How to Effectively Maintain HIPAA Compliance in the Cloud

January 21, 2019 at 8:23 pm by Heidi White

In today’s digital age, the majority of data is stored electronically in internet-based cloud software. Whether for convenience or accessibility, or due to physical hardware storage limitations, using a cloud to store data has become a norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.

Moreover, the size and even financial power of an organization doesn’t necessarily equate to better and more secure methods of privacy protection for data stored in its cloud. Recent data breaches at large data centers like Experian, Facebook, and Target have proven that the proper protection of private and otherwise sensitive information is paramount, especially when stored electronically.

For healthcare providers, professionals, and clearinghouses (hereafter referred to as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.

HIPAA Regulations & Best Practices for Data Disposal

If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI data or dispose of it using a public container like a dumpster that can be accessed by unauthorized personnel. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise cannot be reconstructed. In order to fully destroy this data, certain steps must be followed.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c).

This Rule holds especially true with the disposal of PHI and requires the covered entity to not only destroy the electronic PHI (ePHI) and the hardware or electronic media it is stored on, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse.

In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard process, covered entities must also train their workforce members on the disposal policies and procedures they have established, and must enforce these policies. See 45 CFR 164.310(d)(2)(i).

It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.

Degaussing is a method of data disposal that completely erases the drive, rendering it unusable

In the case of ePHI, whether on hardware or in an internet cloud system, proper HIPAA disposal methods include using software or hardware to overwrite the media with non-sensitive information to clear the data, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also opt to maintain a secure area for PHI disposal and/or you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.

Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

Penalties for Noncompliance

In tandem with the Department of Justice, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for the administration and enforcement of the HIPAA Security and Privacy Rules for the disposal of PHI.

Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.

If found guilty or in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (and not exceeding $1,500,000 per calendar year for multiple violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected during a 30-day period from the date on which the violation occurred; if the Department of Justice has imposed a criminal penalty; or, if the OCR chooses to reduce the penalty due to reasonable cause in the covered entity’s failure to comply, in that the penalty would be excessive given the nature and extent of the noncompliance.

In addition, criminal prosecution, in the form of a fine of $50,000 and up to one year of imprisonment, can be mandated for a person who knowingly obtains or discloses PHI and ePHI, which can occur as a result of improper disposal of the PHI. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.

One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.

The Importance of the NIST 800-88 Standard for Media Sanitization in Secure Data Destruction

November 21, 2018 at 4:00 pm by Heidi White

Trends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.

NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.

Confidentiality and Media Types

Confidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.

Currently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.

Media Sanitization – Methodologies, Responsibilities, and Challenges

Three methodologies of media sanitization are defined by NIST 800-88 as follows:

  • Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory
  • Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of

Clear

One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.

Purge

SEM’s high security degausser can be used to purge data

A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device produces a build-up of electrical energy to create a magnetic field that removes the data from the device when discharged. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the gold standard.

Destroy

While clearing and purging provide adequate media sanitization involving less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.

SEM disintegrators shred particles to a nominal 2mm size

Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while the best practice for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm². In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.

Responsibilities and Verification

While NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.

Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.

Conclusion

NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that both protects PII and confidential information while reducing organizational liability. Determining proper policies is realized by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.

Making Sense of HIPAA

December 21, 2010 at 11:30 am by SEM

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information.

The HIPAA law applies to anyone that has visited any health care facility, basically everyone. Before the law was enacted, the fates of our medical records were left in the hands of the health care professionals. Some disposed of them properly but some just threw them into the dumpster. As with our old credit card statements and other mail or personal information, once they are thrown in the dumpster they are community property and anyone can have access to them.

Your Health Information Is Protected By Federal Law

Most of the population believes that medical and health information is private and should be protected, and wants to know who has access to this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

How Our Information Is Treated and Disposed Of

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

    • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.

NIST Guidelines

Destruction of media is the ultimate form of sanitization. After media is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

Disintegration, incineration, pulverization, and melting: these sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. End-of-life data destruction machines can also be purchased to destroy the material on site.

Shredding: paper shredders can be used to destroy paper and in some models, flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), Blu-ray Discs (BDs) and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.

Enforcement and Penalties for Noncompliance

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews.

The OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.

Civil Money Penalties

OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

Summary

HIPAA covers a broad area of responsibilities. We are all involved in this, as we all have personal records that are out of our personal control and, as such, are subject to having our personal information compromised. To understand HIPAA is to understand the relationship between the importance of our PHI and our health care providers, and to realize that somebody could potentially obtain our information if the proper safeguards are not adhered to. HIPAA sets these guidelines to protect everybody.