HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Is the Collective Will Present for a Concerted Push on Cybersecurity?

It was a privilege and a pleasure to moderate the panel “Healthcare Cyber Security Solutions: Concepts and Trends,” at the Denver CHIME Lead Forum on Monday, July 20. The panel I moderated was part of a daylong event held at the Sheraton Downtown Denver, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization of Healthcare Informatics under the corporate umbrella of our parent company, the Vendome Group LLC).

I was joined on the panel by Mike Archuleta, director of IT at Mt. San Rafael (Colo.) Hospital; Guy Turner, chief data security officer at Sutter Healthcare (San Francisco); Francisco C. Dominicci, R.N., CIO and director of health IT for the Colorado Springs (Colo.) Military Health System; Ryan Witt, vice president, healthcare industry practice, at Fortinet (Sunnyvale, Calif.); and Steve Shihadeh, senior vice president at the Seattle-based Caradigm.

Our panel’s discussion covered a very wide range of topics under the cybersecurity umbrella, including why that term itself is becoming more used these days.

Numerous statements were made by panelists that I found to be particularly worth recounting. Among those was Turner’s strongly urging attendees to adopt behavioral pattern recognition solutions, as had been recommended earlier in the day by Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm. As McMillan had stressed, so did Turner, the fact that, as Turner put it, “You have to invest in tools for pattern recognition for anomalous behavior.” To not do so essentially leaves one’s entire clinical information system open to hackers once they’ve penetrated the outer defenses of the system.

Importantly, all the panelists agreed that investing in cybersecurity solutions and measures really is exactly that: a form of investment. It can’t be seen purely as a “cost” or set of costs, as can many purchases, given the risks facing patient care organizations these days.

As for the term “cybersecurity,” there was general consensus around the idea that there is some logic to that term in some cases now eclipsing the terms “data security” and “IT security” in industry usage, since so many of the security issues facing patient care organizations really are online and electronic in nature.

Among the important statements made during the discussion was this one by Dominicci: “Providers need to hold vendors accountable,” he stressed, noting that there is an intensifying need on the part of healthcare IT leaders to be able to hold vendors accountable for their ability to help ensure the security of information systems in a more thorough way than was ever needed until recently.

How will the accelerating consolidation of patient care organizations through mergers and acquisitions affect the broader dynamics around investing in cybersecurity? In fact, said Shihadeh, with consolidation proceeding apace, this is in fact a good time for investment in cybersecurity tools and processes. “There is a good opportunity now to invest,” he said, “because of the bigger patient care organizations involved. Large integrated delivery networks are being created, and those larger organizations will have the capital to be able to fund these initiatives” in beefing up cybersecurity/IT security, in his view.

Of course, there are people-based issues as well. What about a question from the audience around whether the leaders of patient care organizations should focus their efforts on grooming or recruiting individuals with healthcare industry-specific data security experience, versus bringing talented individuals in from other industries, and teaching them the ins and outs of healthcare IT security, versus IT security in other industries? Turner was very blunt in stating his perspective: “It’s easier to teach someone the healthcare business than it is to teach someone with a healthcare background all the technical aspects of IT security,” he said. “I would very willingly seek people outside healthcare,” he opined, as patient care organizations are finding themselves trying to fill such important positions as chief information security officer (CISO) in an environment in which the number of potential candidates is dwarfed by the need for qualified individuals these days.

And what of the next couple to few years in this whole arena? There was a broad consensus on the panel that things will get worse before they get better, across a range of issues in the IT/cybersecurity arena. The panelists agreed that the ongoing series of announced data breaches will inevitably intensify, growing in number and frequency, before a very broad collective consensus emerges in the U.S. healthcare industry around what to do about all of this, and industry leaders band together in very broad, concerted efforts.

It was very clear to me from this panel discussion with these industry leaders, that it will indeed require a huge, collective commitment, at a policy, industry, strategic, and business level, for the leaders of healthcare IT industry-wide, to move forward together to address the issues facing us. Several references were made to the recent disclosure on the part of the leaders of the UCLA Health System of a massive data breach there, which may have exposed 4.5 million people to being data-compromised; and the consensus on the panel was that such disclosures are being seen as “wake up calls”—in a patient care delivery setting, they might be referred to as “sentinel events”—that will eventually compel collective action, on the industry and policy levels.

It was also agreed that the headlong rush into accountable care organization development, population health management innovation, and health information exchange, all of which are extremely worthwhile, valuable areas of pursuit, will inevitably ratchet up the risks for patient care organizations around cybersecurity/IT security.

In short, the immediate future is one fraught with danger and challenge, everyone agreed. And yet one did not leave that session with a sense of despair, but rather with a sense of “let’s-roll-up-our-sleeves” commitment to action, at a time when there is no time to waste and there are many, many extremely important tasks ahead, and with a sense that there is indeed both a collective intelligence and a collective will to move forward industry-wide in this incredibly crucial area for all the stakeholder groups in U.S. healthcare.

Should HIPAA require encryption of medical data?

Dive Brief:
  • Even more surprising to some than the fact that Anthem did not encrypt its medical records, which made it easier to hack, according to experts, was the fact that HIPAA's regulations do not currently require that personal health data be encrypted by providers who manage those records. A report in HealthIT Security revealed that lawmakers are starting to address this issue.
  • The US Senate Health, Education, Labor and Pensions committee is taking up the debate, while New Jersey Gov. Chris Christie has already enacted a law requiring medical record encryption and Connecticut Democrats are apparently also seeking similar legislation in their state.
  • At present, HIPAA regs do not specifically require data encryption. Instead, HIPAA-covered entities get to choose, based on their situation, whether encryption is necessary or another approach is more appropriate.
Dive Insight:

The Anthem hack has become the cue for every agency, governmental body, consumer group, healthcare advocacy organization and technology forum to start pushing tougher cybersecurity requirements. While the strong reaction was expected, the stampede could generate more problems than solutions, with lawmakers and federal agencies duplicating efforts with state legislatures around the country.

What would make the aftermath of the Anthem hack even worse is a resulting mish-mash of regulations and laws that vary from state to state, from agency to agency. Any additional HIPAA security regs should at least attempt to coordinate bills being drafted by Congress and work to advise individual states so there can be some parity across all the different bodies with multiple approaches to the same goal.

Health providers lack awareness of cyberthreats

In a three-month review of cyber risk management practices in healthcare, the Health Information Trust Alliance (HITRUST) has found that the industry's approach is reactive, inefficient and labor intensive.

HITRUST says one of the key concerns revealed by the review is that organizations are not aware of the threats they face, according to an announcement.

The providers "acknowledged they had minimal understanding as to the impact of cyberthreats on their current cybersecurity products," the review says. In addition, because of that lack of awareness, health entities put a lot of emphasis on indicators of compromise (IOCs) to uncover breaches, which is a "retrospective" approach that "introduces inefficiencies," HITRUST says.

Organizations also need to improve communication about how effective their security measures are, especially with senior management, according to the review.

In reaction to the findings, HITRUST is rolling out a new component to its cyber risk strategy--HITRUST CyberVision--a "real-time situational awareness and threat assessment tool tailored to the healthcare industry." It plans to have the service available by March 9.

The push to get the healthcare industry to be more proactive when it comes to security and privacy is nothing new. Professionals in the industry remain too reactive and compliance-focused, Mark Ford, principal of Deloitte Cyber Risk Services, said in November. "There's a pretty significant gap between where they are today and where they ultimately need to be," he said.

St. Mary's: Patient information compromised in Email hack

Around 4,400 people were recently sent letters by St. Mary’s Medical Center informing them of a cyber attack on several hospital employees’ email accounts that happened in January, according to Randy Capehart, St. Mary’s spokesperson.

Hackers gained access to health information contained in the emails, according to Capehart. Patient information was compromised, including name, date of birth, gender, date of service, insurance information, health information and, in some cases, Social Security numbers. Capehart said St. Mary’s immediately shut down the email accounts.

“It’s not clear if their information was shared because the shutdown was so quick,” Capehart said.

Capehart said the hospital had to figure out if there was a breach and investigate the incident before they alerted the public. Officials are not clear who is responsible for the attack. A forensic investigation is underway, according to Capehart.

St. Mary’s said no patients have reported identity theft.

According to a news release from St. Mary’s, “sophisticated” hackers gained access “through a fraudulent Email communication.”

Insider Threat: Mitigating the Risk

You've screened your candidate, hired them into the position, assigned them resources and granted them access...now what? Hope they don't rob you blind? Trust them completely? The real job has just begun, now you have to:

  • Translate risk levels into appropriate levels of scrutiny, the greater the access, the greater the need for review;
  • Implement an ethical and legal approach to people security and protective monitoring;

SpectorSoft will present a practical approach to mitigating employee risk from hires to fires. Attend this webinar if you answer 'No' to the following question: Do you believe that, once a position is filled, the company should simply trust that the person in the position will not exceed or misuse that access in a way that could harm the company?


Employees are an organization's greatest asset and greatest risk. With a single click an employee can devastate a business by transferring or damaging huge amounts of data. Finding the balance between trust and scrutiny/control represents a tremendous challenge and a huge opportunity if executed correctly. Most organizations use intense pre-hire screening and background checks to ensure they are bringing in valuable talent that will benefit the organization without the propensity to do harm. Once the employee is hired they are given the "keys to the castle" to do great things for their new employer...or they could cause great damage.

HIPAA Holiday Cheer

On the twelfth day of breaches
my hacker sent to me:

Twelve Data Downloads

Eleven Plundered Patches

Ten Missed BA Contracts

Nine Malware Installs

Eight Mis-sent Faxes

Seven Stolen Laptops

Six Snooping Staffers

Five Old NPPs

Four Lost Thumbdrives

Three Re-sent Texts

Two Pop-up Links …

And a Bill for Compliance Auditing.

Happy Holidays to All!

Cybersecurity: Things Are Getting Worse, But Need to Get Better

In his opening keynote address at the CHIME Lead Forum at iHT2-Denver, sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2—a sister organization of Healthcare Informatics through our parent company, the Vendome Group LLC), being held at the Sheraton Downtown Denver, Mac McMillan laid out in the clearest possible terms for his audience of IT executives the growing cybersecurity dangers threatening patient care organizations these days.

Under the heading, “What Is Cyber Security and Why Is It Crucial to Your Organization?” McMillan, the CEO of the Austin, Tex.-based CynergisTek consulting firm, used his opening keynote address to challenge his audience to think strategically and proactively about the growing cyber-threats hitting patient care organizations across the U.S.

McMillan elaborated on what he sees as 11 key areas of concern going forward right now for healthcare IT leaders: “increased reliance”; “insider abuse”; “questionable supply chains”; “device-facilitated threats”; “malware”; “mobility”; “identity theft and fraud”; “theft and losses”; “hacking and cyber-criminality”; “challenges emerging out of intensified compliance demands”; and a shortage of chief information security officers, or CISOs.

In fact, McMillan said, cybersecurity threats are accelerating and intensifying, and are coming through such a broad range of threat vehicles (hacking by criminal organizations and foreign governments, penetration of information networks via deliberate infiltration through medical devices, and a crazed proliferation of all types of malware across the cyber universe) that the leaders of patient care organizations must take action, and take it now, he urged.

As for “increased reliance,” the reality, McMillan noted, is that “We live in a world today that is hyper-connected. When I left the government and came back into healthcare in 2000,” he noted, “probably the total number of people who looked at any patient record, was about 50, and all were hospital employees. Today, that average is more like 150, and half of those individuals are not hospital employees. And our systems are interconnected. Digitizing the patient record, under meaningful use, coincided with the rise in breaches. Not that any of that is bad,” he emphasized. “But it did become easier for bad people to do bad things; it also increased the number of mistakes that could be made. If I wanted to carry out paper medical records” in the paper-based world, he noted, “I was limited to the number I could put into a basket. Now, I can download thousands at a time onto a flash drive.”

With regard to “insider abuse,” McMillan made a big pitch for the use of behavior pattern recognition strategies and tools. “We have to actively monitor what’s going on,” he urged. “It doesn’t mean running random audits. You have to actively monitor activity, and you can’t do that manually, and we have to recognize that. Also, a lot of activity, particularly identity theft, is not captured by monitoring compliance rules, but rather, by capturing activity patterns. The fact that someone looks at information four times the frequency that their neighbor does—the fact that an individual is looking at four times as many records, is absolutely a flag. They’re either working four times as hard/fast, or are snooping, or are engaged in nefarious activities. But fewer than 10 percent of hospitals are actively monitoring behavior patterns.”
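The peer-comparison rule McMillan describes (a user who opens four times as many records as their neighbors is a flag) is simple enough to run over an EHR access audit log. The following is an added illustration, not code from the article or from CynergisTek: it assumes a constructed, whitespace-separated log format (timestamp, user, role, record id, action), counts distinct records per user, and compares each user against the median of the other users in the same role. The leave-one-out median, the role-based peer group and the minimum-peer rule are design choices made here, not something the talk specified; the 4x threshold is the one quoted above.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit log (not real data). Format per line, assumed here:
#   <timestamp> <user> <role> <record id> <action>
def constructed_log() -> str:
    profile = {  # user -> (role, number of distinct records opened)
        "alice": ("nurse", 4), "bob": ("nurse", 3), "carol": ("nurse", 5),
        "dave": ("nurse", 16),            # four times the median of his peers
        "erin": ("billing", 6), "frank": ("billing", 6),
    }
    rows, n = [], 0
    for user, (role, count) in profile.items():
        for i in range(count):
            n += 1
            rows.append(f"2015-07-20T08:{n:02d}:00 {user} {role} MRN{10000 + i} view")
    # a repeat view of a record dave already opened: must not count as a new record
    rows.append("2015-07-20T09:00:00 dave nurse MRN10000 view")
    return "\n".join(rows)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into a list of access entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, mrn, action = line.split()
        entries.append({"ts": ts, "user": user, "role": role, "mrn": mrn, "action": action})
    return entries


def distinct_records_per_user(entries: list[dict]) -> dict[str, tuple[str, int]]:
    """Map user -> (role, number of distinct patient records touched)."""
    roles, seen = {}, defaultdict(set)
    for e in entries:
        roles[e["user"]] = e["role"]
        seen[e["user"]].add(e["mrn"])
    return {u: (roles[u], len(s)) for u, s in seen.items()}


def flag_anomalous_users(entries: list[dict], ratio_threshold: float = 4.0,
                         min_peers: int = 2) -> dict[str, dict]:
    """Flag users whose distinct-record count is >= ratio_threshold times the
    median of their same-role peers (leave-one-out, so an outlier does not
    inflate its own baseline). Roles with fewer than min_peers other users
    get no baseline and are never flagged by this rule."""
    counts = distinct_records_per_user(entries)
    by_role = defaultdict(dict)
    for user, (role, n) in counts.items():
        by_role[role][user] = n
    flagged = {}
    for role, users in by_role.items():
        for user, n in users.items():
            peers = [v for u, v in users.items() if u != user]
            if len(peers) < min_peers:
                continue  # singleton or tiny peer group: no meaningful baseline
            base = median(peers)
            ratio = float("inf") if base == 0 else n / base  # peers with no activity at all
            if ratio >= ratio_threshold:
                flagged[user] = {"role": role, "records": n,
                                 "peer_median": base, "ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    log_entries = parse_log(constructed_log())
    for user, info in flag_anomalous_users(log_entries).items():
        print(f"FLAG {user} ({info['role']}): {info['records']} records vs peer median "
              f"{info['peer_median']} (x{info['ratio']})")
```

Running the block prints one flag line, for dave. Note what the rule does not do: the billing users are never baselined because each has only one peer, and a flag only says the pattern is unusual, which, as the quote says, could equally mean a hard-working employee; the flag is a review trigger, not a verdict.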

McMillan was totally blunt when it came to discussing “questionable supply chains.” “I’ll just come out and say it: vendors are a threat,” he told his audience. “We’ve had cases where vendors have been hacked or have had incidents, and the vendor didn’t have a good procedure for restoration or what have you. We need to do a better job of vetting our vendors, of holding them to a higher standard for performance. And this industry needs to create a better baseline—basic requirements—if you connect my network, this is how you have to connect, this is the basic level of encryption required, that kind of thing. This is about creating and adhering to minimal requirements, not creating a new framework,” he said. “We’ve already got a million frameworks out there.”

What about medical devices? The threats there are absolutely exploding, McMillan said. He noted that successful hacks have now been documented via such devices as insulin pumps and blood pumps, all of which are relatively recent, as most medical devices weren’t networkable until at least 2006.

Meanwhile, the malware explosion dwarfs just about all other issues, at least in terms of volume. At the beginning of last year, McMillan reported, there were 100 million instances of malware floating around; by the end of the year, there were 370 million. Importantly, he noted, “Malware is no longer produced by smart people in dark rooms writing code. It’s now being produced by bots morphing old malware. And this is putting more pressure on people in terms of the integrity of the environment.” He warned his audience that “The anti-virus products we have today are antiquated products. Less than half of the malware out there is recognized by anti-virus anymore; if you’re relying on antivirus, you’ve already lost the battle. In the next decade,” he predicted, “we’ll move from a speed of computing of 10 to the 8th power, to one of 10 to the 26th power—that’s how fast we’ll be computing. That’s phenomenal. So decisions will be made by computers so fast that any technology relying on signatures to be looked up, will be blown by. It will never keep up. So our security vendors have got to get ahead of this curve, have got to recognize that this whole paradigm we’re dealing with is changing, and we’ve got to change the way we act around this.”

With regard to the rest of the 11 key areas he cited, McMillan made a number of important comments. Among them, with regard to mobility and data, he said, “We’ve got to quit chasing the device. I’ve said this for the better part of five years now. If we chase the device, we’ll never catch up. We’ve got to focus on how the devices connect to the environment and how we register and protect those devices.” Meanwhile, he emphasized that while hacking and cyber-criminality represented only 10 percent of data breaches only two years ago, breaches created by hacking and cyber-criminality are now surging.

A lot of these challenges really require a level of IT security management and governance that remains lacking in U.S. healthcare, McMillan said. “I absolutely believe that we need more CISOs in healthcare. I think we need to improve the education of our CISOs and need to help professionalize them. We need to find ways for CIOs to collaborate. That’s the way we help everyone benefit and get ahead.”

Read the Fine Print: Where FERPA and HIPAA leave your medical records at risk

If you are a student and seek counseling or health services through your university, your medical records may not be protected by typical medical-privacy laws.

Students enrolled in post-secondary educational institutions should make sure they understand the basics of the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act, as the education and medical laws can overlap in a confusing manner, making it unclear what is really private and what is not.

Discovering the Legal Loophole

In January of this year, a student sued the University of Oregon for mishandling her sexual-assault case where, through the campus’ judicial process, three male students were found responsible for gang raping her.

In response to the litigation, the Oregon administration accessed the student’s therapy records from the university counseling center and turned them over to its general counsel’s office to use as part of their defense against her lawsuit. The university’s actions came to light in a recent op-ed piece by Katie Rose Guest Pryal in the Chronicle of Higher Education. Pryal is a former law professor at the University of North Carolina, Chapel Hill.

As the piece points out, the university was going to use the student’s own post-rape therapy records against her.

Typically, medical privacy can be breached in a lawsuit setting only when a patient sues a health-care provider for malpractice. This makes sense because in those instances the medical records become evidence that would determine whether the provider had actually breached medical standards of care.

However, in this case, the student had not actually asserted any claim of malpractice against the University of Oregon. A senior staff therapist in the counseling unit wrote a public letter detailing the administration’s actions and appeared appalled that work she believed was protected by medical privacy laws was being violated in such a way.

So why was the university able to access a student’s medical records if they were protected by the HIPAA Privacy Rule?

Ironically enough, Oregon was entitled under the Family Educational Rights and Privacy Act to access and use her records against her in the lawsuit. The university was allowed to access the therapy records of a rape victim in order to defend itself in a lawsuit that did not have anything to do with therapy malpractice. 

Even though Oregon dropped its counterclaim against the student last week, the litigation brought some unsettling legal loopholes to light, loopholes that need to be closed.

Where FERPA and HIPAA Intersect

Most students know the Family Educational Rights and Privacy Act as it pertains to their academic records at a post-secondary institution, if they are familiar with it at all. FERPA considers any student 18 years of age or older who attends a post-secondary institution, whether it be a college or university, to be an “eligible student.”

Essentially what FERPA does is take all rights given to parents or legal guardians and transfers them to the eligible student. The student then has the right to access his or her records, to have control over personally identifiable information from the records and file a complaint with the department, should it ever be necessary.

What people may not know is that FERPA applies to student records at the campus health clinics, too. In terms of privacy, college medical records do not count as “real” medical records. The FERPA FAQ page states that these records “will either be education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule.”

The Health Insurance Portability and Accountability Act was enacted by Congress in 1996 to improve the healthcare system’s efficiency by establishing “national standards and requirements for electronic healthcare transactions” and to protect the security of “individually identifiable health information.” Collectively, these are known as HIPAA’s Administrative Simplification provisions.

The HIPAA Privacy Rule requires covered entities to implement various safeguards to protect patient privacy and set limits and conditions on uses and disclosures that “may be made of such information without patient authorization.” Covered entities include health plans, health care clearinghouses and health care providers who transfer health information in an electronic form, according to the U.S. Department of Health and Human Services.

University health and counseling clinics would normally be considered covered entities according to HIPAA, and therefore the HIPAA Privacy Rule would protect student medical records. The problem is, while FERPA does differentiate between “treatment records” and “education records,” the same disclosure rules apply to both: “A school may disclose an eligible student’s treatment records for purposes other than the student’s treatment provided that the records are disclosed under one of FERPA’s exemptions to written consent.”

One such exemption is when a student sues the institution.

How to Protect Yourself

Whether or not anyone realized it at the time, the University of Oregon’s actions were, in fact, legal, because of the FERPA exemption. An education-law loophole allowed the administration to access medical records.

Institutions across the nation have been feeling increasing pressure to improve both their prevention and response to sexual assault. Some universities created counseling clinics for victims of assault or improved upon existing ones. Programs were fashioned or rebranded and students are encouraged to seek guidance and help through the university. But what if going through the school isn’t the safest option?

Arguably the best way for students to protect their privacy is to seek counseling outside of their post-secondary institution. They simply will not have adequate privacy protection through the school. The problem is, there’s no guarantee that students can find off-site centers that provide free services or even services at a relatively affordable cost. Additionally, most student health plans won’t pay for students who seek counselors who are not a part of the institution’s counseling center.

For these students, this means choosing between therapy they need but cannot afford at a place where they feel safe, or free on-site therapy provided by an institution they are not certain they can trust. True, the University of Oregon could be an isolated incident, and I hope this is the case, but that doesn’t change the discrepancies and holes in these policies.

What good are education laws that require frequently-asked-question sheets to clear the confusion that surrounds them?

Of what use are these privacy laws if they cannot fully protect us?

Kishan Patel's curator insight, March 11, 2015 8:15 PM

The Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act are our healthcare's biggest bureaucracies that are put into place to protect people. I did not realize that they were also linked with universities and colleges across the nation. The connection between the bureaucracies and the college led to student information getting leaked, and I disagree with their actions and how they decided to handle the situation. The bureaucracies should have taken action and are in charge of protecting information, but are putting private information into the world. The carelessness of the bureaucracies led to a girl's life getting ruined, and that is why I disagree with their policies and regulations.


When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly-prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies. Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance coverage. An article published recently in the New England Journal of Medicine suggests that, although the ACA increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI).  I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird.  The conference was well-attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system. Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies. Patient A put his own information into the PAP system after learning about the PAP from a TV ad. Patient B let her physician put her information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach.  A follow up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and individually identifiable information they maintain) and when it doesn’t.

Anthem Refuses Full IT Security Audit

A federal watchdog agency says Anthem Inc. has refused to allow it to conduct vulnerability scans of the health insurer's systems in the wake of its recent massive data breach affecting 78.8 million individuals. Anthem also refused to allow scans by the same agency in 2013.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem has refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency on its systems.

"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' - what we call a 'limited scope audit' - that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman explains. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Under the standard FEHBP contract that OPM has with insurers, however, insurers are not mandated to cooperate with security audits, the OIG spokeswoman tells ISMG. Amendments are sometimes made to insurers' federal contracts to specifically require full audits, she says, and the OIG is now seeking such an amendment to Anthem's FEHBP contract.

The OIG says in a statement that after the recent breach was announced by Anthem, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"

In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

Anthem did not respond to ISMG's request for comment.

2013 Audit

In January 2013, when the OIG initiated an IT security audit, Anthem imposed restrictions that prevented auditors from adequately testing whether it appropriately secured its computer information systems, according to the agency's statement.

"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack," the OIG says.

The agency says its objective in conducting scans "is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization's overall process to securely configure its computers."

When the OIG requested to perform this test at Anthem in 2013, "we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," the agency said.

"In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work," the OIG says regarding the 2013 audit. "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."
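The "configuration compliance test" the OIG describes, and the routine server-configuration monitoring it could not find evidence of, both boil down to the same mechanism: compare each sampled server's configuration against a written baseline and record every deviation. The script below is an added illustration of that mechanism and is not OIG, OPM or Anthem tooling; the baseline directives and the two sshd_config samples are constructed for the example, and a real baseline would come from the organization's own hardening standard.

```python
"""Baseline configuration compliance check over sshd_config content.

Added example: not OIG, OPM or Anthem tooling. BASELINE and SAMPLE_HOSTS are
constructed for illustration; a real baseline comes from the organization's
own hardening standard, and real input comes from the sampled servers.
"""
from typing import Callable, Dict, List, Tuple

# directive -> (predicate on the configured value, rule text for the finding).
# Assumed baseline for illustration only; it is not a published standard.
BASELINE: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "PermitRootLogin": (lambda v: v.lower() == "no", "must be 'no'"),
    "PasswordAuthentication": (lambda v: v.lower() == "no", "must be 'no'"),
    "PubkeyAuthentication": (lambda v: v.lower() == "yes", "must be 'yes'"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "must be 4 or fewer"),
    "X11Forwarding": (lambda v: v.lower() == "no", "must be 'no'"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive (lowercased): value} for the global section.

    sshd keywords are case-insensitive and sshd honors the FIRST occurrence of
    a directive, so a later duplicate never overrides an earlier one. Lines
    from the first 'Match' onward are conditional blocks that need the
    connecting user/host to evaluate, so they are left out of this check.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_compliance(settings: Dict[str, str],
                     baseline=BASELINE) -> List[str]:
    """One finding per baseline directive that is unset or out of policy.

    An unset directive is reported as well: the server would then be running
    on the compiled-in OpenSSH default, which this baseline (by assumption)
    does not accept as evidence of a deliberate configuration.
    """
    findings: List[str] = []
    for directive, (is_ok, rule) in baseline.items():
        value = settings.get(directive.lower())
        if value is None:
            findings.append(f"{directive}: not set explicitly ({rule})")
        elif not is_ok(value):
            findings.append(f"{directive}={value}: {rule}")
    return findings


def audit_sample(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over a sample of hosts, as an auditor samples servers."""
    return {host: check_compliance(parse_sshd_config(cfg))
            for host, cfg in hosts.items()}


# Constructed sample: two hosts' sshd_config contents (not real servers).
SAMPLE_HOSTS = {
    "app01": """
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
""",
    "app02": """
permitrootlogin yes
PasswordAuthentication yes
MaxAuthTries 10
# Too late: sshd already took the first PermitRootLogin value above.
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
""",
}

if __name__ == "__main__":
    for host, findings in audit_sample(SAMPLE_HOSTS).items():
        print(f"{host}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as-is it reports app01 as compliant and lists five findings for app02, including the root-login value that the later duplicate line did not fix. The point for an audit is less the individual findings than the fact that the check is scripted: run it on a schedule, keep the reports, and there is the "program in place to routinely monitor the configuration of its servers" that the OIG was looking for.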

Earlier Findings

Although Anthem refused to allow OIG auditors to conduct the vulnerability testing, the insurer did allow the watchdog agency to conduct an information systems general and application control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem, formerly known as WellPoint, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that WellPoint has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.

The report on that 2013 audit also said in summary: "Nothing came to our attention to indicate that WellPoint does not have an adequate security management program."

However, the OIG says in its March 4 statement, "As a result of the scope limitation on our audit work and Anthem's inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem's computer servers maintain a secure configuration."

After the 2013 partial audit, the OIG says it contacted OPM management about its concerns regarding auditors' limited access to Anthem systems. "After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision has proven to be insufficient, and we are currently working with OPM to further amend the contract."


Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches


Last year, several high-profile security incidents occurred at healthcare organizations where a HIPAA Security Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRAs are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?
  • Why HIPAA Risk Assessments are necessary but not sufficient
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation plan and ongoing risk management, the HSRA itself is of little value. Further, many HSRAs are too limited in scope, focusing only on policies or "low-hanging fruit" while ignoring more critical and complex risks.

From 2010 to 2013, the vast majority of PHI breaches resulted from lost or stolen portable devices. In 2014, the landscape changed: hackers went on the attack, attracted by the high value of large stores of PHI, and millions of health records were stolen. Hackers typically exploit vulnerabilities in network infrastructure or in web applications; in addition, individual credentials are often compromised through phishing email attacks. Were these risks identified in your HSRA?
