The recent situation at NY Presbyterian Hospital/Columbia University Medical Center, which resulted in the largest-to-date HIPAA settlement of $4.8 Million, highlighted that security leadership wasn't aware of all of the applications running on their network. Reading between the lines, we get the picture of an out-of-control environment where physicians are installing personally owned servers on the network. This is BYOD (Bring Your Own Device) on steroids. The facts of the case are that a physician researcher attached his personally owned server to the network and exposed the PHI of 6,800 patients to the Internet.

Large health care organizations, including academic medical centers and other organizations, operate a wide array of systems that process PHI. These may include one or more EHR systems, biomed systems, multiple billing systems, multiple PACS, laboratory/pharmacy systems, coding optimizers, point-of-service charge estimators, electronic claims processing software, a proliferating array of clinical applications, and others.

Our earlier blog post highlights that HHS OCR expects organizations to maintain an application inventory.

While there is no set format for completing such an inventory, when Eagle performs a HIPAA risk assessment inventory we combine basic inventory elements (system name, physical location, etc.) with a screening of major control elements (e.g. use of encryption and backup details) and risk factors (e.g. size of database). These details can be tracked in a spreadsheet.

At a minimum, Eagle’s assessment of each application records the following details:

  1. System Name
  2. Device Name
  3. Description
  4. Physical Location
  5. Physical Server and Virtual Server Name
  6. # of Records in system and nature of data
  7. # of authorized System Users
  8. Whether the application requires unique User IDs
  9. Authentication details
  10. Whether role-based access controls are implemented
  11. Whether this system is accessed by end-users remotely
  12. Whether audit logging capability exists, is configured, and is used
  13. Whether access rights are disabled upon employee termination, and the approximate timeframe involved
  14. The date of the most recent review of user access credentials
  15. Whether data at rest is encrypted, and a description of the key management procedures
  16. Whether the application provides the end-user the ability to export multiple records to a file, USB flash drive, or email
  17. A description of the backup
  18. A description of the recovery testing, including the date of the most recent test
  19. Technical details regarding vendor remote access (e.g. VPN or other method)

Any inventory conducted by Eagle will always include applications running on biomed equipment. Since these applications are increasingly connected to the main network, numerous new risks and vulnerabilities are arising.

While creating this PHI application inventory is a significant project in itself, it is just the starting point in a risk assessment that will identify items needing further scrutiny. For example, the more data in a system and the more users, the greater the risk. These major systems will receive more scrutiny. Any system with weak controls will also be explored further.
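To show how the inventory fields listed above feed the screening step, here is an added Python example (not Eagle's own tooling or spreadsheet). The field names, the "major system" thresholds and the three sample inventory rows are constructed assumptions for illustration.

```python
"""Screen a PHI application inventory for systems that need further scrutiny.

Added example, not Eagle's tooling. Field names map to the numbered inventory
items in the post; thresholds and sample rows are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class AppRecord:
    system_name: str
    records: int             # item 6: number of PHI records in the system
    users: int               # item 7: number of authorized users
    unique_user_ids: bool    # item 8
    rbac: bool               # item 10: role-based access control implemented
    remote_access: bool      # item 11: accessed by end-users remotely
    audit_logging: bool      # item 12: exists, is configured, and is used
    encrypted_at_rest: bool  # item 15
    bulk_export: bool        # item 16: can export many records to file/USB/email
    recovery_tested: bool    # item 18: a recovery test is on record


# Assumed cut-offs for a "major system"; tune to the organization's size.
RECORD_THRESHOLD = 10_000
USER_THRESHOLD = 100


def screen(app):
    """Return the reasons this system warrants deeper review (empty = none)."""
    findings = []
    if app.records >= RECORD_THRESHOLD or app.users >= USER_THRESHOLD:
        findings.append("major system: large record count or user base")
    if not app.unique_user_ids:
        findings.append("no unique user IDs")
    if not app.rbac:
        findings.append("no role-based access control")
    if not app.audit_logging:
        findings.append("audit logging absent or unused")
    if not app.encrypted_at_rest:
        findings.append("PHI not encrypted at rest")
    if app.bulk_export:
        findings.append("bulk export of records possible")
    if not app.recovery_tested:
        findings.append("no recovery test on record")
    return findings


def screen_inventory(inventory):
    """Map each system with at least one finding to its list of findings."""
    return {a.system_name: screen(a) for a in inventory if screen(a)}


# Constructed sample inventory rows (not real systems).
INVENTORY = [
    AppRecord("EHR", 250_000, 1_200, True, True, True, True, True, False, True),
    AppRecord("Dept research server", 6_800, 3, False, False, True, False, False, True, False),
    AppRecord("Charge estimator", 500, 12, True, True, False, True, True, False, True),
]
```

The EHR is flagged only because of its size, while the research server is flagged for every weak control; the small, well-controlled charge estimator produces no findings.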
