HIPAA Compliance for Medical Practices
60.5K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Threat Info Sharing: Time for Leadership

Threat Info Sharing: Time for Leadership | HIPAA Compliance for Medical Practices | Scoop.it

The healthcare sector has a big problem. There's a great deal of information security immaturity and a lack of resources among smaller clinics, rural hospitals and other organizations. In the push to exchange electronic patient data nationwide, those entities are potential weak links in the security chain.

More has to be done to ensure these smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are prepared to mitigate them. That potentially requires more handholding from federal agencies - such as by issuing timely cyber-alerts and guidance. But it also means broader outreach and more affordable membership fees for information sharing organizations, such as the National Health Information Sharing and Analysis Center and others, so that the little guys are also in the cybersecurity intelligence loop.

 More has to be done to ensure smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are also prepared to mitigate them. 


Last week, the Department of Health and Human Services took an important initial step toward addressing the issue of improving cyberthreat information sharing. HHS announced it would investigate various options to ensure important cyber-intelligence gets to all healthcare organizations, regardless of size. It's weighing whether to establish another ISAC for the healthcare sector or bolster the capabilities of an existing organization.

It's good to see that HHS is focusing attention on an important issue, although the move is long overdue. Now, it's time for the agency to take prompt leadership action, because improving accessibility to cyberthreat intelligence for organizations of all sizes is urgent, in light of growing evidence that the healthcare sector is increasingly being targeted by hackers.

For example, Boston Children's Hospital was hit by a distributed-denial-of-service attack earlier this year. And Community Health Systems fell victim to a hack attack, perhaps involving the Chinese, that exposed millions of records.

The old adage says that you're only as strong as your weakest link. At a time when healthcare providers are being urged by the federal government to exchange electronic patient records to improve the quality of care - and consumers want to share health data they collect on their own wearable gadgets - we must eliminate weak spots. That means we must make sure, for instance, that providers of all sizes and types have timely access to information about new malware, software flaws or cyberthreats - and the steps they need to take to mitigate those issues.



more...
No comment yet.
Scoop.it!

Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan | JD Supra

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). The breach was the result of a malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, OCR-HHS found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business – and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.



more...
No comment yet.