin rights when they’ve moved roles.

Moving to a new organisation

NHS Scotland’s security policy highlights the importance of an employee-exit process: “When an employee terminates employment with the employing health board, all property must be returned.”

However, just 40% of UK healthcare employees overall say that their organisation switches off network access for ex-employees. The picture is only slightly better for the US at 68%, meaning that nearly a third of US healthcare organisations don’t address outgoing employees.

Asking those who have left a job in the same sector within the last 5 years, a worrying 37% in the US and 27% in the UK say they continued to have access to their previous employer’s network. Only 34% (US) and 39% (UK) said their user account underwent a formal de-registration process. Naturally, if organisations do not have unique user IDs as described in previous sections, it is very difficult to enforce a de-registration process for them. But if this basic requirement is met, a formal exit process should be simple, and is an extremely important measure in ensuring ex-employees (who are more likely to have motivation to take malicious action) don’t continue to have access to your sensitive data.
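The network-access controls described in this guide (unique IDs rather than shared accounts, no concurrent logins, department-based location restrictions, business-hours limits, and de-registration of leavers) can all be checked against a login audit trail. The following is an added example, not code from the original guide or any product it refers to: it runs those checks over a constructed log, against a hypothetical policy table, and reports each finding so that a reviewer can follow up.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit log (not real data): ISO timestamp, event, user ID,
# workstation, department. Deliberately out of order to show the sort step.
SAMPLE_LOG = """\
2018-08-14T08:02:11 LOGIN  jsmith  WARD3-PC01  ward3
2018-08-14T08:05:40 LOGIN  jsmith  WARD7-PC02  ward7
2018-08-14T08:30:00 LOGOUT jsmith  WARD3-PC01  ward3
2018-08-14T23:15:09 LOGIN  apatel  ADMIN-PC05  admin
2018-08-14T09:10:00 LOGIN  nurse1  WARD3-PC04  ward3
2018-08-14T09:12:00 LOGIN  bkhan   WARD3-PC02  ward3
2018-08-14T10:00:00 LOGIN  rlee    WARD3-PC03  ward3
"""

# Hypothetical policy modelled on the controls in the guide.
POLICY = {
    "allowed_departments": {"jsmith": {"ward3"}, "apatel": {"admin"}, "bkhan": {"ward3"}},
    "business_hours": (time(7, 0), time(20, 0)),
    "shared_id_prefixes": ("nurse", "doctor", "ward"),  # generic, non-unique account names
    "leavers": {"rlee"},  # accounts that should have been de-registered
}

@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    workstation: str
    department: str

def parse_log(text):
    """Parse whitespace-separated log lines and return events in time order."""
    events = []
    for line in text.splitlines():
        ts, kind, user, ws, dept = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, user, ws, dept))
    return sorted(events, key=lambda e: e.ts)

def audit(events, policy):
    """Return (finding, user, workstation) tuples for every policy violation."""
    findings = []
    active = {}  # user -> workstations with an open session
    start, end = policy["business_hours"]
    allowed = policy["allowed_departments"]
    for e in events:
        if e.kind == "LOGOUT":
            active.get(e.user, set()).discard(e.workstation)
            continue
        if e.user.startswith(policy["shared_id_prefixes"]):
            findings.append(("shared_id", e.user, e.workstation))
        if e.user in policy["leavers"]:
            findings.append(("ex_employee", e.user, e.workstation))
        if e.user in allowed and e.department not in allowed[e.user]:
            findings.append(("location", e.user, e.workstation))
        if not (start <= e.ts.time() <= end):
            findings.append(("out_of_hours", e.user, e.workstation))
        sessions = active.setdefault(e.user, set())
        if sessions and e.workstation not in sessions:
            findings.append(("concurrent_login", e.user, e.workstation))
        sessions.add(e.workstation)
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), POLICY):
        print(*finding)
```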