HIPAA Compliance for Medical Practices
60.5K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Four Things MSPs Should Know About HIPAA Compliance and the Cloud

Four Things MSPs Should Know About HIPAA Compliance and the Cloud | HIPAA Compliance for Medical Practices | Scoop.it

While managed service providers (MSPs) are certainly well-versed in the areas of cloud-based file sharing and data storage, it pays to be just as familiar with some of the areas of interest of your clients. As MSPs see more healthcare companies migrating their services to the cloud – whether due to a relaxation of restrictions or a decision to evolve – the need for familiarity in this potentially lucrative market is as important as ever.


When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, data security and privacy on the internet were not exactly the big concerns of the day. Then again, the MSP business model we know and love today didn’t even exist.


Fast forward about 20 years – and through a couple of generations of computing platforms – and HIPAA compliance has become a hot topic as health care organizations, at long last, begin to crawl out from under mountains of paper and into the digital world.


The 2013 HIPAA Omnibus Rule is the modification to HIPAA that defines the rules governing data security for “covered entities” (healthcare providers, mostly) and their “business associates,” i.e. you, their MSP.


As the rule states, “These modifications [to the original HIPAA law] make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” Here are the four most important things you need to know to comply with HIPAA regulations:


1. Business Associate Agreements


Law now requires that when you’re doing business with a “covered entity” (CE), you must execute agreements – called Business Associate Agreements (BAAs) – that define the permitted uses and disclosures of “protected health information” (PHI) by the business associate. Don’t start doing business with a healthcare client or other “covered entity” without a Business Associate Agreement in place. The same goes for subcontractors. You’ll want to make sure that anybody touching PHI is covered in the BAA.


2. Providing cloud storage makes you liable for HIPAA privacy


According to the HIPAA Omnibus rule, anything you store in the cloud – even on behalf of a client – that contains protected health information must be compliant with HIPAA privacy protections.  This applies whether you ever view that data or not. If you retain, maintain, or transmit protected health information for a client, then you are bound by their business associate agreement.


3. Less access = lower liability risk


According to an FAQ published by the Center for Democracy and Technology, if you don’t have the capability to access your client’s data and adhere to HHS (Department of Health and Human Services) standards with respect to encryption, you should have little liability risk as a business associate. The FAQ also states that, “if the covered entity controls the decryption keys and the CSP has no ability to access the plain text of the data, it would not be reasonable to expect the CSP to comply with the provisions... that require a BA to ‘make available’ PHI for certain purposes.”


4. Breach thresholds have been lowered


Prior to the enactment of the Omnibus rule, a security breach only had to be reported to the HHS if it posed “significant risk of reputational, financial or other harm” to individuals. Now, all breaches of unsecured PHI – information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons – must be reported. However, if the BAA established between you and your healthcare client includes a multi-factor risk assessment that determines low probability of data compromise, the breach may not need to be reported. It’s probably worthwhile to check out your your legal obligations for notification.

more...
No comment yet.
Scoop.it!

3 Tips for Improving Breach Response

3 Tips for Improving Breach Response | HIPAA Compliance for Medical Practices | Scoop.it

Breaches can happen even when there are strong protections in place. But healthcare organizations can do more to prepare for breaches and respond in the best possible way to protect patient information.

Here are three tips to avoid common pitfalls in healthcare incident response programs.

1. Define Incidents Broadly

HIPAA and state laws require organizations to recognize and properly respond to events that put certain personally identifiable information at risk. Most states today require notification when data that could be used for identity theft is breached. Hence, "incidents" must include negative events affecting a variety of legally protected data, not limited to protected health information, or PHI. For your organization's sake, you should include internal confidential and proprietary data as well.

"Incidents" can include such data in any form, including written, spoken and electronic. Some organizations mistakenly consider security incidents only in technical terms, relating to computers and networks. While incidents and breaches often involve malicious attackers and malware, that's only part of the story.

Both HIPAA's privacy rule and its security rule require incident response and mitigation. Therefore, "incidents" must include both privacy and security events. However, there is considerable overlap between privacy and security incidents, with most, if not all, privacy incidents also being security incidents. It is counterproductive to attempt to segregate privacy and security incidents, and, in fact, the HIPAA breach notification rule does not distinguish between them.

