HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Data Backup Plan and Disaster Recovery Plan


The requirements for a HIPAA data backup plan and a disaster recovery plan are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.


The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).




Backed-up data must be recoverable: a copy that cannot actually be restored does not satisfy the requirement.


The requirement that data be capable of being recovered comes from a related provision of the contingency plan requirement – the disaster recovery plan requirement.


Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including which identifiers it contains.


The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.


There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:


Backup #1 (Local Storage Backup): The first kind of backup (Backup #1) is a backup to a local, onsite appliance. Backup data is stored on a local storage device, such as a dedicated backup appliance, an external hard drive, or optical media. Local backups restore quickly, but a copy that stays connected and writable is exposed to the same ransomware or hardware failure that destroys the production data, so it should never be the only copy.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup, which consists of either backing up data to the cloud or storing backup media at an offsite facility. Storing backup data with a HIPAA-compliant cloud provider allows an organization to retrieve information from the cloud whenever network connectivity is available; because the provider holds ePHI on your behalf, it is a business associate and a business associate agreement must be in place.

Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery if the local, onsite backup is destroyed or damaged because the premises themselves have been damaged by an emergency such as an earthquake or flood.

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between backups and disaster recovery is a matter of scope. A backup is a copy of the data itself.

A backup plan does not, by itself, address how the organization responds to a disaster. A disaster recovery (DR) plan, in contrast, is a strategy for responding to a disaster event, and that response includes deploying the backups, in other words, putting the backups into action.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.


Step 1: Performing a Business Impact Analysis (BIA)


A business impact analysis (BIA) is a thorough assessment and inventory of an organization's information systems and the data they hold.


In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations.


The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.


Step 2: Performing a Risk Assessment


Conducting a risk assessment consists of identifying and evaluating hypothetical events that could disrupt your business. These include natural disasters, such as hurricanes, blizzards, earthquakes, and floods, and man-made events, such as active shooter situations, acts of terror, and ransomware attacks that block access to patient data.

When conducting the risk assessment, an organization should consider every plausible incident type and the likelihood of its occurrence, together with the nature and severity of the impact each incident would have on the organization's ability to continue delivering its normal business services. This disaster-focused assessment complements, and does not replace, the broader risk analysis the Security Rule requires for all threats to ePHI.


In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each incident type. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • Advice from first-responder organizations; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).


Step 3: Create a Risk Management Strategy


Once you have identified your data and processes, the business impact of disruptions to them, and the likelihood of each disaster, you should develop a risk mitigation strategy. This strategy should specify concrete backup solutions and disaster recovery procedures for critical data.

Factors to consider in developing a strategy include, among others: legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which state how much data, measured as a span of time, an organization can afford to lose in a disaster and therefore how frequently backups must be taken; and recovery time objectives (RTOs), which state how quickly an organization must restore IT services and infrastructure after a disaster in order to maintain business continuity. Each system identified in the BIA should have its own RPO and RTO, with the most critical systems given the tightest values.


Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan


Once the risk management strategy is in place, you must run test scenarios to confirm that the strategy works as designed. Testing exercises can differ in complexity, from a tabletop walkthrough of the plan to a full restore of systems from backup.

The goal of any testing exercise is to confirm that data has been backed up in accordance with your recovery point objectives, that it can be restored within your recovery time objectives, and that the strategy actually works end to end.

Once testing has confirmed that the risk management strategy is sound, the strategy is "ready to use." Bear in mind, however, that testing should not be conducted only before strategy rollout.

Testing should be repeated on a regular schedule, after significant changes to systems or vendors, and especially after an incident occurs, so that you can refine and adjust the strategy you deploy.
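The "exact, retrievable copies" requirement of the data backup plan and the RPO-based testing in Steps 3 and 4 come down to one operational check: can the backup actually be restored, and does what comes back match the original? The following Python script is an added example written for this page; it is not code from the original article or from any HHS guidance. It builds a constructed sample tree (fictitious records standing in for ePHI), backs it up together with a SHA-256 manifest, performs a test restore and compares every restored file against the manifest, then deliberately corrupts one byte of the backup to show the check failing. It also compares the backup's age against an assumed 24-hour RPO. The manifest file name, the directory layout, and the RPO value are assumptions.

```python
# Added example, not code from the original article: a restore test for a HIPAA
# data backup. It copies a source tree, stores a SHA-256 manifest with the copy,
# restores from the copy and proves the restore matches byte for byte, then
# checks the backup's age against an assumed recovery point objective (RPO).
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the hash manifest


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (by relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def take_backup(source: Path, backup: Path, taken_at: float) -> dict:
    """Copy source to backup and store the hashes and timestamp with the copy."""
    shutil.copytree(source, backup, dirs_exist_ok=True)
    manifest = {"taken_at": taken_at, "files": build_manifest(source)}
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> tuple[bool, list[str]]:
    """Restore from backup, then compare every restored file to the manifest.
    Returns (ok, problems); a missing, extra, or altered file is a problem."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    shutil.copytree(backup, restore_to, dirs_exist_ok=True,
                    ignore=shutil.ignore_patterns(MANIFEST_NAME))
    restored = build_manifest(restore_to)
    problems = []
    for rel, expected in manifest["files"].items():
        actual = restored.get(rel)
        if actual is None:
            problems.append(f"missing after restore: {rel}")
        elif actual != expected:
            problems.append(f"digest mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest["files"].keys()):
        problems.append(f"unexpected file: {rel}")
    return (not problems, problems)


def rpo_met(taken_at: float, now: float, rpo_seconds: float) -> bool:
    """True if the newest backup is no older than the RPO allows."""
    return (now - taken_at) <= rpo_seconds


def run_demo() -> dict:
    """Back up a constructed sample tree, restore-test it, then corrupt it."""
    work = Path(tempfile.mkdtemp())
    source, backup, good, bad = (work / n for n in ("ehr", "backup", "r1", "r2"))
    source.mkdir()
    # Constructed, fictitious records standing in for ePHI; not real data.
    (source / "patients.csv").write_text("mrn,name\n1001,Test Patient A\n")
    (source / "imaging").mkdir()
    (source / "imaging" / "study-1.bin").write_bytes(bytes(range(256)) * 8)

    taken_at = time.time()
    take_backup(source, backup, taken_at)
    clean_ok, _ = restore_and_verify(backup, good)

    # Simulate silent media corruption: flip one byte in the stored copy.
    damaged = backup / "imaging" / "study-1.bin"
    data = bytearray(damaged.read_bytes())
    data[0] ^= 0xFF
    damaged.write_bytes(data)
    tampered_ok, tampered_problems = restore_and_verify(backup, bad)

    # Assumed 24-hour RPO, checked one hour after the backup and for a copy that is 31 hours old.
    now = taken_at + 3600
    result = {
        "clean_restore_ok": clean_ok,
        "tampered_restore_ok": tampered_ok,
        "tampered_problems": tampered_problems,
        "rpo_met_recent": rpo_met(taken_at, now, 24 * 3600),
        "rpo_met_stale": rpo_met(taken_at - 30 * 3600, now, 24 * 3600),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script to see the result. In practice the same comparison would be run on a schedule against restores from both the onsite appliance and the offsite copy, and every run, including failures, would be logged as evidence for the testing and revision procedure.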


Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


10 Reasons to be HIPAA Compliant


Here is a reprint of a recent online article submitted by Nick McGregor and posted by CMIT Solutions. #7 on the list calls for an increase in enforcement of HIPAA compliance by HHS. More of an incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

  1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000 per year to $1,500,000 per year for identical violations. Where non-compliance amounts to willful neglect, investigation and penalties are mandatory, and an investigation can be triggered by any complaint, breach report, or discovered violation.
  2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.
  3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.
  4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.
  5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.
  6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
  7. The Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities, calling for professionals with experience in privacy and security compliance and enforcement.
  8. State Attorneys General are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.
  9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff who access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of the training provided must be retained for six years.
  10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.

Electronic data breach planning: 4 tips for reducing liability risk | Lexology


There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in defining what constitutes a data breach and the obligations that arise from one. Like most states' laws, Kentucky's does not cover breaches of financial or health information, which are governed by federal law under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increases that risk.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in context of computer hacking, however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his/her cellphone containing personal information of a customer. As such, most companies today, no matter size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for a breach and proactively adopting preventive measures is the most important thing you can do to limit potential liability. Being prepared can save you time, likely a significant amount of money, and much of the reputational harm associated with a data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered "personal information" under certain state laws. In addition, many state laws do not require action or impose liability if the compromised data was encrypted (typically on the condition that the decryption key was not also exposed). Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you use best-in-class systems to prevent a breach and that you test those systems and your response plan on a consistent schedule will help demonstrate that you are meeting the duty of care you owe your customers.

Not only will the steps above help limit any liability your company may face if a data breach occurs, they will also likely allow you to identify gaps in your data security and so prevent a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.


Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan | JD Supra

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business – and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.


State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology


When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, thus these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality, it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.


How To Prevent A Natural Disaster From Becoming A HIPAA Disaster


Over the past few years, many natural disasters have hit the United States and had direct impacts on healthcare organizations, such as the direct hit on the hospital by a tornado in Joplin, Missouri, or the flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power or a bad network connection? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization's ability to access patient data. When disasters happen and impact access to patient information, it is easy for the healthcare organization to panic and not know what to do. We all know how vital it is to treat patients using the most up-to-date information, so planning is essential to prepare your organization for disasters and emergencies.


The HIPAA Security Rule requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under the Security Rule's contingency plan standard (45 CFR § 164.308(a)(7)), a contingency plan should consist of the following five elements. The first three are required implementation specifications; the last two are addressable, which does not mean optional: an organization must either implement them or document why an alternative is reasonable and appropriate.

  1. Data backup plan (for all systems with protected health information)
    • Document how your data is backed up, including the location of the backups, the backup process, and the frequency of backups. If a third-party vendor performs the backups, define a process to confirm that each backup completed successfully and a process for handling failed backups.
  2. Disaster recovery plan
    • Once the emergency is over, the disaster recovery plan defines the steps the organization must take to restore data and systems to their original operating status. This includes what information must be added back into the system and the specific order in which data is to be restored.
  3. Emergency mode operation plan
    • Define the process that ensures critical business functions continue while the emergency is happening and information is unavailable. This includes how data may be accessed, how care will be documented while systems are unavailable, what additional security measures will be used, whom to contact and when, and how the organization will continue to provide patient care. Emergency mode operations may look different depending on the disaster.
  4. Testing and revision procedures
    • The contingency plan should be tested regularly and updated as needed. The revised contingency plan should be provided to the appropriate people within the organization.
  5. Applications and data criticality analysis
    • List each system that houses protected health information within the organization and rank its criticality (importance) to the organization. The output of this step is a list of every software application that holds PHI and its importance to daily operations. The goal is to understand the data and know which systems must be brought back up before others.


The other big task with a contingency plan is to train the workforce. Your workforce should know and understand the processes to follow in the event that information becomes unavailable or your network is blocked off by a hacker. Workforce members should feel confident and comfortable working in emergency mode with minimal or no access to information.

A contingency plan doesn’t have to be complex, but it should be written. In a recent discussion with a Senior Underwriter for Cybersecurity Insurance, he stated that he asks for the organization emergency preparedness plan when assessing and processing a cybersecurity insurance quote.

Don’t assume nothing will happen to your organization. Some plan is better than no plan, so start having the conversation and creating the processes now. Also, make sure you take time to test the process to ensure that it works effectively for your organization. You want to feel confident in your plan so that if the unthinkable happens, you are prepared.

Technical Dr. Inc.'s insight:
Contact details:

inquiry@technicaldr.com or 877-910-0004


Time to Get Real About Data Breaches

At the CHIME-iHT2 Lead Forum on Data Security, held March 2 at the Hyatt Fisherman’s Wharf in San Francisco and co-sponsored by the College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics under the two organizations’ umbrella parent, the Vendome Group, LLC), Mac McMillan, the CEO of the Austin, Tex.-based CynergisTek, offered a bracing yet carefully balanced portrait of the current data security landscape in healthcare to an audience of healthcare IT executives.

Among other comments he made, McMillan, long a data security guru in healthcare, spoke out about the recent, massive data breach at Anthem Inc. “Per Anthem,” he said, “people were missing the point” in most comments on that breach. “There is not an organization on this planet that can keep from being hacked,” McMillan said bluntly. “All it takes is one mistake, one misconfiguration, one missed patch, etc., to create entrée to someone trying to get in the door. But what shouldn’t be so easy is to exploit the network once you’re in and to be able to move around and extract so much data,” he said. “It’s like if Mrs. McMillan and I are sitting in our living room and the Fifth Infantry marches through our living room, and we don’t notice. We may not be able to stop people from getting in, but we should be able to react once they get in.”

One of the key problems, McMillan told his audience, is that “We have become over-reliant on our systems. In any hospital today, over 90 percent of their processes are automated, and over 90 percent of their data is digitized. When I started in healthcare 15 years ago,” he noted, “the average number of people who looked at a record in an encounter was fewer than 50; today, that number is more than 150, and fewer than half are in the hospital or involved directly in care. It is amazing the number of people who are actually touching our data,” he added. “And the main risk is still from people on the inside—either making mistakes, or doing things deliberately.”

Per that, McMillan added that CEOs and other senior patient care organization executives need to allow their chief information security officers (CISOs) to share with them the blunt truth about the risks and issues they face in their organizations, and provide the support and resources needed to gain realistic control over their data security situations.

What are some of the current developments to be thinking about right now in the data security arena? As McMillan noted, “A survey last year found that 51 percent of CISOs said that they believed the negligent insider was their biggest threat, while 37 percent said security end-user training was ineffective. I think that number was low, actually,” he said, referring to perceptions of the effectiveness of end-user training. “In fact, most people in hospitals are still basing their training on compliance requirements rather than security requirements, which is a big mistake,” as compliance-based training is far too weak, he said.

Of course, even when adequate training is done, there will be individuals doing the wrong things, and catching them is not a simple process, McMillan noted. “Traditional data auditing methods aren’t going to catch a lot of this activity,” he said. “What we need is behavior modeling and pattern detection. When you look at people inside who breached any particular system, they often didn’t break any rules from a compliance perspective, but had a different behavioral pattern from everyone else. So instead of looking at 50 records a day like their colleague, the admitting person who is breaching patients’ records will have looked at 150 records a day, because they’re surfing, looking for information. And they get brazen over time,” he noted. “We’ve had three cases this year already” that his consulting firm was called on to address, “where they caught individuals who had been doing this for over seven years. And these hospitals implemented a privacy monitoring program and looked for patterns, and then they suddenly realized what was going on and caught them.”
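The peer-baseline check McMillan describes, as an added example in Python that is not code from the article, CynergisTek, or any product mentioned: it builds a constructed EHR access-audit log (five admitting clerks over three days, one of whom views three times as many records as the others), counts distinct patient records each user touched per day, and flags a user whose count exceeds twice the median of peers in the same role on the same day. The user names, role, dates, and the 2x ratio are assumptions chosen for illustration; the "brazen over time" point is covered by a second function that counts how many days each flagged user recurs.

```python
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample audit log (not real data): one tuple per record view,
    shaped (date, user, role, patient_id). clerk5 mirrors the 50-vs-150 pattern."""
    rows = []
    days = ["2015-03-02", "2015-03-03", "2015-03-04"]
    views_per_day = {"clerk1": 48, "clerk2": 52, "clerk3": 50,
                     "clerk4": 47, "clerk5": 150}
    for day in days:
        for user, n in views_per_day.items():
            for i in range(n):
                # Patient ids are distinct within a user/day; overlap between
                # users is fine because counts are taken per user.
                rows.append((day, user, "admitting", f"P{i:04d}"))
    return rows


def distinct_patients_per_user_day(rows):
    """Return {(date, role, user): set(patient_ids)} from audit rows."""
    seen = defaultdict(set)
    for date, user, role, patient in rows:
        seen[(date, role, user)].add(patient)
    return seen


def flag_outliers(rows, ratio=2.0, min_peers=3):
    """Return [(user, role, date, count, peer_median)] for users whose distinct
    record views on a day exceed ratio * the leave-one-out median of peers in
    the same role. Groups with fewer than min_peers users are skipped because
    a baseline built from one or two people is not meaningful."""
    seen = distinct_patients_per_user_day(rows)
    counts_by_group = defaultdict(dict)
    for (date, role, user), patients in seen.items():
        counts_by_group[(date, role)][user] = len(patients)

    flags = []
    for (date, role), counts in sorted(counts_by_group.items()):
        if len(counts) < min_peers:
            continue
        for user, n in sorted(counts.items()):
            peers = [c for u, c in counts.items() if u != user]
            peer_med = median(peers)
            if n > ratio * peer_med:
                flags.append((user, role, date, n, peer_med))
    return flags


def repeat_offenders(flags, min_days=2):
    """Return {user: number_of_flagged_days} for users flagged on at least
    min_days distinct days; persistence separates a one-off busy day from a
    pattern worth a privacy-office review."""
    days_by_user = defaultdict(set)
    for user, _role, date, _n, _med in flags:
        days_by_user[user].add(date)
    return {u: len(d) for u, d in days_by_user.items() if len(d) >= min_days}


if __name__ == "__main__":
    log = build_sample_log()
    for user, role, date, n, med in flag_outliers(log):
        print(f"{date} {role}/{user}: {n} distinct records vs peer median {med}")
    print("repeat offenders:", repeat_offenders(flag_outliers(log)))
```

The leave-one-out median keeps the outlier's own count from inflating the baseline, which matters in small departments; in production the same logic would run over the EHR's access audit export rather than a constructed list, with the role taken from the identity system rather than the log line.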

The reality, McMillan stressed, is that the breaching is only going to get worse over time, because of the value of the intellectual property in U.S. patient care data, and also because of the monetary value involved in hacking into individual patient records. But, he said, at the same time, “You can’t throw in the towel; we do have victories out there. And part of the problem is that we only talk about the problems.” Indeed, he noted, “Last week, in addition to dealing with the reporters, and asking my opinion about recent breaches, we also had two hospitals we work with, where my teams were able to help them avert a breach, because they detected what was going on early, were able to quickly isolate and eradicate the issue, and they were able to get back online within a few hours.”

It’s important for people to know, McMillan said, that “Those victories happen every day in healthcare, but we don’t talk about those. And we don’t celebrate the victories in healthcare IT. And we do need to talk about the things that go right. There’s still stuff going on out there, but when we have the right people and processes in place, it doesn’t have to end badly all the time. And I think we need to do a better job of that in healthcare IT security.”


Threat Info Sharing: Time for Leadership


The healthcare sector has a big problem. There's a great deal of information security immaturity and a lack of resources among smaller clinics, rural hospitals and other organizations. In the push to exchange electronic patient data nationwide, those entities are potential weak links in the security chain.

More has to be done to ensure these smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are prepared to mitigate them. That potentially requires more handholding from federal agencies - such as by issuing timely cyber-alerts and guidance. But it also means broader outreach and more affordable membership fees for information sharing organizations, such as the National Health Information Sharing and Analysis Center and others, so that the little guys are also in the cybersecurity intelligence loop.


Last week, the Department of Health and Human Services took an important initial step toward addressing the issue of improving cyberthreat information sharing. HHS announced it would investigate various options to ensure important cyber-intelligence gets to all healthcare organizations, regardless of size. It's weighing whether to establish another ISAC for the healthcare sector or bolster the capabilities of an existing organization.

It's good to see that HHS is focusing attention on an important issue, although the move is long overdue. Now, it's time for the agency to take prompt leadership action, because improving accessibility to cyberthreat intelligence for organizations of all sizes is urgent, in light of growing evidence that the healthcare sector is increasingly being targeted by hackers.

For example, Boston Children's Hospital was hit by a distributed-denial-of-service attack earlier this year. And Community Health Systems fell victim to a hack attack, perhaps involving the Chinese, that exposed millions of records.

The old adage says that you're only as strong as your weakest link. At a time when healthcare providers are being urged by the federal government to exchange electronic patient records to improve the quality of care - and consumers want to share health data they collect on their own wearable gadgets - we must eliminate weak spots. That means we must make sure, for instance, that providers of all sizes and types have timely access to information about new malware, software flaws or cyberthreats - and the steps they need to take to mitigate those issues.


Phishing, ransomware attacks on health industry to rise


While security experts predict increased cyberattacks on healthcare organizations in 2015, they foresee phishing and ransomware posing particular challenges.

Phishing emails try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network, according to an article in iHealthBeat by John Moore of Chilmark.

"Phishing emails often provide the entry point," Scott Koller, a lawyer at BakerHostetler, says in the article.

Ransomware allows cybercriminals to hold data hostage while they demand payment to unlock it. If they demand to be paid in Bitcoin, a digital currency, they can be difficult for law enforcement officials to track down.

Cybercriminals are growing more sophisticated in their ransomware attacks, according to an article at NPR. Increasingly, they use the anonymous online network Tor to conceal all communication between the attacker and victim, preventing even top executives from identifying and blaming a particular employee.

In the face of increasing threats, healthcare organizations are boosting their security efforts, according to the iHealthBeat article. Among their top priorities are:

  • Encryption and mobile device security
  • Two-factor authentication
  • Security risk analysis
  • Advanced email gateway software
  • Incident response management

"Encryption very much needs to be on everybody's radar," Koller says. In September, Forrester Research reported that only about half of healthcare organizations secure data using full-disk encryption or file-level encryption.

Just last week, Experian's 2015 Data Breach Industry Forecast called healthcare "a vulnerable and attractive target for cybercriminals." While predicting more data breaches, it noted that many doctors' offices, clinics and hospitals may not have adequate resources to safeguard patients' personal health information.
