HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

5 Common HIPAA Mistakes


Now more than ever, HIPAA compliance is a must. HIPAA penalties can run to several million dollars, and criminal violations can carry prison time. We know HIPAA can be confusing. The devil is in the details: there are a lot of rules to follow, which means a lot of mistakes you can make. While we can't cover them all, this list of 5 common HIPAA mistakes and ways you can prevent them is a smart place to begin.

1. Lost or Stolen Devices

In January 2012, Pennsylvania-based CardioNet reported to HHS' Office for Civil Rights (OCR) that a workforce member's laptop had been stolen from a vehicle parked outside the employee's home. The laptop contained the ePHI of 1,391 individuals. The outcome? A $2.5 million settlement.¹

Phones, laptops and tablets are particularly vulnerable to theft and loss precisely because they are small and portable. When covered entities and business associates don't implement mobile device security, people's sensitive health information is put at risk. Ignoring security can result in a serious breach, which affects each individual whose information is left unprotected.

What can you do today to safeguard your devices? Here’s what the U.S. Department of Health and Human Services recommends:

  • Use a password or other user authentication
  • Install and enable encryption
  • Install and activate remote wiping and/or remote disabling
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall
  • Install and enable security software
  • Keep your security software up to date
  • Research mobile applications (apps) before downloading
  • Maintain physical control
  • Use adequate security to send or receive health information over public Wi-Fi networks

2. Hacking

Getting hacked is something we all fear, and for good reason. New attack techniques appear constantly. You have heard of some (phishing, viruses, ransomware) and perhaps not of others (fake wireless access points, watering-hole attacks). Hacking can happen to anyone, at any time, in any place. It is serious business.

Consider this statistic on ransomware specifically: a recent U.S. Government interagency report found that, on average, there have been 4,000 ransomware attacks per day since early 2016, a 300% increase over the 1,000 daily attacks reported in 2015.²

What to do? Use these high-level tips as first steps:

  • Conduct a full risk assessment to discover all security vulnerabilities
  • Use strong passwords and two-factor authentication.
    • Read our “Creating and Managing Passwords” blog article for more info
  • Install all software patches promptly and ensure databases are up-to-date
  • Keep anti-virus definitions updated
  • Scan for viruses regularly
  • Check out this article for more info on ransomware: “WannaCry Ransomware Protection with HIPAA“

3. Employee Dishonesty

In 2012, the owner of a Long Island medical supply company was found guilty of $10.7 million in Medicare fraud and of HIPAA violations. She was sentenced to 12 years in prison and fined $1.3 million.

Employees accessing patient information they are not authorized to see is a common HIPAA violation. Whether out of curiosity, spite, or as a favor to someone else, unauthorized access is illegal and can cost an organization substantial amounts. People who use or sell PHI for personal gain can face fines and even prison time. Staff who gossip about patients to friends or coworkers are also committing a HIPAA violation that can result in a significant fine. Employees must be mindful of their surroundings, restrict conversations about patients or clients to private places, and avoid sharing patient information with anyone who does not need it.

Take a look at these ideas for keeping staff compliant:

  • Establish and enforce sanction policies
  • Train and retrain staff on HIPAA
  • Monitor employee compliance:
    • Check work areas for obvious violations
    • Listen for any discussion in the workplace that includes PHI

4. Improper Disposal

In 2009, CVS paid $2.25 million to settle a violation of throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters.

HIPAA requires that you protect the privacy of PHI in any form when disposing of information (45 CFR 164.530(c)). This not only includes tangible documents like x-ray films or patient charts, but also electronic media like old laptops or external drives.

The U.S. Department of Health and Human Services has defined these proper disposal methods:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • Further, covered entities, business associates and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).⁴
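The "clearing" option above, overwriting media with non-sensitive data, is only trustworthy when someone reads the media back afterwards and confirms that nothing recoverable is left. The following is an added example, not code from HHS or from the original article: a Python script that overwrites a file-backed media image with random data in place and then scans it for known marker strings from the original content. The image, its PHI-like records and the file name are constructed for the demonstration. One caveat the guidance above does not spell out: on flash media (SSDs, USB sticks), wear levelling means an overwrite pass is not guaranteed to touch every physical cell, so for that media the purge options (the drive's built-in secure erase, or destroying the key of an encrypted volume) or physical destruction are the safer choice.

```python
from __future__ import annotations

import os
import tempfile

CHUNK = 1 << 20  # read/write granularity, 1 MiB


def build_sample_media(path: str, records: list[str]) -> None:
    """Write a constructed media image: invented PHI-like lines plus filler."""
    with open(path, "wb") as f:
        for rec in records:
            f.write(rec.encode("utf-8") + b"\n")
        f.write(os.urandom(2 * CHUNK))  # pad so the image spans several chunks


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Clear the image by overwriting every byte with random data.

    Opens read/write without truncating so the same file extents are
    rewritten, and fsyncs after each pass so the write actually reaches
    the media. Returns the number of bytes rewritten per pass. Note that
    this is the HHS "clearing" method, which is not reliable on flash media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def find_residue(path: str, markers: list[bytes]) -> list[bytes]:
    """Read the image back and return every marker that is still present.

    Reads in chunks with an overlap of len(longest marker) - 1 bytes so a
    marker straddling a chunk boundary is still caught.
    """
    if not markers:
        return []
    overlap = max(len(m) for m in markers) - 1
    found: set[bytes] = set()
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = tail + chunk
            found.update(m for m in markers if m in window)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def clear_and_verify(path: str, markers: list[bytes], passes: int = 1) -> bool:
    """Overwrite, then verify: True only when no marker survives."""
    overwrite_in_place(path, passes)
    return not find_residue(path, markers)


def run_demo() -> dict:
    """Build a constructed image, clear it and report what verification saw."""
    sample = [  # invented records, not real patient data
        "Patient: Jane Roe, DOB 1970-01-01, Rx: metformin",
        "Patient: John Doe, DOB 1985-05-05, Rx: lisinopril",
        "SSN: 000-00-0000",
    ]
    markers = [s.encode("utf-8") for s in sample]
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "old_laptop.img")  # hypothetical file name
        build_sample_media(img, sample)
        size = os.path.getsize(img)
        residue_before = find_residue(img, markers)
        clean = clear_and_verify(img, markers, passes=2)
        return {
            "residue_before": residue_before,
            "clean_after": clean,
            "size_preserved": os.path.getsize(img) == size,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against a real device path only once you are certain of the path; it rewrites whatever it is given. Keep the marker list to a handful of strings known to be on the media (a patient name, an account number); the point of the read-back is to catch a failed or partial overwrite, not to prove the absence of every possible record.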

5. Third-Party Disclosure

North Memorial Health Care of Minnesota paid $1.5 million to settle HIPAA violation charges arising from a 2011 incident in which a business associate was given access to ePHI before a signed copy of a HIPAA-compliant Business Associate Agreement (BAA) had been obtained.⁵

Under HIPAA, a covered entity must have a signed BAA with any vendor that performs functions, activities or services for or on its behalf and that has access to patient ePHI. The signed BAA must be in place before access to patient health data is granted. The BAA must spell out the business associate's responsibilities for keeping PHI protected and for not disclosing it to unauthorized parties.

Remember, your business associates’ HIPAA shortcomings impact you! Period.

Be sure to:

  • Establish who your Business Associates are, considering their subcontractors and your own contractors. (Read our own “Preparing Contractors for HIPAA Compliance” blog)
  • Obtain a Business Associate Agreement before your BA has access to any client/ patient health data
  • Ask for verification of HIPAA compliance for each and every BA, including their subcontractors
  • Read some of the previous articles we’ve written about Business Associates for smart ways on working with them:
    • “Auditing Business Associates”
    • “Business Associates Must Take HIPAA Compliance Seriously“

Patients suing Fort Wayne medical company over data breach


Two lawsuits have been filed in federal court in Fort Wayne seeking class action status on behalf of patients who have had their data compromised by Medical Informatics Engineering.


The Fort Wayne-based medical software company has reported that the private information of 3.9 million people nationwide was exposed when its networks were hacked earlier this year. The compromised information includes patients' names, Social Security numbers, birth dates and addresses, The (Fort Wayne) Journal Gazette (http://bit.ly/1W3PLHO ) reported.


The company contacted the FBI to report the data breach in May and began issuing letters to patients, letting them know which provider's information was hacked and offering them credit monitoring services, in mid-July.


The first lawsuit was filed last week by one patient, while the second lawsuit was filed Tuesday by three other patients.


Both lawsuits are similar and accuse the company of negligence. The plaintiffs argue that the company should've realized the risks associated with collecting and storing patients' personal information, and that the company had a responsibility to protect their data, according to court documents.


The lawsuits allege that Medical Informatics Engineering failed to take steps to prevent and stop the data breach, failed to comply with industry standards for safeguarding such data, and failed to properly implement technical systems or security practices, the documents said.

"Given the risk involved and the amount of data at issue, MIE's breach of its duties was entirely unreasonable," the attorneys wrote in the lawsuit.


In addition to class action status, all four patients also are seeking damages and expenses.


Eric Jones, co-founder and CEO of Medical Informatics Engineering, confirmed to the Associated Press Thursday that the company is aware of the two pending lawsuits.


"Our primary focus at this time is on responding to requests for information to those affected and helping them to enroll in credit monitoring and identity protection services," he said.


Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules


HIPAA enforcement is an important aspect of The HIPAA Privacy Rule, and also one that no covered entity actually wants to be a part of. However, it is essential that healthcare organizations of all sizes understand the implications of an audit from the Office for Civil Rights (OCR), and how they can best prepare.


This week, HealthITSecurity.com is breaking down the major aspects of OCR HIPAA enforcement, and what healthcare organizations and their business associates need to understand to keep patient data secure. Additionally, we'll review some recent cases where OCR fined organizations because of HIPAA violations.


What is the enforcement process?


OCR enforces HIPAA compliance by investigating any filed complaints and will conduct compliance reviews to determine if covered entities are in compliance. Additionally, OCR performs education and outreach to further underline the importance of HIPAA compliance. The Department of Justice (DOJ) also works with OCR in criminal HIPAA violation cases.


“If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it,”according to HHS’ website. “Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.”


Sometimes OCR determines that the HIPAA Privacy or Security requirements were not violated. When violations are found, OCR seeks voluntary compliance, corrective action, and/or a resolution agreement with the covered entity:


“If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.”


During the intake and review process, OCR considers several conditions. For example, the alleged action must have taken place after the dates the Rules took effect. In the case of the Privacy Rule, the alleged incident will need to have taken place after April 14, 2003, whereas compliance with the Security Rule was not required until April 20, 2005.


The complaint must also be filed against a covered entity, and a complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. Finally, complaints must be filed within 180 days of “when the person submitting the complaint knew or should have known about the alleged violation.”


Recent cases of OCR HIPAA fines


One of the more recent examples of HIPAA enforcement took place in Massachusetts, when the OCR fined St. Elizabeth’s Medical Center (SEMC) $218,400 after potential HIPAA violations stemming from 2012.


The original complaint alleged that SEMC employees had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. OCR claimed that this was done without having analyzed the risks associated with the practice.

“OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome,” OCR explained in its report. “Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.”


OCR Director Jocelyn Samuels reiterated the importance of all employees ensuring that they maintain HIPAA compliance, regardless of the types of applications they use. Staff at all levels “must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner,” she stated.


In April of 2015, the OCR also agreed to a $125,000 settlement fine with Cornell Prescription Pharmacy (Cornell) after allegations that also took place in 2012. In that case, Cornell was accused of improperly disposing of PHI documents. Papers with information on approximately 1,600 individuals were found in an unlocked, open container on Cornell’s property.


“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” OCR Director Samuels said in a statement, referring to the fact that Cornell is a small, single-location pharmacy in Colorado. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”


However, not all OCR HIPAA settlements stay in the hundreds of thousands of dollars. In 2014, OCR fined New York-Presbyterian Hospital (NYP) and Columbia University (CU) $4.8 million over a joint breach report filed in September 2010.


NYP and CU were found to have violated HIPAA by exposing 6,800 patients’ ePHI when an application developer for the organizations tried to deactivate a personally-owned computer server on the network that held NYP patient ePHI. Once the server was deactivated, ePHI became accessible on internet search engines.


“In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections,” OCR explained in its statement. “Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.”


Regardless of an organization’s size, HIPAA compliance is essential. Regular risk analysis and comprehensive employee training are critical to keeping covered entities up to date and patient data secure. By reviewing federal, state and local laws, healthcare organizations can work on taking the necessary steps to make changes and improve their data security measures.


Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.
Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.

The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."
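One concrete form of the "technical safeguards" Greene mentions is watching the web proxy for uploads to consumer file-sharing services that are not the organization's sanctioned, BAA-covered tenant. The following is an added example and not code from the original article or from any of the firms quoted: a Python script that parses a constructed proxy log excerpt, keeps only uploads (POST/PUT) to hosts under a file-sharing domain list, exempts the sanctioned tenant, and totals the bytes each user pushed out. All hostnames, usernames and the domain sets are invented placeholders; in practice SHARING_DOMAINS would come from the proxy's URL-category feed and SANCTIONED_HOSTS from the list of services that actually have a BAA.

```python
from __future__ import annotations

from collections import Counter

# Constructed proxy log excerpt (invented users and hostnames):
# timestamp, user, method, host, bytes sent by the client.
PROXY_LOG = """\
2012-11-05T10:01:22,jsmith,GET,www.example-hospital.org,512
2012-11-05T10:03:10,jsmith,POST,upload.cloudshare-example.net,2097152
2012-11-05T10:05:40,jsmith,POST,upload.cloudshare-example.net,4194304
2012-11-05T11:15:02,agarcia,PUT,hospital-tenant.cloudshare-example.net,1048576
2012-11-05T12:20:44,agarcia,POST,sync.sharebox-example.com,3145728
2012-11-05T13:00:00,tnguyen,GET,www.cloudshare-example.net,2048
2012-11-05T13:02:17,tnguyen,POST,api.cloudshare-example.net,10485760
"""

# Placeholder domain sets (assumptions): populate SHARING_DOMAINS from the
# proxy vendor's "file sharing" category feed, and SANCTIONED_HOSTS with the
# organization's own enterprise tenant that is covered by a BAA.
SHARING_DOMAINS = {"cloudshare-example.net", "sharebox-example.com"}
SANCTIONED_HOSTS = {"hospital-tenant.cloudshare-example.net"}
UPLOAD_METHODS = {"POST", "PUT"}


def parse_proxy_log(text: str) -> list[dict]:
    """Parse the CSV-style excerpt into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host, sent = line.split(",")
        events.append({"ts": ts, "user": user, "method": method.upper(),
                       "host": host.lower(), "bytes_out": int(sent)})
    return events


def matches_domain(host: str, domains: set[str]) -> bool:
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def unsanctioned_uploads(events, sharing_domains=SHARING_DOMAINS,
                         sanctioned_hosts=SANCTIONED_HOSTS, min_bytes=0):
    """Uploads to file-sharing services other than the sanctioned tenant.

    Downloads (GET) and the approved tenant are ignored; min_bytes lets an
    analyst suppress tiny requests such as API keepalives.
    """
    return [e for e in events
            if e["method"] in UPLOAD_METHODS
            and e["host"] not in sanctioned_hosts
            and matches_domain(e["host"], sharing_domains)
            and e["bytes_out"] >= min_bytes]


def bytes_by_user(flagged) -> dict[str, int]:
    """Total bytes each user pushed to unsanctioned services, for triage."""
    totals: Counter[str] = Counter()
    for e in flagged:
        totals[e["user"]] += e["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = unsanctioned_uploads(parse_proxy_log(PROXY_LOG))
    for e in hits:
        print(f'{e["ts"]} {e["user"]:8} {e["method"]:4} {e["host"]} {e["bytes_out"]} B')
    print("totals by user:", bytes_by_user(hits))
```

The host check is suffix-based, so api.cloudshare-example.net matches but cloudshare-example.net.evil.example does not. The exemption is by exact host rather than by domain on purpose: the risk is precisely that the same vendor serves both the sanctioned tenant and employees' personal accounts.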


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."


The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.


4 things to know before next data breach


Data breaches are all over the news right now. Here's what you want to know.

Businesses of all kinds have been struck ranging from CVS and Costco — which last week had to take down site features amid investigations into whether consumer data was taken — to local entities like OhioHealth, which this week announced information on some patients was on a flash drive that went missing.

No one is above risk, cyber security professionals say, but what can be done to keep you out of hot water? I asked Dayton-area experts for their advice.

1. Make sure employees have rules


Employees need to know not to open suspicious e-mails or fall for scams over the telephone, said Jon Gauder, president of Volo Technologies. Having security policies in place helps keep employees from letting information fall into the wrong hands.

Lindsay Johnson, an attorney with Freund, Freeze & Arnold specializing in cyber security, said as employees use personal devices for more work purposes, they open up the company to risk. But it's easy to avoid.

"If you let employees have emails on their iPads and laptops, someone can get a hold of that and extrapolate data," Johnson said. "That data has to be encrypted and that can be done with minimal effort."

2. Keep your tech up to date

To protect internal assets, you want to have routers and firewalls put in place and configured to prevent intrusion attacks, Gauder said.

“Sometimes it’s a matter of having the right equipment in place, antivirus and updated security patches,” Gauder said. “There’s no 100 percent foolproof way, but sometimes it’s more responsive than preventative, but your programs have to be up to date.”

Network security audits help companies test their security measures. For a website, Gauder said, if you don't need to have data on it, don't store payment information there. Host the website with a trusted, respected provider, and have a good security policy in place.

A lot of people use open source software to develop websites. That code is visible to attackers, but it also means a patch for a discovered flaw tends to arrive quicker.

"Open source software often have quick patches because more companies work off of them," Gauder said. "But people who have access to source code can still find things. Response time can be faster than proprietary software. Make sure software is up to date."

Because of that, he recommended monthly or quarterly updates to software.

3. Know who you need to tell


Reporting requirements vary by industry. In a regulated industry like banking and finance, reporting requirements are set by federal law, Johnson said. For general businesses with no reporting requirements, the first thing is to determine the extent of the breach and what was accessed.

Businesses are hesitant to report to legal authorities, but "it gives you credibility that you reported something to authorities right away, and they can take the efforts they need."

Law enforcement experts encourage businesses to report details, but businesses can be hesitant to do so. If safeguards are in place, you preserve your standing with clients by letting them know you reported the details right away.

Companies have had mixed reactions to breaches. Retailers like P.F. Chang's and Michael's gave the public specifics about potential data breaches, while others did not.

Johnson said it's ultimately a PR decision whether or not to make a breach public. But not doing so can risk your reputation. You should report to your clients right away and let them know the details.

"The more detail you give illustrates you are organized," Johnson said. "You're able to identify quickly what happened, who was affected, how entry was achieved, etc. If you don't have a plan in place it will take you three times as long."

4. The law will want to know how you responded


If a lawsuit happens, it is going to scrutinize what you knew about the breach and how you sought to prevent it.

The most high-profile breaches, including Home Depot, have led to costly lawsuits, Johnson said. What determines how damaging a breach is legally is whether you had tried to stop it.

"In the event there was a breach, and a lawsuit, what we have seen is the courts are saying ‘you did not act commercially reasonable. You did not consider the information you let employees have on these devices,'" Johnson said. "You have to assume a data breach will happen. How they use emails, how they send data over email, whether it is encrypted."

If the courts become involved, the big questions will be what you knew and when, and whether you acted reasonably.

When companies get sued, litigators make the case that they knew a data breach was a possibility and ignored it, and didn’t have policies and procedures to minimize attacks.

Cyber security insurance is becoming an industry standard. Companies are writing cyber security policies, Johnson said, adding it could soon be considered a standard of care.


Is the Collective Will Present for a Concerted Push on Cybersecurity?


It was a privilege and a pleasure to moderate the panel “Healthcare Cyber Security Solutions: Concepts and Trends,” at the Denver CHIME Lead Forum on Monday, July 20. The panel I moderated was part of a daylong event held at the Sheraton Downtown Denver, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under the corporate umbrella of our parent company, the Vendome Group LLC).


I was joined on the panel by Mike Archuleta, director of IT at Mt. San Rafael (Colo.) Hospital; Guy Turner, chief data security officer at Sutter Healthcare (San Francisco); Francisco C. Dominicci, R.N., CIO and director of health IT for the Colorado Springs (Colo.) Military Health System; Ryan Witt, vice president, healthcare industry practice, at Fortinet (Sunnyvale, Calif.); and Steve Shihadeh, senior vice president at the Seattle-based Caradigm.


Our panel’s discussion covered a very wide range of topics under the cybersecurity umbrella, including why that term itself is becoming more used these days.


Numerous statements by panelists struck me as particularly worth recounting. Among them was Turner's strong urging that attendees adopt behavioral pattern recognition solutions, as Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, had recommended earlier in the day. Turner stressed, as McMillan had, that "You have to invest in tools for pattern recognition for anomalous behavior." Not doing so essentially leaves one's entire clinical information system open to hackers once they have penetrated the outer defenses of the system.
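Turner's "pattern recognition for anomalous behavior" and the "monitor employee compliance" advice in the Employee Dishonesty section earlier on this page come down to the same thing in practice: mining the EHR access audit trail for chart opens that do not fit the user's job or history. The following is an added example, not code from the panel, the original article or any vendor named on the page: a Python script that runs three checks over a constructed audit log with invented users, patients and times. It flags chart opens by a department with no treatment relationship to the patient (the care-team table and the billing exemption are assumptions), days on which a user opened far more charts than their own median day, and opens outside working hours.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed EHR audit trail (invented users, patients and times):
# timestamp, user, department, patient id, action.
AUDIT_LOG = """\
2015-07-13T09:02:11,nurse.kim,oncology,P1001,view
2015-07-13T09:40:05,nurse.kim,oncology,P1002,view
2015-07-14T10:12:44,nurse.kim,oncology,P1003,view
2015-07-14T11:30:00,nurse.kim,oncology,P1004,view
2015-07-15T08:55:19,nurse.kim,oncology,P1005,view
2015-07-15T09:10:33,nurse.kim,oncology,P1006,view
2015-07-16T09:00:00,nurse.kim,oncology,P1007,view
2015-07-16T09:01:00,nurse.kim,oncology,P1008,view
2015-07-16T09:02:00,nurse.kim,oncology,P1009,view
2015-07-16T09:03:00,nurse.kim,oncology,P2001,view
2015-07-16T09:04:00,nurse.kim,oncology,P2002,view
2015-07-16T09:05:00,nurse.kim,oncology,P2003,view
2015-07-16T09:06:00,nurse.kim,oncology,P2004,view
2015-07-16T09:07:00,nurse.kim,oncology,P2005,view
2015-07-16T23:40:00,nurse.kim,oncology,P2006,view
2015-07-13T14:00:00,clerk.ray,billing,P1001,view
2015-07-14T14:05:00,clerk.ray,billing,P1002,view
2015-07-15T14:10:00,clerk.ray,billing,P1003,view
2015-07-16T14:15:00,clerk.ray,billing,P1004,view
"""

# Constructed care-relationship table (assumption): the departments with a
# treatment reason to open each chart. P1xxx are oncology patients, P2xxx
# cardiology patients.
CARE_TEAM = {f"P{1000 + i}": {"oncology"} for i in range(1, 10)}
CARE_TEAM.update({f"P{2000 + i}": {"cardiology"} for i in range(1, 7)})
# Departments with a business reason to open any chart (assumption).
ALWAYS_ALLOWED = {"billing"}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV-style audit excerpt into event dicts with datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "patient": patient, "action": action})
    return events


def no_relationship(events) -> list[tuple[str, str]]:
    """Chart opens by a department with no treatment or business reason."""
    return [(e["user"], e["patient"]) for e in events
            if e["dept"] not in ALWAYS_ALLOWED
            and e["dept"] not in CARE_TEAM.get(e["patient"], set())]


def volume_spikes(events, min_events=5, factor=3.0):
    """Days on which a user opened far more charts than their own baseline.

    The baseline is the median of that user's other days (so a busy day
    cannot hide itself), floored at 1; a day must reach min_events before
    it can be flagged, which keeps quiet users from tripping on noise.
    """
    per_day: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_day[e["user"]][e["ts"].date().isoformat()] += 1
    flagged = []
    for user, days in per_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if not others or count < min_events:
                continue
            baseline = max(1, median(others))
            if count > factor * baseline:
                flagged.append((user, day, count, baseline))
    return flagged


def after_hours(events, start_hour=7, end_hour=19):
    """Chart opens outside the assumed working hours [start_hour, end_hour)."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    ev = parse_log(AUDIT_LOG)
    print("no care relationship:", no_relationship(ev))
    print("volume spikes:", volume_spikes(ev))
    print("after hours:", after_hours(ev))
```

Each check returns a list, so the three can be joined by user to build a triage queue; a user who trips all three on the same day, as nurse.kim does in the sample, is the case to hand to the privacy officer first. The baseline is per-user rather than per-role on purpose: a nurse on a busy ward legitimately opens more charts than a clerk, and comparing against the user's own history keeps that from generating noise.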

Importantly, all the panelists agreed that investing in cybersecurity solutions and measures really is exactly that: a form of investment. It can't be seen purely as a "cost" or set of costs, as can many purchases, given the risks facing patient care organizations these days.


As for the term “cybersecurity,” there was general consensus around the idea that there is some logic to that term in some cases now eclipsing the terms “data security” and “IT security” in industry usage, since so many of the security issues facing patient care organizations really are online and electronic in nature.


Among the important statements made during the discussion was this one by Dominicci: "Providers need to hold vendors accountable," he stressed, noting that there is an intensifying need on the part of healthcare IT leaders to be able to hold vendors accountable for their ability to help ensure the security of information systems, in a more thorough way than was ever needed until recently.


How will the accelerating consolidation of patient care organizations through mergers and acquisitions affect the broader dynamics around investing in cybersecurity? Shihadeh said that with consolidation proceeding apace, this is a good time for investment in cybersecurity tools and processes. "There is a good opportunity now to invest," he said, "because of the bigger patient care organizations involved. Large integrated delivery networks are being created, and those larger organizations will have the capital to be able to fund these initiatives" in beefing up cybersecurity/IT security, in his view.


Of course, there are people-based issues as well. What about a question from the audience around whether the leaders of patient care organizations should focus their efforts on grooming or recruiting individuals with healthcare industry-specific data security experience, versus bringing talented individuals in from other industries, and teaching them the ins and outs of healthcare IT security, versus IT security in other industries? Turner was very blunt in stating his perspective: “It’s easier to teach someone the healthcare business than it is to teach someone with a healthcare background all the technical aspects of IT security,” he said. “I would very willingly seek people outside healthcare,” he opined, as patient care organizations are finding themselves trying to fill such important positions as chief information security officer (CISO) in an environment in which the number of potential candidates is dwarfed by the need for qualified individuals these days.


And what of the next couple to few years in this whole arena? There was a broad consensus on the panel that things will get worse before they get better, across a range of issues in the IT/cybersecurity arena. The panelists agreed that the ongoing series of announced data breaches will inevitably intensify, growing in number and frequency, before a very broad collective consensus emerges in the U.S. healthcare industry around what to do about all of this, and industry leaders band together in very broad, concerted efforts.


It was very clear to me from this panel discussion with these industry leaders, that it will indeed require a huge, collective commitment, at a policy, industry, strategic, and business level, for the leaders of healthcare IT industry-wide, to move forward together to address the issues facing us. Several references were made to the recent disclosure on the part of the leaders of the UCLA Health System of a massive data breach there, which may have exposed 4.5 million people to being data-compromised; and the consensus on the panel was that such disclosures are being seen as “wake up calls”—in a patient care delivery setting, they might be referred to as “sentinel events”—that will eventually compel collective action, on the industry and policy levels.


It was also agreed that the headlong rush into accountable care organization development, population health management innovation, and health information exchange, all of which are extremely worthwhile, valuable areas of pursuit, will inevitably ratchet up the risks for patient care organizations around cybersecurity/IT security.


In short, the immediate future is one fraught with danger and challenge, everyone agreed. And yet one did not leave that session with a sense of despair, but rather with a sense of “let’s-roll-up-our-sleeves” commitment to action, at a time when there is no time to waste, and there are many, many tasks ahead—and that there is indeed both a collective intelligence, as well as a collective will, to move forward industry-wide in this incredibly crucial area for all the stakeholder groups in U.S. healthcare.


The Cloud is Good, But Know Where Data Go

A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable options and tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside of Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected non-compliance with HIPAA to OCR. The report focused upon use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement, but Dropbox is an example of an online storage site that does not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. Fast forward a year and SEMC then reported a breach regarding a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC failed to implement sufficient security measures required by HIPAA and SEMC did not timely identify or mitigate harmful effects from identified deficiencies.

As a result of the two reported incidents, SEMC is now paying $218,400 to OCR in settlement funds. The settlement continues the trend of not being able to accurately guess the amount of a fine that will be levied. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This statement potentially gives some insight, which can be interpreted to mean that entities with bigger pockets will be hit with larger fines because such entities can absorb larger fines.

The other consideration raised by the SEMC settlement is what to do about cloud based storage and sharing solutions. Should all such tools be locked away from use by healthcare organizations? This is not necessarily the answer because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare, and as such are more cognizant of applicable regulatory requirements. More general sites, such as Box, have noted HIPAA requirements and claim to meet required standards. As such, it is possible for organizations to utilize cloud based options.

However, it is not necessarily the choices of an organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or utilized the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps could be taken to alleviate concerns. One measure would be to block access to websites that could lead to a potential breach or other non-compliance. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can suggest compliant sites to be used instead.

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud based storage, especially on the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

UCLA Health Cyber-Attack Affects Millions


The FBI is investigating the latest in a string of major cyber-attacks in the healthcare sector. UCLA Health confirms that information on 4.5 million individuals may have been exposed when hackers breached its network in an attack that appears to have begun last September.


UCLA Health says in a July 17 statement that it appears that "criminal hackers" accessed parts of the organization's computer network that contain personal and medical information. "UCLA Health has no evidence at this time that the cyber-attacker actually accessed or acquired any individual's personal or medical information," the statement notes.


UCLA Health includes four hospitals on two campuses - Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more than 150 primary and specialty offices throughout Southern California.

Other Cyber-Attacks

The attack on UCLA Health is the latest of several massive hacker assaults on healthcare sector organizations in recent months. Most of the largest attacks so far this year have been on health insurers. Those include attacks against: Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.


The largest recent hacker attack against a provider organization was last August, when Community Health Systems reported a breach affecting 4.5 million individuals. "Forensic investigators have said that an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission last year.

FBI Investigating

UCLA Health is working with investigators from the FBI, and has hired private computer forensic experts to further secure information on network servers, its statement says.


"We take this attack on our systems extremely seriously," says James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System. "We have taken significant steps to further protect data and strengthen our network against another cyber-attack."


UCLA Health says it detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. "As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.

Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."


The organization says there is no evidence yet that the hackers actually accessed or acquired individuals' personal or medical information. But because the organization cannot conclusively rule out the possibility that the attackers may have accessed the information, UCLA Health is offering all potentially affected individuals 12 months of free identity theft recovery and restoration services as well as additional healthcare identity protection tools.


In addition, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of free credit monitoring.

Healthcare as a Target

Privacy and security attorney Kirk Nahra of the law firm Wiley Rein says this latest breach affecting UCLA Health is just another sign "that clearly, the healthcare sector is under cyber-attack."


"People can no longer say, 'this won't happen to me.' It will happen to you," he says. Organizations not only need to beef up their security controls, but they also need to be on the lookout for fraud that involves stolen IDs, he says. "If UCLA Health's patients' records are stolen, then other healthcare providers down the street should be watching out" for fraudsters using the compromised data to obtain medical services or to commit other fraud, he warns.


Privacy and security attorney Ron Raether of the law firm Faruki Ireland & Cox P.L.L. says healthcare organizations are following financial institutions, data aggregators and retailers in becoming prime targets for hackers in search of valuable data that can be used to commit fraud.


"Hackers look for the most data for the least effort. Hospitals have a lot of information both current and historical without any real limits," he says. "The character of the data is of high value - not just treatment and the usual identifiers but also payment information and family history and other data which could be used in security questions."

Hospitals need to learn from lessons of other business sectors and invest in sound data governance practices, he adds.


Hospital to pay $218,400 for HIPAA violations


St. Elizabeth's Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services' Office for Civil Rights.


In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to an announcement from OCR.


During its investigation, OCR found that the health center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." In addition, St. Elizabeth's in 2014 submitted notification to OCR that a laptop and USB drive had been breached, putting unsecured protected health information for 595 consumers at risk.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.


Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.


While Phase II of the federal HIPAA audit program remains "under development," Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.


Potential HIPAA Violations Found in LA County DPH Audit


An IT security audit at the L.A. County Department of Public Health (DPH) revealed potential HIPAA violations and identified several areas of improvement for DPH.


There need to be better system access controls, IT equipment control, and computer encryption, according to a report by the County of Los Angeles Department of Auditor-Controller. The review included testing system access to five systems DPH identified as mission critical, including systems containing sensitive health information. Physical security over IT equipment was also reviewed, along with computer encryption, antivirus software, equipment disposition, and IT security awareness training.


“DPH needs to restrict unneeded access to sensitive/confidential information in their systems, and determine whether unneeded access resulted in a HIPAA/HITECH violation,” the report stated.


In terms of inappropriate systems access, the Auditor-Controller explained that DPH did not remove systems access for 13 users after they were terminated from DPH employment. One of those employee accounts was used for three years after they were terminated to view PHI and to order laboratory tests for approximately 100 DPH clients, according to the report.


DPH’s attached response indicated they determined that a current employee used the terminated employee’s account in performing her job duties. The current employee failed to obtain her own system account, which violated County policy. However, she was authorized to view PHI and no reportable HIPAA/HITECH violation occurred. DPH indicates it has reminded IT managers to promptly remove terminated employee access. DPH is also developing a procedure to notify managers of personnel changes so they can immediately update systems access.


Device encryption is another area that needs improvement, according to the audit report. DPH needs to ensure that portable computers are encrypted because it is a Board Policy requirement. However, DPH did not have encryption documentation for 18 percent of its 1,773 portable computers. DPH also did not have sufficiently detailed documentation, the report found, as the remaining items’ tag or serial numbers could not be matched to any of the computers in inventory.


“DPH’s response indicates they will recall all portable computers to validate and document that each device is encrypted,” the audit stated. “DPH also worked with the Chief Information Office to acquire software that will allow them to monitor the encryption status of all portable and desktop computers.”


One aspect of the audit that was especially disturbing is that DPH reportedly is lacking in its computer incident response. Specifically, the report stated that DPH managers/staff failed to report 131 missing or stolen IT equipment items to the Department’s Information Security Office (DISO) between 2011 and 2013.


Not only is this another Board Policy requirement, but the oversight did not allow DISO to assess the impact of any of the data or software loss. Furthermore, DISO could not make required notifications to the Chief Information Office, the Auditor-Controller HIPAA Privacy Officer or the Auditor-Controller Office of County Investigations.


DPH’s response indicates they have reminded all employees to immediately report missing or stolen IT resources to their supervisor. DPH management also told us that subsequent to our review, they investigated and accounted for 100 (76%) of the 131 missing IT equipment items. Of the 31 that remain unaccounted for, DPH indicated that three could have contained PHI, but DPH indicated they believe the risk of a breach is low.


Following this audit, and a less than ideal audit at the L.A. County Probation Department, Supervisor Mark Ridley-Thomas requested that county staff report back on how feasible it would be to conduct annual IT and security review audits on all county departments. The Board of Supervisors unanimously approved the request, according to The Los Angeles Daily News.


“We want to foster accountability and transparency in the county, that’s the move we’re making,” Ridley-Thomas told the news source. “Our security, quality, safeguards and monitoring efforts need to keep up. We need to improve what we’re doing ... We need to step up our game.”


Bill That Changes HIPAA Passes House


The U.S. House of Representatives on July 10 passed a bill aimed at accelerating the advancement of medical innovation that contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.


The House approved the 21st Century Cures bill by a vote of 344 to 77. Among the 309-page bill's many provisions is a proposal that the Secretary of Health and Human Services "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under HIPAA, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed legislation is eventually signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data.


That provision - as well as many others in the bill - aims to help fuel more speedy research and development of promising medical treatments and devices.


"The act says ... if you're sharing [patient PHI] with a covered entity [or a BA], you don't necessarily need the individual's consent prior to sharing - and that's something our members have been receptive to," notes Leslie Krigstein, interim vice president of public policy at the College of Healthcare Information Management Executives, an organization that represents 1,600 CIOs and CISOs.


"The complexity of consent has been a barrier [to health information sharing] ... and the language [contained in the bill] will hopefully move the conversation forward," she says.


Some privacy advocates, however, have opposed the bill's HIPAA-altering provision.


Allowing the use of PHI by researchers without individuals' consent or knowledge only makes the privacy and security of that data less certain, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group.


"Researchers and all those that take our data magnify the risks of data breach, data theft, data sale and harms," she says. "Researchers are simply more weak links in the U.S. healthcare system which already has 100s of millions of weak links."

Changes Ahead?

If the legislation is signed into law in its current form, healthcare entities and business associates would need to change their policies related to how they handle PHI.


"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

Other Provisions

In addition to the privacy provisions, the bill also calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange.


The bill calls for HHS to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.


In addition, the bill also contains provisions for "patient empowerment," allowing individuals to have the right to "the entirety" of their health information, including data contained in an EHR, whether structured or unstructured. An example of unstructured data might include physician notes, for instance, although that is not specifically named in the legislation.


"Healthcare providers should not have the ability to deny a patient's request for access to the entirety of such health information," the bill says.


A House source tells Information Security Media Group that the Senate has been working on an "Innovation Agenda" for the past few months calling for policies similar to those contained in the 21st Century Cures bill. House leaders say it's their goal to have a bill sent to the president's desk by the end of the year, the source says.


State AGs clash with Congress over data breach laws


Attorneys general from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard.

“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” they wrote in a letter sent to congressional leaders on Tuesday.

Lawmakers have been weighing a number of measures that would create nationwide guidelines for notifying customers in the wake of a hack that exposes sensitive information. Industry groups have argued that complying with the patchwork set of rules in each state is burdensome and costly.


The rapidly rising number of breaches at retailers, banks and government agencies has only raised pressure on Congress to pass legislation.

While the concept of a federal standard has bipartisan appeal, the two parties have split over whether to totally preempt state laws.

Democrats fear a nationwide rubric that preempts state law could weaken standards in states that have moved aggressively on data breach laws. Republicans fear that an overly strict federal standard could empower overzealous government regulators.

Lawmakers also disagree on what type of breaches should trigger a notification.

The differing views have spawned a cavalcade of bills on Capitol Hill, many of which would preempt state laws.

“Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” said Virginia Attorney General William Sorrell, who oversees a law that requires companies to notify officials within 14 days of discovering a breach, in a statement. “A federal law is desirable, but only if it maintains the strong consumer protection provisions in place in many states.”

Many state attorneys general, including Sorrell, favor a Senate data breach offering from Sen. Patrick Leahy (D-Vt.) and co-sponsored by five other Democrats.

Notably the bill does not preempt state laws that are stricter than the standard delineated in Leahy’s bill.

It also provides a broad definition of what type of information would constitute a notification-worthy breach. It includes photos and videos in addition to more traditional sensitive data such as Social Security numbers or financial account information.

But most important for states is retaining their ability to set their own standards.

“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection,” the letter said. “As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy.”


Data Breaches on Record Pace for 2015


Data breaches in 2015 are on pace to break records both in the number of breaches and records exposed, the San Diego-based Identity Theft Resource Center said.


In 2014, the number of U.S. data breaches tracked by ITRC hit a record high of 783, with 85,611,528 confirmed records exposed.

So far this year, as of June 30, the number of breaches captured on the ITRC report totaled 400 data incidents, one more than on June 30, 2014. Additionally, 117,576,693 records had been confirmed to be at risk.


That is significant given the finding of the IBM Cost of Data Breach Study conducted by Ponemon Institute, which reported that the cost incurred for each lost or stolen record containing sensitive information averaged $154.

ITRC reported a significant jump of about 85% in the number of breaches in the banking sector over the same period last year. The biggest credit union breach so far this year took place at the $308 million Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its entire 46,000 membership in early March that one of its laptops containing personal information, including Social Security numbers, was missing.


Affected institutions are encouraged to participate in public comment on the assessment tool.


Year-to-date, the five industry sectors broken down by ITRC based on the percentage of breaches were business with 40.3%, medical/healthcare at 34.8%, banking/credit/financial representing 10%, educational with 7.8% and government/military reporting 7.3%.

Based on the number of confirmed records, the medical/healthcare sector reported 100,926,229 records breached, government/military reported 15,391,057, educational had 724,318, banking/credit/financial reported 408,377 and business had 126,712.


The ITRC 2015 Breach Report was compiled using data breaches confirmed by various media sources and/or notification lists from state governmental agencies.


Some breaches were not included in the report because they do not yet have reported statistics or remain unconfirmed, the firm said. 


Data Breaches Expose Nearly 140 Million Records


The latest report from the Identity Theft Resource Center (ITRC) reveals that there has been a total of 472 data breaches recorded through August 11, 2015, and more than 139 million records have been exposed. The annual total includes 21.5 million records exposed in the attack on the U.S. Office of Personnel Management in June and 78.8 million health care customer records exposed at Anthem in February.

A June report by cybersecurity firm Trustwave said that of the 574 hacking incidents and data breaches the company was asked to investigate in 2014, 43% came in the retail industry, 13% came from the food and beverage industry and 12% from the hospitality industry. More striking, perhaps: 81% of victims did not discover on their own that they had been hacked. In cases where a company discovers the attack on its own, it takes about two weeks to stop it. When companies do not run their own security programs, it takes more than five months to contain the breach.


E-commerce sites were compromised in 42% of attacks and point-of-sales systems were hit in 40%. The totals were up 7% and 13%, respectively, from 2013.


The total number of data breaches increased by six in the week, according to the ITRC. The business sector accounts for about 645,000 exposed records in 184 incidents so far in 2015. That represents 39% of the incidents, but just 0.5% of the exposed records.


The medical/health care sector posted the second-largest percentage of the total breaches so far this year, 35.6% (168) out of the total of 472. The number of records exposed in these breaches totaled 109.5 million, or 78.6% of the total so far in 2015.


The number of banking/credit/financial breaches totals 45 for the year to date and involves more than 411,000 records, some 9.7% of the total number of breaches and 0.3% of the records exposed. These numbers are unchanged from the prior week.


The government/military sector has suffered 36 data breaches so far this year, just 7.7% of the total, but about 20% of the total number of records exposed. These numbers were also unchanged from the prior week.


The educational sector has seen 39 data breaches in 2015, accounting for 8.3% of all breaches for the year. Nearly 740,000 records have been exposed, about 0.5% of the total so far in 2015.

In all of 2014, ITRC tracked an annual record number of 783 data breaches, up 27.5% year over year. The previous high was 662 breaches in 2010. Since beginning to track data breaches in 2005, ITRC had counted 5,497 breaches through August 11, 2015, involving more than 818 million records. Compared with 2014, the number of data breaches is about 2.3% lower to date in 2015.


How Do HIPAA Regulations Affect Judicial Proceedings?


HIPAA regulations are designed to keep healthcare organizations compliant, ensuring that sensitive data - such as patient PHI - stays secure. Should a healthcare data breach occur, covered entities or their business associates will be held accountable, and will likely need to make adjustments to their data security approach to prevent the same type of incident from happening again.


However, there are often questions and concerns in how HIPAA regulations tie into certain judicial or administrative proceedings. For example, if there is a subpoena or search warrant issued to a hospital, is that organization obligated to supply the information? What if the information being sought qualifies as PHI? Can covered entities be held accountable if they release certain information, and then that data falls into unauthorized individuals’ control?


This week, HealthITSecurity.com will break down how judicial proceedings, and other types of legal action, could potentially be impacted by HIPAA regulations. We will discuss how PHI could possibly be disclosed, and review cases where search warrants and similar issues were affected by HIPAA.


What does HIPAA say about searches and legal inquiries?

The HIPAA Privacy Rule states that there are several permitted uses and disclosures of PHI. This does not mean that covered entities are required to disclose PHI without an individual’s permission, but healthcare organizations are permitted to do so under certain circumstances.


“Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make,” the Privacy Rule explains.


The six examples of permitted uses and disclosures are the following:

  • To the Individual (unless required for access or accounting of disclosures)
  • Treatment, Payment, and Health Care Operations
  • Opportunity to Agree or Object
  • Incident to an otherwise permitted use and disclosure
  • Public Interest and Benefit Activities
  • Limited Data Set for the purposes of research, public health or health care operations.


Under the public interest and benefit activities, the Privacy Rule dictates that there are “important uses made of health information outside of the healthcare context.” Moreover, a balance must be found between individual privacy and the interest of the public.

There are several examples that relate to disclosing PHI due to types of legal action:


  • Required by law
  • Judicial and administrative proceedings
  • Law enforcement purposes


Covered entities and their business associates are permitted to disclose PHI as required by statute, regulation or court orders.

“Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided,” according to the HHS website.


For “law enforcement purposes,” HIPAA regulations state that PHI can also be disclosed to help identify or locate a suspect, fugitive, material witness, or missing person. Law enforcement can also make requests for information if they are trying to learn more about a victim - or suspected victim. Another important aspect to understand is that a covered entity can disclose sensitive information if it believes that PHI is evidence of a crime that took place on the premises. Even if the organization does not think that a crime took place on its property, HIPAA regulations state that PHI can be disclosed “when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.”


Essentially, covered entities and business associates must use their own judgment when determining whether a situation warrants releasing PHI without an individual’s knowledge. For example, if local law enforcement wants more information from a hospital about a former patient whom they believe is dangerous, it is up to the hospital to weigh the options of releasing the information.

How have HIPAA regulations affected court rulings?

There have been several court rulings in the last year discussing HIPAA regulations and how covered entities are allowed to release PHI.


Connecticut: The Connecticut Supreme Court ruled in November 2014 that patients can sue a medical office for HIPAA negligence if it violates regulations that dictate how healthcare organizations must maintain patient confidentiality. In that case, a patient found out that she was pregnant in 2004 and asked her medical facility not to release the medical information to the child’s father. However, the organization released the patient’s information when it received a subpoena. The case claimed that the medical office was negligent in releasing the information, and that the child’s father used the information for “a campaign of harm, ridicule, embarrassment and extortion” against the patient.


Florida: Just one month earlier, a Florida federal appeals court ruled that it is not a HIPAA violation for physician defendants to have equal access to plaintiffs’ health information. In this case, a patient sued his doctor for medical negligence. Florida law states that the plaintiff must provide a health history, including copies of all medical records the plaintiff’s experts relied upon in forming their opinions and an “executed authorization form” permitting the release of medical information. However, the plaintiff claimed the move would violate his privacy. The appeals court ruled that two instances applied in this case where HIPAA regulations state that covered entities are permitted to release PHI.


As demonstrated in these two court cases, it is not always easy for covered entities to necessarily determine on their own when they are compromising patient privacy and when they are adhering to a court order. However, by seeking appropriate counsel, healthcare organizations can work on finding a solution that meets the needs of all parties involved.


Pentagon Data Breach Shows Growing Sophistication Of Phishing Attacks


U.S. officials confirmed this week that the Pentagon was hit by a spearphishing cyberattack last month, most likely from Russian hackers, which compromised an unclassified email system.


The attack compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff, a U.S. official confirmed to NBC News. Officials said no classified information was taken, but didn't specify in the report how much or what kind of non-classified information was involved.


The attack occurred around July 25 and used what officials called a "sophisticated cyberattack." The suspected Russian hackers, which may or may not be connected with the Russian government, used automated social engineering tactics to gain information from employee social media accounts and then used that information to conduct a spearphishing attack, according to CNN, which first reported the attack.


The news of the breach comes on the heels of the massive Office of Personnel Management (OPM) breach that occurred earlier this year, compromising the personal information of more than 21.5 million federal employees and contractors. While this latest breach was significantly smaller in number of records compromised, it speaks to the growing sophistication of phishing attacks as an entrance to move laterally across the network, Unisys Vice President of Security Solutions Tom Patterson said.


"Phishing attacks like this one aimed at the Pentagon’s joint staff are not new. What makes them more effective is the amount of advance knowledge the attackers have in order to trick the recipient into clicking on the link," Patterson said. "With so much personal information now in the wild, attackers are able to create a ‘pattern of life’ on targets which makes phishing attacks such as this one aimed at the Pentagon’s joint staff much more effective."


Patterson said the sophistication in this attack was not the phishing itself, which is fairly common, but in the hacker's "clever exfiltration of data."


"The days of the typo-ridden silly emails are long gone. Today’s phishing attack looks as real as an authentic message, and are only going to get better," Patterson said.


While it is important for a business to focus on phishing prevention through user education, Patterson said it is becoming clear that enterprises need to put more emphasis on mitigation once the hacker enters the network, as the "standard pattern of attack" is to gain access through phishing, then escalate privileges and spread laterally. One way to do that, he said, is employing micro-segmentation of data, which divides the data center into smaller zones for easier security enforcement.


"Enterprises in both government and private sector have begun to shift their defenses inward, understanding that it only takes one of these types of phishing attacks to be successful," Patterson said. "With this new drive toward mitigation, enterprises can use micro-segmentation to survive and manage these inevitable types of attacks."


Mega-Mergers: The Security, Privacy Concerns


Mergers and acquisitions, such as two pending mega-deals in the health insurance sector, pose security and privacy risks that need to be addressed before the transactions are completed, during the integration process and over the long haul.


In recent weeks, Anthem Inc. announced plans to buy rival Cigna for $48 billion, and Aetna unveiled a proposed $37 billion purchase of Humana.


"I can't speak specifically to these mergers, but in general they share the same challenges as others going through M&As," says Mac McMillan, CEO of the security consulting firm CynergisTek. Interoperability of systems, consolidation or merging of databases, differing architectures, disparate platforms, consolidation of accounts and accesses, and conversion of users are among the potential hurdles these companies face, he notes.


"For organizations this large, there is nothing trivial about integrating their networks, systems or controls," McMillan says. "The biggest issues are always disparate systems, controls and interoperability and the privacy and security issues those challenges can create."


When it comes to mergers, privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group notes, "I'm most worried about companies not doing enough diligence about security when these acquisitions are being considered. ... It's becoming increasingly complex to integrate two companies IT infrastructures, and those transitions create new vulnerabilities."


Concerning Anthem's proposed purchase of Cigna, Wu says Anthem's recent hacker attack, which affected nearly 80 million individuals, "shouldn't be downplayed, but I'd be more concerned about Cigna and whether that company also potentially had a breach that perhaps hasn't been discovered yet."


Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP notes that the transition period after two companies merge presents new risks. "Because of the tremendous concerns about data security and cybersecurity breaches, integration of overall security is a particular challenge," he says. "It is easier to attack a hybrid, half-integrated company than two separate companies."


Anthem's proposed acquisition of Cigna comes "at a time where Anthem is under a lot of pressure with respect to its information security, [and] the acquisition of another large insurer represents a lot more to add to its plate," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"It will need to integrate its information security processes into a host of new systems, with each new, potentially unfamiliar system bringing new risks if not properly integrated," he says.

Critical Decisions

When mergers and acquisitions are completed, a big challenge is picking and choosing whose information security program will dominate after the transaction is completed.


"Often times, the information security program of the larger entity takes over the smaller," Greene notes. "In good situations, each entity learns from the other and the overall information security is improved, after a painful integration process. But sometimes the reverse happens, and good information security practices are abandoned because they are not practiced by the larger entity."


McMillan says merging organizations should "take an inventory of which set of controls, processes, technologies, etc. are either the most mature or the best overall." Then they can consider merging the programs, "the same way they merge organizations - capitalizing on the best of both."


While that best-of-breed-themed approach might work well in some mergers and acquisitions, typically things don't end up going that smoothly, Nahra contends.


"There are two kinds of challenges - inconsistencies in practices, either involving data security or privacy, and then operational implications of these inconsistencies, where one of the entities tries to apply its process or practices to the differing practices or operations of the other," Nahra says. "These challenges are exacerbated when there hasn't been a lot of due diligence on privacy/data security issues."

Access Control

One issue that's frequently overlooked during the blending of the IT networks of merging companies is access control, says Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services.


When an organization is undergoing a merger, some employees typically lose their jobs because their role duplicates another's role, Herold says. "But the company keeps them on for a certain amount of time because they are training another person or finishing up on a project," she says. "However, during this time, I've seen disgruntled insiders who have access to information or administrative controls and have tried to sabotage the company that fired them."


Often executives don't have insight into all the risks that are involved with blending computer networks, says Herold, who's served as an adviser to merged organizations.


"They want to join or connect the networks in some way, but there are huge risks. When you start connecting one huge network with another one, and start sharing data without proper planning, there are new vulnerabilities and risks that emerge," she says.


If the companies involved in the latest wave of healthcare sector mergers and acquisitions get the regulatory and shareholder approval needed to complete their transactions, they need to keep a few security tips in mind, McMillan says.


"The biggest tip is common sense: Don't undo anything that is currently in place to ensure continuity until what's new is in place and backed up," he says.


Healthcare Hacker Attacks: The Impact


The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.


Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.

The sophistication of cyber-attackers is making defending against threats in the healthcare sector more challenging, says John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston.


"Five years ago, external attacks on healthcare were most often from single actors or curious students. Today they are from organized crime, state-sponsored cyberterrorism and hacktivism," he says.

Healthcare is becoming a bigger target for hackers and other cybercriminals for three main reasons, Halamka contends. "One, healthcare has traditionally under-invested in IT compared to other industries, leaving it more vulnerable. Two, healthcare tends to aggregate a large amount of personally identified information in one place, making it easy to breach a large number of records in a single attack. Three, medical identity theft - fraudulently receiving healthcare services - can be more profitable than financial identity theft."

Insufficient Efforts

Even some well-meaning healthcare organizations are also realizing that the diligent efforts they've been putting into information security aren't enough, notes privacy and security attorney Kirk Nahra, a partner at the law firm Wiley Rein.


"Many healthcare industry organizations thought they had pretty good information security. But these attacks have been eye-opening to many companies, that 'we really need to beef up' in terms of protection against these external risks," he says.


Christopher Paidhrin, who recently became information security manager for the city of Portland, Ore., after 15 years as an information security leader at West Coast healthcare provider PeaceHealth, offers a similar assessment. "If CISOs are not now assessing their cybersecurity posture - and exposure - they soon will," he says.

"The scope of vulnerabilities is increasing, and the 'defensive' security program model is failing to meet the challenge of the threats," he says. "Surveys over the past few years indicate that more than 90 percent of organizations sampled have already been hacked. That is a startling number that requires a national emergency-level response."


The attacks on the healthcare sector will only worsen, Paidhrin predicts. "Cybercriminals are motivated by money, easy money. Healthcare offers one of the greatest return on investment efforts with the lowest level of detection and risk. Medical information is data rich, and durable. Credit card data lasts for a month or two, before a bank disables an account. Health information is much more durable, with much of it unchangeable for the life of the affected individual."

UCLA Health Breach

In the latest headline-grabbing hack attack in the healthcare sector, UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been impacted by a cyber-attack that is thought to have begun last September and is "believed to be the work of criminal hackers." UCLA Health says it is working with FBI investigators and has also hired private computer forensic experts to further secure information on network servers.


"In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack," the organization said. "UCLA Health identifies and blocks millions of known hacker attempts each year."


As for who was responsible for the UCLA Health breach, and how the hackers gained access to the systems, "the cyber-attack on UCLA Health is still under investigation, we are unable to discuss particulars or provide further information regarding the attack," a spokesman for UCLA Health tells Information Security Media Group.


With the exception of UCLA Health, most of the largest hacker attacks so far this year targeted insurers, including Anthem Inc., which was hit by a breach affecting nearly 80 million individuals; Premera Blue Cross; and CareFirst Blue Cross Blue Shield.

Will Spending More Help?

Some observers say all the recent headlines about hacker attacks could make it easier for CISOs and CIOs to win support from senior leaders for funding to ramp up information security efforts. But will increased spending make a difference?


"The argument for funding will be easier, because the frequency and size of healthcare sector attacks provide CISOs with mounting evidence to justify increased funding, but it will not guarantee action," Paidhrin says. "Funding generally occurs when the 'what, specifically, can be done?' question can be answered with a price tag less than the perceived cost of assuming the risk. ...Healthcare is struggling, as are all other sectors, to find affordable and effective technologies, skilled cybersecurity personnel and process maturity."


But technology investments won't necessarily stop hackers who rely on social engineering to scam users into providing their network credentials through phishing attacks. "Although spending increases on healthcare IT and cybersecurity will help, the most effective risk mitigator is education," Halamka says. "We are as vulnerable as our most gullible authorized user."


Paidhrin sees a "disturbing trend" toward advanced persistent threats and social engineering, which both largely bypass network perimeter defenses. "APTs are stealthy, very effective at exploiting under-the-radar vulnerabilities that do not trigger the alert thresholds of many security systems," he notes. "Social engineering, basically tricking an authorized user to assist an attacker into an action that exploits a vulnerability, is much simpler than a frontal assault on a network. Why break a lock when you can ask for the keys, and get them?"

Wake-Up Call

The most significant impact the recent hacker attacks will have on the healthcare sector is "information security will need to be considered as an integral part of the security and operations processes of healthcare organizations," says Mitch Parker, CISO of Temple University Health System. "They will need to become more proactive and consider risk as equally as utility."


The hacker attacks should serve as a wake-up call for some organizations that have skimped on their information security risk management practices. "Organizations are supposed to re-assess their information security programs, processes, and technologies on a regular basis to continually improve," Parker says. "That is the purpose of risk management. Incidents such as these should be used to evaluate your organization's current practices and make changes or improvements beneficial to your organization."


Paidhrin says many organizations need to take four "not-so-easy steps" to bolster their security. Those include:


  • Two-factor authentication. "Weak passwords, seldom if ever changed, are the bane of information security. Requiring a token, something other than a username and password - both things you know - is the cheapest big step up the security ladder," he says.
  • Data segmentation. "Valuable, sensitive information needs to be segmented from general user access, not all accessible from one network or one level of user account."
  • Proactive monitoring for unauthorized use. "When 90 percent or more of organizations are potentially compromised, real-time detection of threat actors is essential."
  • Rapid response. "The meme of today is 'It's not if, but when we will be breached.' If an organization cannot respond to an attack and penetration, with effective countermeasures, all of the other information security measures, funding, planning and effort will be undone."


Organizations in all sectors, not just healthcare, need to up their game, says Nahra, the attorney. "It's a real challenge. The healthcare sector isn't alone in terms of facing weaknesses and threats."


Three Steps to Preventing Data Breaches in Your Practice


Every few weeks, there’s a headline about a healthcare organization that’s been victimized by a hacker or a disgruntled employee. What is your practice doing to protect its data against theft? It can be a balancing act for physician practices that want to provide access to patient information in the EHR and elsewhere, while preventing data breaches. Here are a few steps that can help practices avoid those unfortunate headlines:


Know where your data is


First, you have to know where your data is, said Jim Kelton, managing principal at Costa Mesa, Calif.-based Altius Information Technologies. If you don’t know where your data is transmitted or where it’s stored, you can’t provide the layers of protection that are needed.


"You have to know where [your data is] transmitted and where it’s stored," he said. Part of this exercise includes determining the practice’s EHR and other clinical information systems, and whether that software is hosted in the cloud. It can also be as mundane as making sure that printed e-mails from patients aren’t sitting around the office.


"There are 18 forms of protected health information; even an e-mail address can identify someone and needs to be protected," he said.


Know what assets provide access to your data


Once this is done, you need to determine the assets that provide access to the practice’s data. This could be in the doctor’s office, within computer systems, on a server, or in the EHR and other clinical applications themselves. There are often multiple threats to consider, said Kelton. For example, the threat with a laptop is it’s portable and it’s vulnerable because it contains protected patient information.


Having a BYODT – or Bring Your Own Device and Technology – policy is very important, he said. This requires surveying your staff and doing an inventory of the types of technology you’re using to run the practice. It’s during this step that you should determine whether your employees are using smart phones and tablets, cloud storage, flash drives, or external hard drives. It’s also important to keep in mind any data sharing with external contractors doing software development for the practice. "For smaller practices that outsource a lot of services, they need to make sure their business agreements [with vendors and consultants] are solid," said Kelton.


Identify threats to those assets and build in controls


Those threats could be physical, such as someone entering the practice and stealing a laptop. They could also mean your practice is the intended victim of hackers or viruses, which can infiltrate the EHR and other clinical systems. Some practices even need to be prepared for the actions of a disgruntled employee who sends your client list to their future employer, an action that puts your practice at risk, Kelton said.


Password protection for laptops is a pretty simple solution that works. Another measure to consider is encrypting the laptop’s hard drive. This means that a thief who takes the device won’t be able to access protected patient data in the EHR or other information about your practice, Kelton said.

HIPAA requires that each practice identify a security official to develop and implement security policies, implement procedures, and oversee and protect protected health information. According to Kelton, putting together a plan in advance is the most cost-effective way to ensure that data breaches don’t occur.


Cybersecurity: Things Are Getting Worse, But Need to Get Better


In his opening keynote address at the CHIME Lead Forum at iHT2-Denver, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2—a sister organization of Healthcare Informatics through our parent company, the Vendome Group LLC), being held at the Sheraton Downtown Denver, Mac McMillan laid out in the clearest possible terms for his audience of IT executives the growing cybersecurity dangers threatening patient care organizations these days.


Under the heading, “What Is Cyber Security and Why Is It Crucial to Your Organization?” McMillan, the CEO of the Austin, Tex.-based CynergisTek consulting firm, used his opening keynote address to challenge his audience to think strategically and proactively about the growing cyber-threats hitting patient care organizations across the U.S.

McMillan elaborated on what he sees as 11 key areas of concern going forward right now for healthcare IT leaders: “increased reliance”; “insider abuse”; “questionable supply chains”; “device-facilitated threats”; “malware”; “mobility”; “identity theft and fraud”; “theft and losses”; “hacking and cyber-criminality”; “challenges emerging out of intensified compliance demands”; and a shortage of chief information security officers, or CISOs.


In fact, McMillan said, cybersecurity threats are accelerating and intensifying, and are coming through such a broad range of threat vehicles—hacking by criminal organizations and foreign governments, penetration of information networks through deliberately compromised medical devices, and a crazed proliferation of all types of malware across the cyber universe—that the leaders of patient care organizations must take action, and take it now, he urged.


As for “increased reliance,” the reality, McMillan noted, is that “We live in a world today that is hyper-connected. When I left the government and came back into healthcare in 2000,” he noted, “probably the total number of people who looked at any patient record, was about 50, and all were hospital employees. Today, that average is more like 150, and half of those individuals are not hospital employees. And our systems are interconnected. Digitizing the patient record, under meaningful use, coincided with the rise in breaches. Not that any of that is bad,” he emphasized. “But it did become easier for bad people to do bad things; it also increased the number of mistakes that could be made. If I wanted to carry out paper medical records” in the paper-based world, he noted, “I was limited to the number I could put into a basket. Now, I can download thousands at a time onto a flash drive.”


With regard to “insider abuse,” McMillan made a big pitch for the use of behavior pattern recognition strategies and tools. “We have to actively monitor what’s going on,” he urged. “It doesn’t mean running random audits. You have to actively monitor activity, and you can’t do that manually, and we have to recognize that. Also, a lot of activity, particularly identity theft, is not captured by monitoring compliance rules, but rather, by capturing activity patterns. The fact that someone looks at information four times the frequency that their neighbor does—the fact that an individual is looking at four times as many records, is absolutely a flag. They’re either working four times as hard/fast, or are snooping, or are engaged in nefarious activities. But fewer than 10 percent of hospitals are actively monitoring behavior patterns.”
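To make the "four times as many records as their neighbor" pattern concrete, here is an added example (not code from the article or from CynergisTek) of a peer-baseline check over constructed EHR audit lines. The log format, the role-based peer grouping, the 4x ratio applied to a peer median, and the minimum peer-group size are all assumptions made for this illustration.

```python
"""Peer-baseline access-pattern check over constructed EHR audit log lines.

Added example: flags users who touched at least `ratio` times as many distinct
patient records as the median of their same-role peers. Log format, roles and
thresholds are assumptions for this illustration, not any vendor's format.
"""
from collections import defaultdict
from statistics import median


def _make_lines(user, role, mrns, day="2015-08-10"):
    """Build constructed audit lines: '<timestamp> <user> <role> <record id> <action>'."""
    return [f"{day}T09:{i % 60:02d}:00 {user} {role} MRN{m} VIEW" for i, m in enumerate(mrns)]


# Constructed sample data (not real patients or staff).
SAMPLE_LOG = "\n".join(
    _make_lines("jdoe", "nurse", range(1001, 1006))        # 5 distinct records
    + _make_lines("asmith", "nurse", range(1001, 1007))    # 6 distinct records
    + _make_lines("bjones", "nurse", range(1001, 1005))    # 4 distinct records
    + _make_lines("mlee", "nurse", range(1001, 1021))      # 20 distinct: 4x the peer median of 5
    + _make_lines("mlee", "nurse", [1001, 1002])           # repeat views of the same record do not add
    + _make_lines("rkim", "physician", range(1001, 1011))  # 10, but too few physician peers for a baseline
    + _make_lines("tnguyen", "physician", range(1001, 1004))
)


def parse_log(text):
    """Parse whitespace-separated audit lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, mrn, action = parts
        events.append({"ts": ts, "user": user, "role": role, "mrn": mrn, "action": action})
    return events


def distinct_records_per_user(events):
    """Count distinct patient records per user -> {user: (role, count)}."""
    seen = defaultdict(set)
    roles = {}
    for e in events:
        seen[e["user"]].add(e["mrn"])
        roles[e["user"]] = e["role"]
    return {u: (roles[u], len(s)) for u, s in seen.items()}


def flag_outliers(counts, ratio=4.0, min_peers=3):
    """Return (flagged, no_baseline).

    A user is flagged when their distinct-record count is >= ratio * median of
    the OTHER users in the same role, so one heavy user cannot inflate their own
    baseline. Roles with fewer than `min_peers` other users are reported in
    `no_baseline` instead of being silently passed: absence of a baseline is
    itself a monitoring gap worth surfacing.
    """
    by_role = defaultdict(list)
    for user, (role, n) in counts.items():
        by_role[role].append((user, n))
    flagged, no_baseline = [], []
    for role, members in by_role.items():
        for user, n in members:
            peers = [m for u, m in members if u != user]
            if len(peers) < min_peers:
                no_baseline.append(user)
                continue
            base = median(peers)
            if base > 0 and n >= ratio * base:
                flagged.append((user, role, n, base))
    return flagged, no_baseline


def run_check(text=SAMPLE_LOG, ratio=4.0, min_peers=3):
    """Parse, aggregate and score; returns (flagged, no_baseline) for review."""
    counts = distinct_records_per_user(parse_log(text))
    return flag_outliers(counts, ratio=ratio, min_peers=min_peers)


if __name__ == "__main__":
    flagged, no_baseline = run_check()
    for user, role, n, base in flagged:
        print(f"FLAG {user} ({role}): {n} distinct records vs peer median {base}")
    for user in no_baseline:
        print(f"NO BASELINE {user}: too few same-role peers to compare")
```

In production the window (per shift, per day) and the peer grouping (role, unit, clinic) matter as much as the ratio; a flag is a prompt for a human review of the access, not proof of snooping.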


McMillan was totally blunt when it came to discussing “questionable supply chains.” “I’ll just come out and say it: vendors are a threat,” he told his audience. “We’ve had cases where vendors have been hacked or have had incidents, and the vendor didn’t have a good procedure for restoration or what have you. We need to do a better job of vetting our vendors, of holding them to a higher standard for performance. And this industry needs to create a better baseline—basic requirements—if you connect to my network, this is how you have to connect, this is the basic level of encryption required, that kind of thing. This is about creating and adhering to minimal requirements, not creating a new framework,” he said. “We’ve already got a million frameworks out there.”


What about medical devices? The threats there are absolutely exploding, McMillan said. He noted that successful hacks have now been documented via such devices as insulin pumps and blood pumps, all of which are relatively recent, as most medical devices weren’t networkable until at least 2006.


Meanwhile, the malware explosion dwarfs just about all other issues, at least in terms of volume. At the beginning of last year, McMillan reported, there were 100 million instances of malware floating around; by the end of the year, there were 370 million. Importantly, he noted, “Malware is no longer produced by smart people in dark rooms writing code. It’s now being produced by bots morphing old malware. And this is putting more pressure on people in terms of the integrity of the environment.” He warned his audience that “The anti-virus products we have today are antiquated products. Less than half of the malware out there is recognized by anti-virus anymore; if you’re relying on antivirus, you’ve already lost the battle. In the next decade,” he predicted, “we’ll move from a speed of computing of 10 to the 8th power, to one of 10 to the 26th power—that’s how fast we’ll be computing. That’s phenomenal. So decisions will be made by computers so fast that any technology relying on signatures to be looked up, will be blown by. It will never keep up. So our security vendors have got to get ahead of this curve, have got to recognize that this whole paradigm we’re dealing with is changing, and we’ve got to change the way we act around this.”


With regard to the rest of the 11 key areas he cited, McMillan made a number of important comments. Among them, with regard to mobility and data, he said, “We’ve got to quit chasing the device. I’ve said this for the better part of five years now. If we chase the device, we’ll never catch up. We’ve got to focus on how the devices connect to the environment and how we register and protect those devices.” Meanwhile, he emphasized that while hacking and cyber-criminality represented only 10 percent of data breaches as recently as two years ago, breaches caused by hacking and cyber-criminality are now surging.


A lot of these challenges really require a level of IT security management and governance that remains lacking in U.S. healthcare, McMillan said. “I absolutely believe that we need more CISOs in healthcare. I think we need to improve the education of our CISOs and need to help professionalize them. We need to find ways for CIOs to collaborate. That’s the way we help everyone benefit and get ahead.”


Before a Medical Data Breach, Begin Your Response Plan


In the last 18 months, there have been three massive data breaches involving the healthcare industry, scores of smaller breaches, and a growing trend of insider threats posed by employees who have sold protected health information (PHI) for their own personal gain. Unlike stolen credit card numbers that can be deactivated, the personal identifying information needed to commit identity-theft type crimes, such as name, address, Social Security number, and date of birth, cannot be changed easily, if at all. Because of the permanent nature of the information that they contain, health records are approximately 10 times more valuable than stolen credit card numbers on Internet black markets where they can be bought and sold in bulk.


Now more than ever, because of new threats posed by such cybercriminals, any organization that collects, uses, discloses, or stores PHI is a potential breach victim. Covered Entities and their Business Associates subject to HIPAA who suffer a data breach must act quickly and correctly in assessing the situation. They must thoroughly investigate and mitigate risks caused by the breach, attempt recovery of the lost information, and provide required notifications to affected individuals and others. Throughout this process, organizations experiencing a breach should strive to demonstrate publicly that the data loss is being handled responsibly and appropriately.


Defining a "Breach"


HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner inconsistent with the Privacy Rule that compromises its security or privacy.  In most cases, a breach is presumed to have occurred unless it can be demonstrated that there is a "low probability" that the PHI has been compromised. When performing this initial inquiry, an organization must consider:


1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;


2. The unauthorized person who used the PHI or to whom the disclosure was made;


3. Whether the PHI was actually acquired or viewed; and


4. The extent to which the risk to the PHI has been mitigated.


Plan Ahead for Breach Notification



Leonardo M. Tamburello
Every Covered Entity and Business Associate that handles PHI should develop its own unique breach response plan, built upon its most recent Security Risk Assessment (SRA), itself a fundamental step in the development of a comprehensive HIPAA security program. This security program should include a complete inventory of all devices containing sensitive data and policies and procedures requiring the immediate reporting of any lost, stolen, or compromised devices or media.


Using the most critical vulnerabilities identified in the SRA as a blueprint, the "worst case" scenario should be used to develop a detailed response plan. This discussion and handling of the "crisis" in a benign environment should be memorialized and refined into a formal breach response plan that identifies clear lines of communication and responsibility, including what gets done, who does it, and when they are supposed to do it.  


Merely having a breach response plan on paper is not enough. Individuals who are expected to implement the plan must understand and be equipped to execute their responsibilities.  


Whether through a medical practice's in-house counsel or an outside law firm, there are important reasons to integrate counsel into a breach response plan. Privacy counsel with breach response experience can bring valuable insight and a steadying presence to an unfamiliar and sometimes chaotic situation. In the event of a follow-up investigation by HHS' Office for Civil Rights (OCR) (which is mandated in breaches affecting 500 or more individuals) or civil litigation, an organization's deliberative processes, internal communications, and actions involving its counsel regarding breach response may be kept confidential under the applicable legal privilege doctrines. Without the involvement of counsel, the entirety of an organization's actions and communications would be potentially discoverable in the now familiar class-action lawsuits that inevitably follow data breaches.


Activating the Breach Response Plan


If it is determined that a breach has occurred, an organization should immediately take all possible steps to minimize or limit the impact of the breach while documenting its efforts to do so. Mitigation often proceeds in parallel with the investigation into the cause of the breach, which keeps its own document trail. In some cases, such as when a device is physically lost or stolen, mitigation may be impossible unless there is a way to remotely wipe the data contained on it. If the breach involves media or paper that can be tracked or retrieved, every effort should be made to recover it. Law enforcement should be contacted if criminal activity such as theft or intrusion is suspected.


Like other aspects of breach response, a medical practice's internal investigation into a breach should be thoroughly documented. The Privacy Officer, in consultation with privacy counsel for the organization, should collect and preserve evidence in accordance with established policies and procedures. This information may include interviews, e-mails, chat logs, voicemails, cellular calling records, computer logs, and any other information regarding the data loss.


If the breach involves cyber intrusion, the Privacy Officer will likely require the assistance of IT vendors or others such as specially trained law enforcement divisions. Expert forensic assistance from these individuals can be invaluable when investigating a possible breach or determining the scope of a known breach.


Formal Notification to Individuals, HHS, and Others


Once a breach has been internally confirmed, HIPAA requires official notification to all affected individuals and the OCR. If the breach involves 500 or more individuals, media organizations in the area where the affected individuals live must also be notified. Most times, these notifications must occur within 60 days of when the breach actually was, or should have been, discovered.


This does not necessarily mean that the breach will remain private until further disclosure. In many instances, breaches become public knowledge long before formal notification is made. To prevent such situations from spiraling out of control, it is imperative that an organization's breach response team be prepared to make public the limited information in which there is a high degree of confidence, while stressing that the investigation is ongoing and this information may evolve. Scrambling to figure out a breach response strategy while trying to investigate and mitigate the possible harm can easily lead to inaccurate and/or harmful information being disseminated. Responding with silence will only intensify the scrutiny in such situations. A breach response plan will help a practice follow a "script" through an otherwise unfamiliar and potentially high-stakes crisis.


Poor breach notifications can take many shapes. Some fail to acknowledge the seriousness of the situation. Others provide incomplete or incorrect information. Another poor "response strategy" is complete silence or other tone-deaf actions which demonstrate organizational discord or a misunderstanding of the severity of the situation. Any of these missteps can be severely damaging, not only from a reputational point of view, but also during later phases if there is a formal investigation by OCR.  


After the required notifications have been made, the organization should update its current risk management plan to reflect lessons learned and vulnerabilities addressed as a result of the breach.


Conclusion


Most cyber intrusions are not brutish acts of virtual "smash and grab" thuggery, but well-planned and strategic, with the hallmarks of stealth and patience. As data collection and information sharing among healthcare providers and their affiliates grows in the future, the threats to the security and integrity of this information will continue to increase.

Failing to prepare for a breach is the same as preparing to fail at responding to one. As electronic health information continues to multiply along with data sharing among multiple providers and affiliates, preparing for this threat must become an organizational priority for everyone.


Avoid this little-known but costly HIPAA trap


Healthcare providers who call patients or send automated calls or text messages may be running afoul of federal law.


The law in question, the Telephone Consumer Protection Act (TCPA), was enacted in the 1990s to protect consumers against unwanted automated calls sent to residences or cellphones. The Federal Communications Commission recently established an exemption for healthcare messages that are regulated through HIPAA.


The problem? According to Christine Reilly, co-chair of the TCPA Compliance and Class Action Defense group at the law firm of Manatt, Phelps & Phillips, HIPAA doesn't specifically define a "healthcare message."


"There really is not a lot there about those requirements," she told mHealth News. "It is not exactly a model of clarity."


The TCPA, Reilly says, was designed primarily to eliminate unwanted solicitations, and gave birth to the better-known Do Not Call Registry in 2003. But how does that translate to a healthcare message that may or may not be selling the provider's services – such as reminders for screenings or appointments, prescription refills, and general health and wellness information?


"Those are a little bit more hybrid," Reilly said. "TCPA might consider it marketing, but with a healthcare message it likely falls under HIPAA."

Healthcare providers risk falling into the "TCPA trap," Reilly says, if they enable these types of messages without examining the legal implications. And those are costly – fines of between $500 and $1,500 per message.


Reilly, who will be presenting a webinar on July 30 on the TCPA, suggests healthcare providers check with legal counsel on whether their messaging protocols conform to the TCPA or fall under HIPAA.

"Providers want to know what, in fact, qualifies as a healthcare message and what qualifies as an exemption," Reilly says. "A lot of the questions we're getting are about how this works in practical terms."

Gerard Dab's curator insight, July 16, 2015 8:03 PM

Technology still meets resistance!


Hospital with repeat security failures hit with $218K HIPAA fine


Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and following a HIPAA breach. 


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of the Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Because the hospital had not adequately analyzed the security risks of this application, the practice put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there's the policies and training part of the settlement. Based on the results of the assessment, St. Elizabeth's will submit revised policies and training materials to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012, when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector


Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.


Florida Hospital faces two data breach lawsuits


Florida Hospital is facing two possible class action lawsuits regarding two separate data breaches of patient information over the past four years.


The hospital is battling both suits, and has recently submitted motions to toss them both out.


The first data breach, revealed in August 2011, involved Florida Hospital employees Dale Munroe and Katrina Munroe combing through thousands of patient records and selling data to lawyers and chiropractors. Both employees were fired and charged criminally.



The second breach, discovered in May 2014, involved two employees printing portions of medical records for at least 9,000 patients for over two years. Those employees were also fired but not named in the lawsuits. That breach was allegedly discovered by state investigators of a criminal case.



The first lawsuit is handled by the Chicago-based law firm Edelson and local attorney Edmund Normand. The named plaintiffs in that case are Richard Faircloth, who was a patient at Florida Hospital's Apopka campus, and Consuelo Armesto, a former patient at Florida Hospital's Altamonte campus. A new hearing is coming up soon regarding Florida Hospital’s motion to dismiss the Faircloth case.


Attorney John Yanchunis of Orlando law firm Morgan & Morgan is handling a case tied to the May 2014 breach. The named plaintiffs in that case are Heather and Sebastian Peralta of Altamonte, and their daughter Janson Peralta.


The Peralta case, filed more recently, cites the previous case as evidence that the hospital has known about data breaches for a while now.


“Hospitals are good about delivering medical services. Other kinds of things, like this, they are not so good at, because it’s not their business,” Yanchunis said. “But that must change now, and there’s a movement now to install systems to better detect access to information.”


Florida Hospital and its attorneys did not immediately respond to phone calls and emails about the lawsuits, which are both pending in Orange County Circuit Court.


But the hospital has argued that the lawsuits are missing an important fact: the plaintiffs haven’t suffered any identity theft, at least not yet.

Both lawsuits rely on allegations that the patients involved had “expected and paid for" data security at the hospital.


But Florida Hospital’s attorneys argue that no Florida court has recognized a fiduciary duty between a hospital and a patient. The hospital also argues that the plaintiffs can’t enforce federal HIPAA law through a private civil action, and that they can’t sue based on an “increased risk of identity theft.”


The hospital also argues that their employees were willfully violating the policies regarding HIPAA compliance and patient data security.

Data stolen from medical records is a common method used by identity thieves, especially for filing fake tax returns seeking bogus tax refunds.


There’s an additional wrinkle in the Peralta case. Yanchunis noted that the Peraltas’ daughter isn’t even eligible for credit protection services yet, but that her data could be used in an identity theft years from now.

According to the court record, the Munroes were paid $10,000 by local chiropractor Sergei Kusyakov to pull out information on victims of motor vehicle accidents – some of whom then received calls from Kusyakov’s office with offers of chiropractic care. The Munroes and Kusyakov all pleaded guilty to the crimes.