2. Teach Workforce to Report Incidents

Training is a critical component of privacy and security programs. Without it, the best policies and technologies can only go so far. Building on your broad definition of "incidents," ensure your documented workforce training content includes not only the definition but a wide range of examples. It is essential to convey to your staff the full scope of this requirement and the organization's expectations. Also, use current news stories on breaches to inform your workforce. Explain these incidents and discuss whether and how they could happen in your organization, as well as what individuals can do to prevent such breaches.

Training content must also include how to report incidents within the organization; the process should be easy and unambiguous. Here again, the workforce should not need to categorize an incident as involving either privacy or security issues to determine how to report it; most incidents will be both. Yet many organizations require security incidents be reported to IT and privacy incidents to the privacy or compliance officer, or compliance tracking system.

Since the information security officer and the privacy officer should be acting as a team in responding to incidents, it makes sense to have a single reporting stream. In addition, the workforce should not be expected to make the breach determination; that is the responsibility of the information security and privacy officers because it requires expertise in the regulations.

Be sure your training content reinforces the requirement to report all incidents promptly, even if an incident is only suspected. Each organization's information security officer and privacy officer should determine the time limit - such as "the same day" or "within 24 hours" or "within one business day" - and include it in training content.

3. Make Incident Response Plan Comprehensive

Ensure that the scope of your organization's plan is comprehensive, including all incidents, both privacy and security.

Keep in mind that an organization's incident response plan is intended to be a clear guide to actions, particularly during a crisis. A plan that simply states high level commitments to satisfy HIPAA or state regulations is not a real plan. Think of the plan as a cookbook with necessary ingredients and logical steps to follow. Unfortunately, this cookbook will have guidelines instead of precise measures, but a good plan will take an organization to a successful outcome.

The ingredients may include factors to consider in triaging an incident, questions to ask as part of the investigation, and state and federal legal requirements regarding notifications. The latter can be embedded in the plan or provided via direct links to actual regulation details such as at www.eCFR.gov.

The recipe should include, for example: triaging incidents based on criticality; convening primary and secondary response teams; determining if an incident falls under one or more state laws and/or HIPAA; if the incident involves PHI, determining violations versus breaches; mitigation actions depending on the type of incident; carrying out notification steps; and wrapping up.

Following HIPAA violations and breaches, take time to evaluate the effectiveness of your plan, as well as the training of your workforce and your response teams. Update the plan and training as needed.


more...
No comment yet.
Scoop.it!

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 -

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 - | HIPAA Compliance for Medical Practices | Scoop.it

That’s the analysis of industry executives who contend the information security threats facing health care institutions will only intensify in 2015. They say attackers believe hospitals and health systems hold a wealth of data, from credit card information to demographic details to insurance beneficiary data. The notion that health care trails other industries in IT security may encourage attempts to seize those data.

But while attacks are on the rise, health care budgets aren’t quite as buoyant.

Phyllis Teater, CIO and associate vice president of health services at the Ohio State University’s Wexner Medical Center, said, “The threats continue to mount … at a time when all of health care is looking to reduce the cost of delivering care.”

Earlier this month, Art Coviello — executive chair of RSA, the security division of EMC — predicted that “well-organized cyber criminals” will ramp up their efforts to steal personal information from health care providers. Coviello, in what has become his annual security outlook letter, described health care information as “very lucrative to monetize” and “largely held by organizations without the means to defend against sophisticated attacks.”

Some health care providers, however, plan to strengthen their defenses. Health care organizations’ expected security priorities for 2015 include:

  • Encryption and mobile device security;
  • Two-factor authentication;
  • Security risk analysis;
  • Advanced email gateway software;
  • Incident response management;
  • Expansion of IT security staff; and
  • Data loss prevention (DLP) tools.
Uptick in Attacks

Lynn Sessions, a partner with the law firm BakerHostetler, cited an uptick in cyber-attacks targeting health care. Sessions, who specializes in health care data security and breach response, said much of her firm’s activity once focused on unencrypted devices that were lost or stolen, unencrypted backup tapes and email delivered to the wrong recipient. Those incidents were typical of the years immediately following the passage of the HITECH Act, which in 2009 established a breach notification duty for HIPAA-covered entities. But since the beginning of 2014, the rise of hacking and malware attacks has become “very noticeable,” Sessions said.

That trend seems likely to carry over into 2015.

Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, said he believes two types of attacks will see increased prevalence next year:

  • Phishing; and
  • Ransomware.

Phishing attempts to convince users to give out information such as usernames and passwords or credit card numbers. In settings such as health care, phishing may also provide a stepping stone for more advanced attacks, Koller noted. For example, a user could open an attachment in a phishing email that installs malware on the user’s device. From that foothold, an attacker could then infiltrate the enterprise network.

“Phishing emails often provide the entry point,” Koller said.

Attackers, he added, have become adept at disguising their phishing emails.

“They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect,” Koller explained.

Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive. Cyber criminals demand payment from users before they will provide the means to unlock the data.

CryptoLocker and CryptoWall are examples of ransomware. In August, the Dell SecureWorks Counter Threat Unit research team reported that nearly 625,000 systems were infected with CryptoWall between mid-March and late August 2014. The researchers called CryptoWall “the largest and most destructive ransomware threat on the Internet” and one they expect will continue expanding.

To further complicate matters, ransom may be demanded in the form of bitcoin, a digital currency. The use of bitcoin makes the perpetrators a lot harder for law enforcement to track down, Koller said. He said he anticipates that ransomware will see greater prevalence and use in the future.

Tightening Security

Against the backdrop of increasing attacks, health care organizations are taking steps to boost their IT security.

Ohio State’s Wexner Medical Center, for example, plans to make staffing a focal point of next year’s IT security investment. It expects to fill three openings over the next few months.

“Much of our investment is in recruiting top talent and growing the team by adding” full-time employees, Teater said.

Technology adoption is also in the works.

“We are deploying a new mobile security tool that has better capabilities,” she said. “We are also starting down the road to deploy data loss prevention” in conjunction with the Ohio State University.

In addition, Ohio State’s medical center is looking at how to enable two-factor authentication for use cases such as remote/mobile access and e-prescribing, Teater noted.

Koller said two-factor authentication will rank among the top IT security measures health care organizations take on in 2015. Two-factor authentication typically involves a traditional credential, such as user name/password and adds a second component such as a security token or biometric identifier.

Two-factor authentication does a good job of counteracting phishing emails, Koller said. If an attacker obtains an employee’s username/password via phishing, it will still lack the additional authentication factor, he noted.

Koller also cited encryption as another security measure health care providers should look to deploy next year. He said that larger institutions already recognize encryption as an issue but that smaller practices still struggle to find ways to implement encryption for laptops and mobile devices.

“Encryption very much needs to be on everybody’s radar,” he said.

To date, it hasn’t been. Forrester Research in September reported that “only about half” of health care organizations secure endpoint data through technology such as full-disk encryption or file-level encryption.

Health care providers next year may also invest in incident response management, as well as prevention.

Mahmood Sher-Jan, vice president and general manager of the RADAR Product Unit at ID Experts, said most people accept that security incidents are a certainty, which places the emphasis on risk reduction and response. ID Experts provides software and services for managing incident response.

Chief information security officers and health care IT security personnel “recognize now that their success is going to be measured on how they manage incident response and minimize the impact on reputation and churn,” Sher-Jan said.



more...
No comment yet.
Scoop.it!

Connected devices at risk for malware, privacy violations

Connected devices at risk for malware, privacy violations | HIPAA Compliance for Medical Practices | Scoop.it

There must be a balance between the promise of new Internet of Things (IoT) tools and devices and the need for robust security and data privacy, according to a new report.

For the report, Intel Security and Atlantic Council's Cyber Statecraft Initiative gathered government, medical and security specialists to create guides for trust and innovation for connected medical devices.

Connected medical devices help patients and their caregivers better monitor their health. That kind of real-time monitoring lets patients receive feedback and alerts more quickly, the report says.

IoT is already creating new care models, improving patient experiences and driving efficiency in providers' business operations, according to new data from another recent IoT report from Verizon. 

That report says the overall number of IoT connections is predicted to more than quadruple between 2014 and 2020 to about 5.4 billion.

However, the benefits of networked devices will mean little without putting the proper security in place, according to the Intel report. Security officials and healthcare organizations must take the correct steps to prevent future attacks.

Networked devices are at risk for the following, according to the Intel report:

  • Accidental failures: Failures in the technology can destroy trust of consumers and prevent tools from making it out of the production process.
  • Privacy violations: Connected devices store sensitive data, and since IoT is relatively new, malicious attacks are hard to predict.
  • Widespread disruption: Connected devices are susceptable to malware, which could be used to search out and infect them.

To better protect networked devices, those surveyed for the report say the industry should take three steps: Stress security from the start; improve collaboration between public and private sectors; and introduce an independent voice for the public in discussions about cybersecurity.


more...
Roger Smith's curator insight, March 23, 2015 6:47 PM

However, the benefits of networked devices will mean little without putting the proper security in place, according to the Intel report. Security officials and healthcare organizations must take the correct steps to prevent future attacks.

Scoop.it!

Are You Ready for a HIPAA Security Risk Assessment? | HealthITSecurity.com

There are numerous aspects of a HIPAA security risk assessment that healthcare organizations must keep in mind.

Even though the Department of Health and Human Services’ (HHS) HIPAA security risk assessment tool has not even had a full year of existence, experts in the industry have stated that it’s a great way for healthcare organizations to improve their risk analyses. Healthcare regulatory compliance is important for facilities for numerous reasons. Not only do providers want to avoid hefty fines for HIPAA violations, they also want to reassure patients that their electronic protected health information (ePHI) will remain secure.

But even with the HHS tool, do healthcare organizations understand what must be done to be fully prepared for a HIPAA security risk assessment? HealthITSecurity.com decided to pull together important points for facilities to keep in mind, ensuring that they are ready for a risk assessment.

Identify all ePHI

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. These overviews can also reveal areas where ePHI could be at risk. This is why it’s important for healthcare organizations to identify all ePHI that they create, maintain or transmit.

For example, are there any vendors or consultants that have access to ePHI? If so, what is their process? Covered entities must ensure that they understand how patients’ data is not only used, but how it is transmitted. Failing to account for one storage area could lead to regulatory fines.

Moreover, healthcare facilities need to account for all types of threats to the ePHI during a HIPAA security risk assessment. This includes human, natural, and environmental threats to information systems.

“All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule,” according to HHS. “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Risk analysis is the first step in that process.”

Specifically, the HIPAA Security Rule requires organizations to create and implement policies that “prevent, detect, contain, and correct security violations.” This process will be much easier after healthcare facilities know where all ePHI is located.

Identify threats, assess security measures

When all assets, including ePHI, have been identified, healthcare facilities should pinpoint any potential threats or security risks. From there, organizations can benefit from ranking those risks in terms of severity of impact and likelihood of occurrence. Cybersecurity might have a greater chance of affecting your facility, but a disgruntled employee could also pose an internal risk. No possibility should be ignored.

Moreover, healthcare facilities should review the types of protections currently in place. Is there up-to-date data encryption, firewalls or anti-malware protection? If not, are there areas that could benefit from such protections?

If any gaps are discovered, they must be immediately addressed. Should any data breaches occur, and it is proven that a facility did not properly assess its risks, heavy penalties could follow.

“An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability,” according to HHS’ “Guidance on Risk Analysis. “An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.”

Conduct periodic reviews

A crucial aspect that can be overlooked is that healthcare organizations need to update their risk analyses. Technology continues to evolve, and as such, so can the potential security risks. An ongoing risk analysis procedure will be much more helpful, and further decrease the likelihood of an area being overlooked.

“A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation,” HHS stated on its website.

Any of the following could be a reason for a new analysis:


  • The organization experienced a security incident
  • There is new ownership
  • A facility sees turnover in upper management or other key roles
  • New technology is introduced

“If it is determined that existing security measures are not sufficient to protect against the risks associated with the evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, then the entity must determine if additional security measures are needed,” according to HHS.

A risk analysis is a vital first step for proper healthcare security management. Organizations need to not only understand potential risks, but also be aware of what steps they can take to mitigate those risks. Moreover, it’s important to understand that different types of assessments will benefit different organizations. Methods can vary depending on facility size, along with its complexity and capabilities. For example, a small healthcare provider might not have ePHI stored with a third-party vendor. Instead, it is located within the main building. However, this does not mean that their ePHI servers are more or less secure than that of a large provider.

It cannot be guaranteed that a data breach will never occur at a facility, but by adhering to HIPAA security risk assessment requirements, the odds will be lower.


more...
No comment yet.