HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

The Bottom Line on HIPAA Compliance and Your Email 


Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.


Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, 45 CFR § 164.530(c), the citation in that answer, is simply a section of the HIPAA regulations; it requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

45 CFR Part 164, Subpart C, which HHS referenced above, is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

  • Access control
    Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.
  • Unique user identification and identity verification
    Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.
  • Data integrity
    Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.
  • Encryption and decryption
    A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.
  • Transmission security
    Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.
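As an added example (not code from the original article), here is a Python audit of a received message's headers against the five safeguards above: it checks whether each Received hop advertised TLS, whether your own MTA's Authentication-Results verdicts (SPF/DKIM/DMARC) authenticated the sender domain, and whether the body carries an end-to-end signature or encryption (S/MIME or PGP/MIME). The sample message, hostnames, ids and signature values are constructed for this example.

```python
"""Header audit for a received e-mail, mapped to the HIPAA Security Rule
technical safeguards listed above (45 CFR 164.312). Added example, not
from the original article: the message, hosts and ids are constructed."""
import re
from email import message_from_string, policy

# Constructed sample: the hop into the hospital MX used STARTTLS (ESMTPS),
# but the workstation-to-clinic-MX hop was plain ESMTP. Signature values
# are placeholders, not real DKIM data.
SAMPLE_RAW = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
\tby mail.example-hospital.test with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
\tMon, 2 Mar 2015 09:00:00 -0500
Received: from workstation.example-clinic.test ([198.51.100.7])
\tby mx.example-clinic.test with ESMTP id def456;
\tMon, 2 Mar 2015 08:59:58 -0500
Authentication-Results: mail.example-hospital.test;
\tspf=pass smtp.mailfrom=example-clinic.test;
\tdkim=pass header.d=example-clinic.test;
\tdmarc=pass header.from=example-clinic.test
DKIM-Signature: v=1; a=rsa-sha256; d=example-clinic.test; s=sel1;
\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Dr. Example <dr@example-clinic.test>
To: referrals@example-hospital.test
Subject: Referral
Content-Type: text/plain; charset="utf-8"

Patient referral details follow.
"""

# Postfix/Sendmail-style "with ESMTPS"/"ESMTPSA" and Exchange-style
# "version=TLS1_2" both indicate the hop was protected by TLS.
_TLS_HOP = re.compile(r"\bwith\s+\S*SMTPSA?\b|\bversion=TLS", re.I)
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def audit_message(raw, trusted_authserv):
    """Return per-safeguard findings for one raw RFC 5322 message.

    trusted_authserv is the authserv-id of *your* receiving MTA; an
    Authentication-Results header claiming any other id is ignored,
    because an upstream sender can insert a forged copy of that header.
    """
    msg = message_from_string(raw, policy=policy.default)

    # Transmission security: every Received hop should show TLS.
    hops = [_unfold(h) for h in msg.get_all("Received", [])]
    hop_tls = [bool(_TLS_HOP.search(h)) for h in hops]

    # Identity verification: SPF/DKIM/DMARC verdicts from our own MTA only.
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        ar = _unfold(ar)
        authserv = (ar.split(";", 1)[0].split() or [""])[0]
        if authserv == trusted_authserv:
            auth.update((k.lower(), v.lower()) for k, v in _AUTH_RESULT.findall(ar))

    # Integrity and confidentiality beyond transport: S/MIME or PGP/MIME.
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    signed = ctype == "multipart/signed" or smime_type == "signed-data"
    end_to_end_encrypted = ctype == "multipart/encrypted" or smime_type == "enveloped-data"

    gaps = []
    if not hops or not all(hop_tls):
        gaps.append("transmission security: at least one hop lacked TLS")
    if auth.get("dmarc") != "pass":
        gaps.append("unique user identification: sender domain not authenticated (DMARC)")
    if not signed:
        gaps.append("data integrity: no end-to-end signature (S/MIME or PGP/MIME)")
    if not end_to_end_encrypted:
        gaps.append("encryption: body not encrypted end to end")

    return {
        "hops": hops,
        "hop_tls": hop_tls,
        "auth": auth,
        "signed": signed,
        "end_to_end_encrypted": end_to_end_encrypted,
        "gaps": gaps,
    }


if __name__ == "__main__":
    report = audit_message(SAMPLE_RAW, "mail.example-hospital.test")
    for hop, ok in zip(report["hops"], report["hop_tls"]):
        print(("TLS  " if ok else "PLAIN"), hop[:60])
    print("auth:", report["auth"])
    for gap in report["gaps"]:
        print("GAP:", gap)
```

Even with every hop on TLS and DMARC passing, the sample still reports integrity and encryption gaps, which is the article's point: transport protections alone do not give you end-to-end controls on ePHI.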

When does HIPAA require more than encryption?


Encryption of sensitive electronic personal health information (ePHI) on mobile devices – including PCs – is often considered sufficient to protect that data well enough to achieve HIPAA compliance. However, it’s important that those handling this data understand the circumstances where encryption alone is not enough.

These situations do exist – and can be nightmares if they occur. The Department of Health and Human Services' HIPAA Security Rule describes satisfactory encryption as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” That last part means that encryption is only adequate as a safeguard for HIPAA-protected ePHI if the situation is such that the encryption still secures the data.

There are several scenarios where even encrypted data can be breached relatively easily and, unfortunately, there are many real world examples of each of these scenarios occurring. The trouble with encrypted data is that it needs to be decrypted to be useful to those who would access it legitimately, and the bad guys will look to take advantage of those moments when encryption’s defenses are down. Encryption is a powerful defense for data when a device’s power is off and for when the password is unknown and can’t be learned or hacked. But putting it that way, we’ve actually rather narrowly defined where encryption is effective.

Here are some cases where it isn’t.

1. The data thief gains the password needed to get around the encryption on an ePHI-filled device. This can happen when the password is stolen along with the device - for example, if a laptop is taken along with a user’s notepad containing the password needed to access ePHI. HIPAA requires not only encrypting sensitive data but also paying attention to the safety of passwords or any such methods of access. Bad password security effectively negates encryption. Too often we’ve seen a sticky note of passwords attached to a laptop – or even passwords written on USB devices themselves – which is a great example of an encryption that is not HIPAA-secure.

In another type of case at Boston’s Brigham and Women’s Hospital, a physician was robbed at gunpoint and threatened into disclosing the pass codes on the laptop and cellphone that were taken from him, each of which contained ePHI. The doctor appears to have done all that could be done to comply with HIPAA as far as keeping data encrypted, but when forced to choose between personal health information and actual personal health, he made the reasonable choice. Still, the incident was a HIPAA breach, requiring patients and officials to be notified.

2. The stolen device is already running and an authorized user has already been authenticated. In this scenario, the legitimate user has already given his or her credentials and has a session accessing ePHI running when an unauthorized user gains control of the device. HIPAA contains measures to minimize the likelihood of this scenario, calling for the issue to be addressed with automatic log-off capability to “terminate an electronic session after a predetermined time of inactivity.” Still, authorized users should take care to close out sessions themselves if stepping away from their devices and leaving them unguarded.

3. A formerly authorized user becomes unauthorized, but still has access. This can happen when an employee quits or is terminated from a job but still possesses hardware and passwords to bypass encryption. A case such as this occurred at East Texas Hospital, where a former employee was recently sentenced to federal prison for obtaining HIPAA-protected health information with the intent to sell, transfer or otherwise use the data for personal gain. Criminals in these cases often use ePHI for credit card fraud or identity theft, demonstrating how important HIPAA safeguards can be to the patients they protect.

So how can ePHI be protected beyond encryption?

The safest security system to have in place when encountering each of these scenarios is one where the organization retains control over the data, and the devices containing ePHI are equipped with the ability to defend themselves automatically.

The fact is that employees will always seek and find ways to be their most productive, meaning that policies trying to keep ePHI off of certain devices are, for all intents and purposes, doomed to be burdensome and disrespected. For doctors and other healthcare staff, productivity trumps security. It’s best to take concerns around security off their plate and provide it at an organizational level. Organizations can implement strategies that maintain regular invisible communications between the IT department and all devices used for work with ePHI in a way that isn’t cumbersome to the user. Through these communications, the IT department can access devices to remotely block or delete sensitive data and revoke access by former employees. Software installed on devices can detect security risks and respond with appropriate pre-determined responses, even when communication can’t be established.

Given the high stakes of HIPAA compliance – where a single breach can lead to government fines and costly reputational damage – it would be wise for healthcare organizations to consider encryption only the beginning when it comes to their data security.


Unencrypted Devices Still a Breach Headache


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit - the loss or theft of unencrypted computing devices - is still putting patient data at risk.

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services' "wall of shame," which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA's IT administrator was transporting the hard drives to an offsite storage location as part of ISMA's disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group's request to comment on the breach, citing that there are "ongoing civil and criminal investigations under way."

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year's worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That's why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

"It is unfortunate that [encryption] is considered an 'addressable' requirement under HIPAA, as many people don't realize that this does not mean optional," says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

"Install encryption on laptops that handle PHI," he advises. "Don't store patient information on a smartphone or other mobile device."

Concerns about the cost and complexity of encryption are unfounded, Berger contends, because encryption has become more affordable and the process has been made easier.

"There have been arguments that encrypting backup media sent offsite is technically problematic," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "While it's true that encryption can add overhead, this has become a weaker argument in recent years."

But Borten acknowledges that organizations must look beyond encryption when safeguarding patient information. "Encryption is not a silver bullet," she notes. "For example, if a user leaves a laptop open, the otherwise-encrypted hard drive is accessible. But for portable devices and non-paper media, there is no equivalent security measure."

Borten notes that the most common reason cited for a lack of device encryption is a lack of adequate support and resources for overall security initiatives. "While all an organization's laptops might be encrypted - the easy part - there are mobile devices running on multiple platforms and personally owned devices and media that are harder to control," she notes. "It takes management commitment as well as human and technical resources to identify all those devices and bring them under the control of IT."

Room for Improvement

The 2015 Healthcare Information Security Today survey of security and privacy leaders at 200 healthcare entities found that encryption is being applied by only 56 percent of organizations for mobile devices. The survey, conducted by Information Security Media Group in December 2014 and January 2015, found that when it comes to BYOD, about half of organizations require encryption of personally owned devices; nearly half prohibit the storage of PHI on these devices. Only 17 percent of organizations say they don't allow BYOD.

Complete results of the survey will be available soon, as well as a webinar that analyzes the findings.

"Personally owned devices are definitely the Achilles heel," Berger says. "Healthcare organizations have to address BYOD head-on. It is a complicated and thorny issue, but 'looking the other way' is not an acceptable approach. We recommend clear decisions regarding acceptable use, reflected in policy and backed up by enforcement," he says.

"We have also seen [breaches] happen when an organization makes the decision to encrypt but then has a long roll-out plan and the lost/stolen devices had yet to be encrypted," he adds.

Steps to Take

To help reduce the risk of breaches involving mobile computing devices, Berger says organizations should make sure they have a mobile device use policy that's "clear, comprehensive and well-understood. We suggest calling it out as a separate policy that must be signed by employees. Back up policy with ongoing security awareness training and strong enforcement."

In addition, OCR advises covered entities and business associates to make use of guidance it has released with its sister HHS agency, the Office of the National Coordinator for Health IT. OCR also offers free online training on mobile device security.


Cybersecurity must be faced by industry head on


Less than a quarter of the way through 2015, tens of millions of healthcare consumers already have seen their personal information compromised--the most notable hacks so far being on health insurance providers Anthem and Premera.

The Anthem attack, announced in February, sent the industry reeling, with the unencrypted information of more than 78 million individuals compromised after hackers broke into a database.

Weeks later, it was revealed that at Premera Blue Cross, hackers gained access to the personal information of 11 million customers. The attack initially occurred May 5, 2014, but it was not detected by the Mountlake Terrace, Washington-based insurer until Jan. 29 of this year, Premera said on a website it set up to inform members about the incident.

Many in healthcare have said threats have to be taken seriously from the top all the way down--from the C-suite to the workforce.

"The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be tremendous improvement on protecting privacy and data security," Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School said during the HIPAA Summit in the District of Columbia last month. "Data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."

With all the trouble these kinds of breaches and attacks are causing healthcare organizations, it's no surprise that the Healthcare Information and Management Systems Society's conference in Chicago next week will be chock full of panels and events on the growing issue.

Educational sessions will address cybersecurity aspects that include upcoming HIPAA audits (though no date has been announced for when those will begin), data security and enforcement trends, and how to protect patients by staying ahead of such threats.


It’s Time to Rethink Security


I had a conversation with the CEO of a very progressive hospital recently and, as I sat in my home office afterwards reflecting on that discussion and the rest of that week’s events, which included near-miss security incidents at two other hospitals we work with, it occurred to me that we are addressing cyber security all wrong. And because we are coming at it all wrong, we are rewarding and punishing the wrong behaviors.

If we accept the fact that breaches are inevitable—which I believe we should due to the complexity of the environment today, the nature of the threat, the hyper-connected ecosystem we operate in, the sheer volume of transactions occurring, and the value placed on personal health information—then we should be focusing more attention on detection, both proactive and reactive, and our ability to respond. We should be rewarding CISOs who actively hunt for weaknesses in the operations, processes, controls, etc. at the organizations they support and who bring those risks to management’s attention early and work to remediate them. We should see boards and executive managers asking questions and expecting to be briefed on potential issues that could impact patient care or safety. We should see risk management programs that recognize information systems security incidents as a critical business risk that can affect hospital operations. We should see general counsels and compliance officers who view this as an important business issue that deserves independent audit just as finances and tax matters do. Information technology incidents should receive their own code (color/name) and be a part of the organization’s incident response process. The bottom line is: it’s high time that we start treating information security as what it is -- a critical business issue.

We need to attack our culture and change it. We need to provide our workforce with the knowledge and awareness that will protect our patients, information systems and data, and just as importantly the workforce themselves.  All over the country we are seeing healthcare systems beginning to perform social engineering and phishing exercises and failing miserably. The positive side of this is that they are doing it and raising their organizations’ awareness, but the negative side is that we are simply not changing fast enough. Challenging someone you don’t know or don’t recognize should not be a stressful decision. It should be a customer service issue. Challenge them to identify themselves and their purpose for being there. If they are in the wrong area help them to get to the right area and turn them over to another coworker. Explain that privacy and security are important at the institution and aid them in getting the assistance they need. It’s an opportunity to be helpful and at the same time reinforce an important cultural ethic of patient privacy and safety. We need to talk about and celebrate the things that go right, such as the incidents that are averted, or the ones that are detected and stopped before serious harm or compromise occurs. We should acknowledge the number of workforce members who identified a phishing email, not just the ones who clicked on and opened it.

As Gerry McGuire said, it's a cynical world out there, but we don’t have to, and shouldn’t, give in to that perception. Yes, incidents are inevitable, but compromise is not. Throwing in the towel and giving up is just not an option. The Ponemon Institute just recently published its 5th Annual Medical Identity Theft Study. It’s an easy read, and every healthcare executive should read it. It has some pretty illuminating things to say about what the consumer feels and expects, and it’s important to remember that consumers are your patients. Their confidence level that healthcare organizations can effectively protect their information is very low, but their expectation that we should be protecting their information is very high. That said, we should be assessing more often, testing our environment on a regular basis, running exercises and tabletops to increase readiness, providing more useful and relevant training for the workforce, as well as regularly reporting to committees, executive leadership and the board. The board should be requiring independent third-party assessment and audit of controls. In short, we should be investing in the business and our patients, in order to achieve our mission of providing quality care.


Data Encryption Is Key for Protecting Patient Data


According to the HIPAA Final Omnibus Rule, section 164.304 sets forth the following definition: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." Although encryption is considered an "addressable" issue, and not "required" or "standard," it really should be accounted for as "required." But why? Encrypting mobile devices, laptops, hard drives, servers, and electronic media (e.g., USB drives and CD-ROMs) can prevent the practice from paying a large fine for a HIPAA breach.

As a reminder, both Concentra and QCA Health Plan paid over $2 million in combined fines to the Department of Health and Human Services, Office for Civil Rights. The "investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) was a critical risk," the Office for Civil Rights said. "While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information."

The problems with not encrypting data and failing to conform to the other requirements associated with HIPAA and the HITECH Act can have further reaching consequences. According to a recent article by Absolute Software, "Protected health information is becoming increasingly attractive to cybercriminals with health records fetching more than credit card information on the black market. According to Forrester, a single health record can sell for $20 on the black market while a complete patient dossier with driver's license, health insurance information, and other sensitive data can sell for $500."

Any physician who has had their DEA number compromised or been involved in a government investigation involving Medicare fraud knows firsthand about the importance of implementing adequate security measures and internal audits. Investing in encryption is one way to mitigate financial, reputational, and legal liability.

Justin Boersma's curator insight, March 27, 2015 7:28 AM

Data encryption is vital in the protection of private consumer data collected by companies, especially medical records. Innovation in data encryption is required to prevent breaches of sensitive information as The Information Age grows in the coming years.


Should HIPAA Encryption Be Legislated?


A federal law from the 1990s says insurers aren’t required to encrypt consumer data. This law is now under review after the Anthem breach in which 80 million customers were left vulnerable.

According to Fierce Health IT, the Senate Health, Education, Labor and Pensions Committee will be overseeing the matter as a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said the spokesman for Chairman Lamar Alexander, R-TN.

“We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information. “Any identifying information relevant to a patient ... should be encrypted,” he told the AP.

Encryption has been controversial, according to the AP article, because it adds costs and makes daily operations cumbersome. It’s not foolproof protection either. If someone has the code or steals it, they can access information anyway.

Even Anthem spokeswoman Kristin Binns said encryption would not have prevented the highly publicized recent attack because the hackers gained access with a system administrator's ID and password. “These attackers gained unauthorized access to Anthem’s system and had access to names, birthdates, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information were targeted or compromised,” said Anthem President and CEO Joseph R. Swedish in a statement. Anthem does encrypt information which is exported.

“In today's environment, we should expect all health care providers to encrypt their data from end to end,” says Indiana University law professor Nicolas Terry who specializes in health information technology. “HHS should amend the security rule to make encryption mandatory,” he said.


3 Tips for Improving Breach Response


Breaches can happen even when there are strong protections in place. But healthcare organizations can do more to prepare for breaches and respond in the best possible way to protect patient information.

Here are three tips to avoid common pitfalls in healthcare incident response programs.

1. Define Incidents Broadly

HIPAA and state laws require organizations to recognize and properly respond to events that put certain personally identifiable information at risk. Most states today require notification when data that could be used for identity theft is breached. Hence, "incidents" must include negative events affecting a variety of legally protected data, not limited to protected health information, or PHI. For your organization's sake, you should include internal confidential and proprietary data as well.

"Incidents" can include such data in any form, including written, spoken and electronic. Some organizations mistakenly consider security incidents only in technical terms, relating to computers and networks. While incidents and breaches often involve malicious attackers and malware, that's only part of the story.

Both HIPAA's privacy rule and its security rule require incident response and mitigation. Therefore, "incidents" must include both privacy and security events. However, there is considerable overlap between privacy and security incidents, with most, if not all, privacy incidents also being security incidents. It is counterproductive to attempt to segregate privacy and security incidents, and, in fact, the HIPAA breach notification rule does not distinguish between them.

2. Teach Workforce to Report Incidents

Training is a critical component of privacy and security programs. Without it, the best policies and technologies can only go so far. Building on your broad definition of "incidents," ensure your documented workforce training content includes not only the definition but a wide range of examples. It is essential to convey to your staff the full scope of this requirement and the organization's expectations. Also, use current news stories on breaches to inform your workforce. Explain these incidents and discuss whether and how they could happen in your organization, as well as what individuals can do to prevent such breaches.

Training content must also include how to report incidents within the organization; the process should be easy and unambiguous. Here again, the workforce should not need to categorize an incident as involving either privacy or security issues to determine how to report it; most incidents will be both. Yet many organizations require that security incidents be reported to IT and privacy incidents to the privacy or compliance officer, or to a compliance tracking system.

Since the information security officer and the privacy officer should be acting as a team in responding to incidents, it makes sense to have a single reporting stream. In addition, the workforce should not be expected to make the breach determination; that is the responsibility of the information security and privacy officers because it requires expertise in the regulations.

Be sure your training content reinforces the requirement to report all incidents promptly, even if an incident is only suspected. Each organization's information security officer and privacy officer should determine the time limit - such as "the same day" or "within 24 hours" or "within one business day" - and include it in training content.

3. Make Incident Response Plan Comprehensive

Ensure that the scope of your organization's plan is comprehensive, including all incidents, both privacy and security.

Keep in mind that an organization's incident response plan is intended to be a clear guide to actions, particularly during a crisis. A plan that simply states high-level commitments to satisfy HIPAA or state regulations is not a real plan. Think of the plan as a cookbook with necessary ingredients and logical steps to follow. Unfortunately, this cookbook will have guidelines instead of precise measures, but a good plan will take an organization to a successful outcome.

The ingredients may include factors to consider in triaging an incident, questions to ask as part of the investigation, and state and federal legal requirements regarding notifications. The latter can be embedded in the plan or provided via direct links to actual regulation details such as at www.eCFR.gov.

The recipe should include, for example: triaging incidents based on criticality; convening primary and secondary response teams; determining if an incident falls under one or more state laws and/or HIPAA; if the incident involves PHI, determining violations versus breaches; mitigation actions depending on the type of incident; carrying out notification steps; and wrapping up.

Following HIPAA violations and breaches, take time to evaluate the effectiveness of your plan, as well as the training of your workforce and your response teams. Update the plan and training as needed.

Client Side Encryption Service - Technical Doctor Inc.

Data is a critical part of every organization, but this most valuable asset often poses a huge risk when it travels or is transmitted beyond the corporate network. Full disk and removable media encryption protect laptop computers against the unexpected. File, folder and email encryption allow fully secure collaboration across complex workgroups and team boundaries, with security policies enforced at all endpoints by the TD Encrypt Enterprise Server. Meet data security compliance obligations with a single MSI package.

Defending Against Health Data Hacks

With the healthcare sector becoming a growing target for cybercriminals, it's critical that organizations implement information security management practices that go far beyond a focus on HIPAA compliance. Yet, one of the biggest mistakes many healthcare entities continue to make in protecting patient information from cybercrime is taking a compliance-centric approach to information security, says Kenneth Peterson, CEO of risk management consulting firm Churchill & Harriman.

"With the ever-changing threat landscape, they should be approaching it from a risk management perspective," he says. Many organizations in healthcare and other industries also frequently overlook third-party risk, he says. For example, a vendor was the entry point for hackers in the high-profile Target breach a year ago, he points out.

"Unless you shore up your information security programs through the third-party risk element of that program, you are missing the boat," he says.

Another mistake being made when it comes to healthcare organizations and their business associates is not involving the right people at the table from the outset of the risk assessment process. "From the beginning, the assessment is not set up for success, but at best, set up for partial success."

In the meantime, being better prepared to defend against cybercrime will only become more challenging in 2015 as hacking attacks become more common, he says. And when it comes to patient information, "Social Security numbers are the single most valuable data that hackers are after," he adds.

In the interview, Peterson also discusses:

  • Common risk management mistakes that covered entities make, including neglecting to use repeatable and auditable tools;
  • The importance of "layered" security controls;
  • Cybersecurity intelligence and information-sharing trends in the healthcare sector and other industries.

Peterson has more than 30 years of experience developing and implementing enterprise risk management and human resources consulting solutions. He founded Churchill & Harriman in 1986 to develop and implement enterprise risk management and third-party risk management solutions for large enterprises. The company helps clients select and implement controls, processes and tools that identify, measure and manage enterprise risk.

Lessons Learned from Data Breaches [INFOGRAPHIC] | The National Law Review

Recent data breaches have left some large organizations reeling as they deal with the aftermath. They include the Target data breach, compromises at Home Depot, JP Morgan, USPS (which exposed employee Social Security Numbers and other data) and, most recently, Sony Pictures. The Sony hack also proved to be embarrassing to some of the company’s executives, as private email correspondences were exposed.

Collateral damage from a data breach is significant: one in nine customers affected by a data breach stopped shopping at the affected retailer. According to LifeLock, a recent survey of corporate executive decision-makers found that while concern about a breach rates 4 or 5 on a 5-point scale, only 10% to 20% of their total cyber security budgets go to breach remediation. Establishing an incident response plan in advance can reduce the cost per compromised record by $17.

While strengthening cybersecurity is important, the impact on breached organizations shows that preparing a response must be part of the breach-management equation. These breaches present an opportunity for business leaders and risk professionals to learn important lessons about how to protect their companies, customers and employees if a breach should occur.

Below are steps companies can take to establish a response plan, as well as information on the data breach landscape.

Health Care Industry To See Phishing, Malware Attacks Intensify in 2015 -

That’s the analysis of industry executives who contend the information security threats facing health care institutions will only intensify in 2015. They say attackers believe hospitals and health systems hold a wealth of data, from credit card information to demographic details to insurance beneficiary data. The notion that health care trails other industries in IT security may encourage attempts to seize those data.

But while attacks are on the rise, health care budgets aren’t quite as buoyant.

Phyllis Teater, CIO and associate vice president of health services at the Ohio State University’s Wexner Medical Center, said, “The threats continue to mount … at a time when all of health care is looking to reduce the cost of delivering care.”

Earlier this month, Art Coviello — executive chair of RSA, the security division of EMC — predicted that “well-organized cyber criminals” will ramp up their efforts to steal personal information from health care providers. Coviello, in what has become his annual security outlook letter, described health care information as “very lucrative to monetize” and “largely held by organizations without the means to defend against sophisticated attacks.”

Some health care providers, however, plan to strengthen their defenses. Health care organizations’ expected security priorities for 2015 include:

  • Encryption and mobile device security;
  • Two-factor authentication;
  • Security risk analysis;
  • Advanced email gateway software;
  • Incident response management;
  • Expansion of IT security staff; and
  • Data loss prevention (DLP) tools.

Uptick in Attacks

Lynn Sessions, a partner with the law firm BakerHostetler, cited an uptick in cyber-attacks targeting health care. Sessions, who specializes in health care data security and breach response, said much of her firm’s activity once focused on unencrypted devices that were lost or stolen, unencrypted backup tapes and email delivered to the wrong recipient. Those incidents were typical of the years immediately following the passage of the HITECH Act, which in 2009 established a breach notification duty for HIPAA-covered entities. But since the beginning of 2014, the rise of hacking and malware attacks has become “very noticeable,” Sessions said.

That trend seems likely to carry over into 2015.

Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, said he believes two types of attacks will see increased prevalence next year:

  • Phishing; and
  • Ransomware.

Phishing attempts to convince users to give out information such as usernames and passwords or credit card numbers. In settings such as health care, phishing may also provide a stepping stone for more advanced attacks, Koller noted. For example, a user could open an attachment in a phishing email that installs malware on the user’s device. From that foothold, an attacker could then infiltrate the enterprise network.

“Phishing emails often provide the entry point,” Koller said.

Attackers, he added, have become adept at disguising their phishing emails.

“They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect,” Koller explained.

Phishing emails can also serve as a vehicle for ransomware attacks, which encrypt the data on a computer’s hard drive. Cyber criminals demand payment from users before they will provide the means to unlock the data.

CryptoLocker and CryptoWall are examples of ransomware. In August, the Dell SecureWorks Counter Threat Unit research team reported that nearly 625,000 systems were infected with CryptoWall between mid-March and late August 2014. The researchers called CryptoWall “the largest and most destructive ransomware threat on the Internet” and one they expect will continue expanding.

To further complicate matters, ransom may be demanded in the form of bitcoin, a digital currency. The use of bitcoin makes the perpetrators a lot harder for law enforcement to track down, Koller said. He said he anticipates that ransomware will see greater prevalence and use in the future.

Tightening Security

Against the backdrop of increasing attacks, health care organizations are taking steps to boost their IT security.

Ohio State’s Wexner Medical Center, for example, plans to make staffing a focal point of next year’s IT security investment. It expects to fill three openings over the next few months.

“Much of our investment is in recruiting top talent and growing the team by adding” full-time employees, Teater said.

Technology adoption is also in the works.

“We are deploying a new mobile security tool that has better capabilities,” she said. “We are also starting down the road to deploy data loss prevention” in conjunction with the Ohio State University.

In addition, Ohio State’s medical center is looking at how to enable two-factor authentication for use cases such as remote/mobile access and e-prescribing, Teater noted.

Koller said two-factor authentication will rank among the top IT security measures health care organizations take on in 2015. Two-factor authentication typically involves a traditional credential, such as user name/password and adds a second component such as a security token or biometric identifier.

Two-factor authentication does a good job of counteracting phishing emails, Koller said. If an attacker obtains an employee’s username/password via phishing, it will still lack the additional authentication factor, he noted.
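The mechanism Koller describes can be made concrete. The following Go program is an added example written for this page; it is not code from the article or from any organization quoted in it. It implements time-based one-time passwords (RFC 6238, built on the RFC 4226 HOTP construction) and a login check that requires both the password and the current code, so a password captured by phishing is not enough on its own. The account record, its salt and the password are constructed demo values; the TOTP seed is the published RFC 6238 test secret; and the salted SHA-256 stands in for a proper password hash such as bcrypt or Argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp computes the RFC 4226 one-time password for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP derives the HOTP counter from the clock (RFC 6238); step is normally 30 seconds.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts a code for the current step or up to skew steps either side,
// which tolerates small clock drift between the token and the server.
func VerifyTOTP(secret []byte, code string, unixTime, step int64, digits, skew int) bool {
	ok := 0
	for d := -int64(skew); d <= int64(skew); d++ {
		c := unixTime/step + d
		if c < 0 {
			continue
		}
		// Constant-time compare, and keep looping so timing does not reveal which step matched.
		ok |= subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(c), digits)), []byte(code))
	}
	return ok == 1
}

// Account is a constructed demo record. The salted SHA-256 stands in for a real
// password hash (use bcrypt or Argon2 in production); totpSecret is the enrolled seed.
type Account struct {
	salt, passwordHash, totpSecret []byte
}

// NewAccount enrolls a user with a password and a TOTP seed.
func NewAccount(password string, totpSecret []byte) Account {
	salt := []byte("demo-salt") // constructed; a real system draws a random per-user salt
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return Account{salt: salt, passwordHash: h[:], totpSecret: totpSecret}
}

// Login succeeds only when both factors check out: a phished password alone is rejected.
func Login(a Account, password, code string, unixTime int64) bool {
	h := sha256.Sum256(append(append([]byte{}, a.salt...), password...))
	passOK := subtle.ConstantTimeCompare(h[:], a.passwordHash) == 1
	codeOK := VerifyTOTP(a.totpSecret, code, unixTime, 30, 6, 1)
	return passOK && codeOK
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test seed, not a real enrollment
	now := int64(1111111109)                 // fixed clock so the run is reproducible
	acct := NewAccount("correct horse", secret)
	phishedOnly := Login(acct, "correct horse", "000000", now) // attacker has the password only
	withToken := Login(acct, "correct horse", TOTP(secret, now, 30, 6), now)
	fmt.Println("password only:", phishedOnly, " password+token:", withToken)
}
```

The 8-digit codes produced by `TOTP` match the RFC 6238 Appendix B vectors for the test seed, which is how a deployment can confirm its generator agrees with the tokens it issues.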

Koller also cited encryption as another security measure health care providers should look to deploy next year. He said that larger institutions already recognize encryption as an issue but that smaller practices still struggle to find ways to implement encryption for laptops and mobile devices.

“Encryption very much needs to be on everybody’s radar,” he said.

To date, it hasn’t been. Forrester Research in September reported that “only about half” of health care organizations secure endpoint data through technology such as full-disk encryption or file-level encryption.

Health care providers next year may also invest in incident response management, as well as prevention.

Mahmood Sher-Jan, vice president and general manager of the RADAR Product Unit at ID Experts, said most people accept that security incidents are a certainty, which places the emphasis on risk reduction and response. ID Experts provides software and services for managing incident response.

Chief information security officers and health care IT security personnel “recognize now that their success is going to be measured on how they manage incident response and minimize the impact on reputation and churn,” Sher-Jan said.

10 Steps for Ensuring HIPAA Compliance

1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of email. "The Office for Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication." HIPAA does not prohibit the use of email for transmitting protected health information, and it does not require that the email be encrypted. But it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they face if they ask for their health information over email.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all its patients. The notice should be updated whenever policies are revised, and it will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.

These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office for Civil Rights website, such as sample business associate agreements and audit protocols.

Unencrypted Device Breaches Persist

Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.

As of June 23, the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.

Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group.

The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed "theft" as the cause.

Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those types of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.

"Although we've seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization," says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. "Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is 'the' most common breach scenario affecting organizations of any size."

Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. "Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization," she says. "We also shouldn't overlook encryption of media, including tapes, disks and USB storage drives."

Unencrypted Device Breaches

The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op, an insurer.

That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. "There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals," the statement says.

Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as "doing business as Half Dental." The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.

In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve lost or stolen paper records or film.

"Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals," Borten says. Because many of the breaches involving paper or film are due to human error, "effective, repeated training is essential" to help prevent such incidents, she says.

Hacking Incidents Added

The largest breach added to the tally in recent weeks, however, is the hacker attack on CareFirst BlueCross BlueShield, which was reported to HHS on May 20 and affected 1.1 million individuals. Baltimore-based CareFirst has said that an "unauthorized intrusion" into a database dating back to June 2014 was discovered in April by Mandiant, a cyberforensics unit of security vendor FireEye. Mandiant had been asked by CareFirst to conduct a proactive examination of CareFirst's environment following the hacker attacks on Anthem and Premera.

Another hacker incident added to the tally affected South Bend, Ind.-based Beacon Health System. That incident, reported to HHS on May 20, is listed as affecting about 307,000 individuals. The organization has said patients' protected health information, including patient name, doctor's name, internal patient ID number, and in some cases, Social Security numbers and treatment information, was exposed as a result of phishing attacks on some employees that started in November 2013. The attacks led to hackers accessing "email boxes" that contained patient information.

Addressing Multiple Threats

Healthcare organizations need to continue their efforts to protect data from the threats posed by cyber-attackers, insiders or street thieves, says Borten, the consultant.

"There's no simple answer, but security is complex, and so the solutions, or mitigating controls, must be numerous and varied."

HIPAA Rules and Procedures in the Event of a Data Breach, Part One

As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data and emphasize the importance of strong security safeguards and plans for handling suspected security breaches for electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach.

Determining Whether an Actionable Breach Has Taken Place

HIPAA defines a security breach as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted…which compromises the security or privacy of the protected health information." Pursuant to this definition, the first thing a covered entity (CE) must do is investigate the breach and determine whether unsecured PHI has been compromised. Data is compromised when there is "a significant risk of financial, reputational, or other harm to the individual."

PHI is unsecured when the PHI “is not … unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary…” Thus, PHI is secure when the data is either encrypted to certain technology standards or the ePHI has been destroyed, which means breach notification is not required. However, encrypted PHI is only secure if the key to decrypt the data is secure and remains confidential.

If ePHI is not encrypted or the decryption key is no longer secure, the data is not secure and data breach will trigger breach notification.

Thus, the best compliance practice is to encrypt all ePHI, whenever practicable, to take advantage of this regulatory safe harbor. Because breach notification can cause irreparable harm to an entity’s reputation and financial status, encryption is an important means to mitigate damages and risks of a data security breach.
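To make the safe-harbor condition concrete, here is an added Go example written for this page; it is not the author's code and not a reference implementation from HHS or any vendor. It uses envelope encryption: each record is encrypted under its own data key with AES-256-GCM (a NIST-approved authenticated encryption mode), and that data key is in turn wrapped with a key-encryption key (KEK) that is assumed to live somewhere else, such as an HSM or key management service. What lands on a laptop or backup tape is the ciphertext plus the wrapped data key, and neither can be opened without the KEK. If the KEK leaks, the data is readable again, which is exactly the key-confidentiality condition stated above. The patient record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the OS CSPRNG.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // no usable entropy source; nothing sensible to do
	}
	return k
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, binding aad (here the record ID)
// so a blob cannot be silently swapped between records. The random 96-bit nonce is prepended.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; any change to key, nonce, ciphertext or aad makes it fail.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// EncryptedRecord is everything that is stored on the device, server or backup medium.
// Note what is absent: the key-encryption key.
type EncryptedRecord struct {
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // the ePHI, encrypted under the data key
}

// SealRecord generates a one-time data key for the record, encrypts the record with it,
// then wraps the data key with the KEK so the KEK never touches the bulk data directly.
func SealRecord(kek, record []byte, recordID string) (EncryptedRecord, error) {
	dek := NewKey()
	ct, err := gcmSeal(dek, record, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenRecord is the authorized path: the KEK unwraps the data key, which decrypts the record.
func OpenRecord(kek []byte, rec EncryptedRecord, recordID string) ([]byte, error) {
	dek, err := gcmOpen(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	kek := NewKey() // assumed to live in an HSM or KMS, never alongside the records
	phi := []byte(`{"mrn":"000123","name":"Jane Doe","dx":"constructed sample"}`) // constructed
	rec, err := SealRecord(kek, phi, "record-000123")
	if err != nil {
		panic(err)
	}
	if plain, err := OpenRecord(kek, rec, "record-000123"); err == nil {
		fmt.Println("with KEK:", string(plain))
	}
	// A stolen device holds rec but not the KEK: decryption fails, so the PHI stays secured.
	_, err = OpenRecord(NewKey(), rec, "record-000123")
	fmt.Println("without KEK:", err)
}
```

Because every record gets its own data key that is used exactly once, the random GCM nonce is never reused under a key, and rotating the KEK only requires re-wrapping the small data keys rather than re-encrypting all of the patient data.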

In the case of a suspected security breach, covered entities need to take steps to thoroughly investigate the incident, determine if a security breach of unsecured PHI occurred, and determine the extent of the security breach or leak of information and the amount of PHI breached before the covered entity can take steps to stop the leak of PHI and reduce the damage caused by the security breach.

In 2013, the Omnibus Final Rule (“Final Rule”) released by the Department of Health and Human Services (“HHS”) redefined what was considered a security breach. Now, a security breach is presumed unless the entity can demonstrate that there is a low probability that any unsecured ePHI has been compromised.

The only way to show a low probability of compromise is by conducting a risk assessment to consider at least four significant factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

If a covered entity cannot identify a low probability that unsecured ePHI has been compromised, breach notification is triggered.

Data Breaches Are Serious Exposures for Fitness Businesses

Technology is a huge advantage for the fitness industry today, but it has also brought serious exposures with it. A data breach can destroy a fitness business by damaging its reputation and its relationship with its members, clients and employees. Small and mid-sized business owners need to be aware that they are just as vulnerable to data breaches and hacking as large businesses. The personal information of members, clients and employees can be lost, stolen or destroyed by computer hackers, thieves and even dishonest employees. Sensitive data can also be improperly exposed through accidental or inadvertent release.

With recent publicity about large data breaches of prominent organizations, concerns about cyber liability have grown to a point in which most state legislatures have passed laws requiring business owners to notify affected persons. In most states, a business must be able to notify all parties whose personal information may have been released or exposed, communicate the scope of the potential data breach to them, and provide access to credit monitoring assistance and identity restoration to them. In addition, the business owners may face legal defense and settlement costs if claims are brought against them because of the breach.

The first step to addressing the exposure is to understand what a data breach is. To do so, it is necessary to define the "personal information" whose exposure would constitute a data breach. Personal information that can uniquely identify an individual is called Personal Identifying Information (PII) and includes an individual's first name or first initial and last name, in combination with any one of the following data:

  • Social Security number;
  • driver's license number;
  • bank account number;
  • credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual's account;
  • home address or email address; and
  • medical or health information.

A data breach makes PII available to unauthorized individuals inside or outside of the organization.

All fitness businesses collect PII on members and employees, as well as on many prospects and guests. Please note that HIPAA compliance relates to an organization's need to comply with the privacy rules set out by the Health Insurance Portability and Accountability Act (HIPAA). This is not usually triggered unless a business receives direct insurance reimbursement for services. All fitness facilities have liability for data breach, but only those receiving insurance reimbursement will also have the requirement to meet HIPAA guidelines for privacy.

The data breaches making media headlines right now are systems-related and have to do with computer hackers gaining unauthorized access to PII data electronically. It is important to remember that physical data breaches still occur as well and include misplaced backup files, paper files being lost or misplaced or a stolen laptop. Both types of data breach can result in an expensive variety of damages for a fitness business including:

  • interruption of ongoing operations;
  • destruction of hardware and software;
  • release of sensitive business information; or
  • the exposure of the PII of members, clients, employees, vendors or partners.

Beyond the legal requirements imposed by state laws and the costs of meeting them, how a business owner responds to a data breach can mean the difference between keeping members and losing them. When confronted with a data breach, many business owners make short-sighted or panicked mistakes that significantly increase their cost of responding and put their reputation at risk as well. It is imperative to develop a data breach action plan before an incident occurs, so that the business can address the situation one step at a time if it does occur. Unfortunately, in our present technology-driven environment, for many fitness businesses it is not a matter of "if" a data breach will occur but "when".

A thorough data breach action plan should start with preventive measures, including training staff to handle PII properly and maintaining appropriate protection software on all systems that store the data. The plan should outline methods of containment to limit the scope of a breach. It should then address effective means of response, including immediate communication with the individuals affected and appropriate remedies for them, as well as restoring the safety of the systems going forward. The goal of the plan is not only to restore the systems so that data is once again safe, but to restore the reputation of the business by effectively addressing the well-being of the individuals affected. A well-communicated, timely and compassionate response will go a long way toward retaining the membership's confidence.

11 Paths's curator insight, April 8, 2015 4:31 AM

another great story


Breaking Down HIPAA: Health Data Encryption Requirements

Health data encryption is becoming an increasingly important issue, especially in the wake of large-scale data breaches like those at Anthem, Inc. and Premera Blue Cross. The HIPAA Omnibus Rule improved patient privacy protections, gave individuals new rights to their health information, and strengthened the government’s ability to enforce the law. However, health data encryption is considered an “addressable” aspect rather than a “required” part of HIPAA.

With close to 90 million Americans potentially having their personally identifiable information exposed in the last few months alone, including PHI in some cases, more people are wondering if enough is being done to keep that data safe. Should health data encryption be required? What exactly determines whether an entity incorporates encryption into its privacy and security measures?

We’ll take a closer look at what health data encryption is, why it’s beneficial, and how covered entities are currently required to use it.

What is health data encryption?

Health data encryption is the process by which a covered entity converts information from its original form into encoded text. The data is then unreadable unless an individual holds the key needed to decrypt it. This is a good way for electronic PHI (ePHI) to remain secure and to ensure that unauthorized individuals cannot “translate” the data for their own use.

In relation to the HIPAA Privacy Rule and the HIPAA Security Rule, data encryption is a method to protect PHI. In particular, the Security Rule was designed to protect all data that “a covered entity creates, receives, maintains or transmits in electronic form,” according to the Department of Health & Human Services’ (HHS) site.

Why would it be beneficial?

Theft continues to be one of the major causes of healthcare data breaches, including incidents that involve PHI. If a laptop or smartphone falls into the wrong hands, that individual could potentially cause major damage to patients if he or she had access to medical information or financial information. However, if that unauthorized user was unable to read the information on the devices, then some issues could potentially be avoided.

Health data encryption can be an important step in the privacy and security process, but by itself it is not enough. For example, malware could compromise a covered entity’s database server, and from there attackers could reach sensitive information, including PHI. Or, if an employee’s login credentials were stolen, an unauthorized user could gain access that way. In either case it would not necessarily matter whether the health data was encrypted, because the attacker would be operating with the same access that the system grants a legitimate user, and the system decrypts the data for that user.

It is also important to consider whether data is being encrypted at rest or in motion. For example, a virtual private network (VPN) or a secure browser connection helps protect data in motion, as does Transport Layer Security (TLS), the protocol that provides authentication, confidentiality and integrity for sensitive data during electronic communication.

Overall, a covered entity needs to ensure that it has comprehensive technical safeguards – that may include data encryption – along with strong administrative safeguards and physical safeguards. One of those measures by itself will not be enough. Health data encryption could be a beneficial addition to a security program, but it would need to be working with other protection measures.

Is data encryption required?

According to HIPAA, encrypting health data is “addressable” rather than “required.” However, this does not mean that covered entities can simply ignore health data encryption. Instead, healthcare organizations must determine which privacy and security measures fit their workflow.

“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” according to HHS. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”

There are many different encryption methods available as well, so it’s important for covered entities to review their systems and policies to determine if encryption is appropriate, and what kind of encryption to use.

For example, the HHS HIPAA Security Series suggests that covered entities ask themselves the following two questions to help determine if data encryption is appropriate:

  • Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

Along the same lines, covered entities should determine who accesses the data and how. For example, if a facility has a BYOD policy and employees can access ePHI from their phones, mobile data encryption might be appropriate.

It remains to be seen if the government will make adjustments on its requirements for health data encryption. Until then, facilities need to be thorough in their risk assessments so they can properly determine if data encryption is a necessary measure and then how best to incorporate it into their security. If a covered entity decides that data encryption is not necessary, it is essential to document the reasons why and then provide an acceptable alternative. Data breaches are unlikely to stop happening, so it is important that healthcare organizations remain diligent in making the necessary adjustments to remain as secure as possible.



Should HIPAA require encryption of medical data?

Dive Brief:
  • Even more surprising to some than the fact that Anthem did not encrypt its medical records (which, according to experts, made it easier to hack) was the fact that HIPAA's regulations do not currently require that personal health data be encrypted by the providers who manage those records. A report in HealthIT Security revealed that lawmakers are starting to address this issue.
  • The US Senate Health, Education, Labor and Pensions committee is taking up the debate, while New Jersey Gov. Chris Christie has already enacted a law requiring medical record encryption and Connecticut Democrats are apparently also seeking similar legislation in their state.
  • At present, HIPAA regs do not specifically require data encryption. Instead, HIPAA-covered entities get to choose, based on their situation, whether encryption is necessary or another approach is more appropriate.
Dive Insight:

The Anthem hack has become the cue for every agency, governmental body, consumer group, healthcare advocacy organization and technology forum to start pushing tougher cybersecurity requirements. While the strong reaction was expected, the stampede could generate more problems than solutions, with lawmakers and federal agencies duplicating efforts with state legislatures around the country.

What would make the aftermath of the Anthem hack even worse is a resulting mish-mash of regulations and laws that vary from state to state, from agency to agency. Any additional HIPAA security regs should at least attempt to coordinate bills being drafted by Congress and work to advise individual states so there can be some parity across all the different bodies with multiple approaches to the same goal.


Lawmakers to rethink requiring encryption in HIPAA


In light of the cyberattack against Anthem, federal officials plan to review whether HIPAA should require encryption, according to the Associated Press.

The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.

"We need a whole new look at HIPAA," David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information, told the AP.

Information on up to 80 million consumers--including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers--was compromised in the attack on Anthem. That information reportedly was not encrypted.

However, Anthem spokeswoman Kristin Binns told the AP that the hacker also had a system administrator's ID and password, which would have made encryption a moot point. Binns said the company normally encrypts data that it exports.

Some security experts, however, say a stolen credential by itself shouldn't be a key to the whole data kingdom, and that information should be encrypted wherever it resides, whether in transit; sitting in a database, as Anthem's was; or on a mobile device.

When the HITECH Act promoting computerized medical records was passed in 2009, it seemed to be a reasonable balance, creating incentives for encryption without imposing a one-size-fits-all solution, Indiana University law professor Nicolas Terry told the AP. Now he's concerned that events may have shown the compromise is unworkable.

Only slightly more than half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work, a Forrester research report published last September found.

There have been various calls to review HIPAA based on the security and privacy risks for consumers posed by the Internet of Things and for research, among other reasons.

Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, however, has said he doesn't see much happening before the next presidential election.


HIPAA Compliance: It's Not Just Buying a Kit


Charleston, South Carolina, January 26, 2015 -- When it comes to meeting HIPAA compliance, most people know the basics. Don’t email patient health information; don’t post patient health information online. But few understand some of the more challenging technical requirements.

Here at HIPAAMart, we constantly see medical facilities that “think” they are HIPAA compliant but are not. When we deliver our HIPAA as a service and complete the risk assessment and policies for these facilities, we discover that most are woefully short of meeting all of the requirements.

Dean Jones, the CEO of HIPAAMart, notes: "When we complete our inclusive process of creating the risk assessment and policies, there is still a lot of work to get these practices and their BAAs compliant; most think you complete some kit and you are good to go. But that is not true.”

Under HIPAA Security Rule §164.308(a)(1)(ii)(D), a required implementation specification, you must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. This is very challenging because there are thousands of log entries on servers and workstations. How would a person monitor and report on these on a frequent basis? That is why, as part of HIPAAMart's HIPAA In-A-Box service, we include this functionality. Our system includes 24x7 monitoring by security professionals who are trained and experienced with HIPAA. From our monitoring, we generate HIPAA-specific reports weekly that outline any security issues or HIPAA problems.

“Our service includes everything; it would take a relationship with 3-5 companies to get all of the pieces in place you get from HIPAAMart,” Jones said.

Be sure you don’t overlook the necessary parts of becoming HIPAA compliant other than the risk assessment and policies. There are a lot of other pieces that need attention and also need the expertise to solve.

Under just this one section -- §164.308 Administrative Safeguards -- here are some of the required implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
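The review requirement cited above and restated in item (D) comes down to turning thousands of log entries into a short, regular report that a person can act on. As an added example (not HIPAAMart's service or code, and not part of the original press release), here is a small Python review over constructed EHR audit log lines; the log format, the failed-login threshold, the business hours and the terminated-account list are assumptions for the example and would come from the entity's own systems and policy.

```python
"""Weekly information system activity review over constructed EHR audit log lines."""
import re
from collections import Counter
from datetime import datetime, time

# Constructed log format (assumption: real systems vary). One event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>OK|FAIL)(?: patient=(?P<patient>\S+))? src=(?P<src>\S+)$"
)

# Constructed sample audit log (not real data): one week of EHR events plus one damaged line.
SAMPLE_LOG = """\
2015-01-19T09:02:11 user=nurse01 action=view_record result=OK patient=P1001 src=10.0.5.12
2015-01-19T09:05:40 user=nurse01 action=view_record result=OK patient=P1002 src=10.0.5.12
2015-01-19T22:47:03 user=billing02 action=export_records result=OK patient=P1001 src=10.0.5.40
2015-01-20T03:10:15 user=jdoe action=login result=FAIL src=203.0.113.9
2015-01-20T03:10:22 user=jdoe action=login result=FAIL src=203.0.113.9
2015-01-20T03:10:31 user=jdoe action=login result=FAIL src=203.0.113.9
2015-01-20T03:10:39 user=jdoe action=login result=FAIL src=203.0.113.9
2015-01-20T03:10:45 user=jdoe action=login result=FAIL src=203.0.113.9
2015-01-20T03:11:02 user=jdoe action=login result=OK src=203.0.113.9
2015-01-21T10:15:00 user=former_emp action=view_record result=OK patient=P1003 src=10.0.5.31
2015-01-22T11:30:12 user=doc07 action=view_record result=OK patient=P1004 src=10.0.5.18
2015-01-22T11:31:00 corrupted entry ###
"""

# Review parameters: constructed values, to be set from the entity's own policy.
TERMINATED_ACCOUNTS = {"former_emp"}        # would be fed from HR / identity management
FAILED_LOGIN_THRESHOLD = 5
BUSINESS_HOURS = (time(7, 0), time(19, 0))
PHI_ACTIONS = {"view_record", "export_records"}


def parse(log_text):
    """Parse lines into event dicts. Unparsable lines are returned separately so the
    review can report gaps in the log instead of silently dropping them."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        elif line.strip():
            unparsed.append(line)
    return events, unparsed


def review(events):
    """Apply three review rules and collect findings for the weekly report."""
    report = {
        "failed_login_bursts": {},
        "success_after_failures": [],
        "after_hours_phi": [],
        "terminated_account_use": [],
    }
    failures = Counter()
    for ev in events:
        user = ev["user"]
        if ev["action"] == "login":
            if ev["result"] == "FAIL":
                failures[user] += 1
            elif failures[user] >= FAILED_LOGIN_THRESHOLD:
                # A success right after a burst of failures is worth a human look.
                report["success_after_failures"].append((user, ev["src"]))
            continue
        if ev["action"] in PHI_ACTIONS and ev["result"] == "OK":
            if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
                report["after_hours_phi"].append((user, ev["action"], ev["patient"]))
            if user in TERMINATED_ACCOUNTS:
                report["terminated_account_use"].append((user, ev["action"], ev["patient"]))
    report["failed_login_bursts"] = {
        u: n for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD
    }
    return report


def weekly_summary(report, unparsed):
    """Render findings as one line each, the shape a weekly HIPAA report needs."""
    lines = [f"{n} failed logins for {u}" for u, n in report["failed_login_bursts"].items()]
    lines += [f"successful login for {u} from {src} after repeated failures"
              for u, src in report["success_after_failures"]]
    lines += [f"after-hours {a} of {p} by {u}" for u, a, p in report["after_hours_phi"]]
    lines += [f"{a} of {p} by terminated account {u}" for u, a, p in report["terminated_account_use"]]
    if unparsed:
        lines.append(f"{len(unparsed)} log line(s) could not be parsed; check log integrity")
    return lines


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    for line in weekly_summary(review(events), bad):
        print(line)
```

The point of the third rule is that the log review only works if it is fed by the other administrative processes: the terminated-account list has to reach whoever runs the review, and an unparsable or missing stretch of log is itself a finding, not something to skip.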

As you can see, you need more than just a kit and your policies; you also need the correct technology and the correct partner to help you achieve being HIPAA compliant.


N.J. Law Requires Insurers to Encrypt


A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."


HIPAA Hurdles in 2015 | HIPAA, HITECH & HIT


Nearly a year ago, as described in an earlier blog post, one of my favorite health industry journalists, Marla Durben Hirsh, published an article in Medical Practice Compliance Alert predicting physician practice compliance trends for 2014.  Marla quoted Michael Kline’s prescient prediction that HIPAA would increasingly be used as “best practice” in actions brought in state court:  “People will [learn] that they can sue [for privacy and security] breaches,” despite the lack of a private right of action under HIPAA itself.  Now, peering ahead into 2015 and hoping to surpass Michael’s status as Fox Rothschild’s HIPAA soothsayer, I thought I would take a stab at predicting a few HIPAA hurdles that covered entities, business associates, and their advisors are likely to face in 2015.

1. More sophisticated and detailed (and more frequently negotiated) Business Associate Agreement (BAA) terms. For example, covered entities may require business associates to implement very specific security controls (which may relate to particular circumstances, such as limitations on the ability to use or disclose protected health information (PHI) outside of the U.S. and/or the use of cloud servers), comply with a specific state’s (or states’) privacy and security law requirements, limit the creation or use of de-identified data derived from the covered entity’s PHI, or purchase cybersecurity insurance. The BAA may describe the types of security incidents that do not require per-incident notification (such as pings or attempted firewall attacks), but also identify or imply the many types of incidents, short of breaches, that do. In short, the BAA will increasingly be seen as the net (holes, tangles, snags and all) through which the underlying business deal must flow. As a matter of fact, the financial risks that can flow from a HIPAA breach can easily dwarf the value of the deal itself.

2. More HIPAA complaints – and investigations. As the number and scope of hacking and breach incidents increases, so will individual concerns about the proper use and disclosure of their PHI. Use of the Office for Civil Rights (OCR) online complaint system will continue to increase (helping to justify the $2 million budgeted increase for OCR for FY 2015), resulting in an increase in OCR compliance investigations, audits, and enforcement actions.

3. More PHI-Avoidance Efforts. Entities and individuals who do not absolutely require PHI in order to do business will avoid it like the plague (or transmissible disease of the day), and business partners that in the past might have signed a BAA in the quick hand-shake spirit of cooperation will question whether it is necessary and prudent to do so in the future. “I’m Not Your Business Associate” or “We Do Not Create, Receive, Maintain or Transmit PHI” notification letters may be sent and “Information You Provide is not HIPAA-Protected” warnings may appear on “Terms of Use” websites or applications.

The overall creation, receipt, maintenance and transmission of data will continue to grow exponentially and globally, and efforts to protect the privacy and security of one small subset of that data, PHI, will undoubtedly slip and sputter, tangle and trip.  But we will also undoubtedly repair and recast the HIPAA privacy and security net (and blog about it) many times in 2015.

Have a Happy and Healthy HIPAA New Year!


Threat Info Sharing: Time for Leadership


The healthcare sector has a big problem. There's a great deal of information security immaturity and a lack of resources among smaller clinics, rural hospitals and other organizations. In the push to exchange electronic patient data nationwide, those entities are potential weak links in the security chain.

More has to be done to ensure these smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are prepared to mitigate them. That potentially requires more handholding from federal agencies - such as by issuing timely cyber-alerts and guidance. But it also means broader outreach and more affordable membership fees for information sharing organizations, such as the National Health Information Sharing and Analysis Center and others, so that the little guys are also in the cybersecurity intelligence loop.


Last week, the Department of Health and Human Services took an important initial step toward addressing the issue of improving cyberthreat information sharing. HHS announced it would investigate various options to ensure important cyber-intelligence gets to all healthcare organizations, regardless of size. It's weighing whether to establish another ISAC for the healthcare sector or bolster the capabilities of an existing organization.

It's good to see that HHS is focusing attention on an important issue, although the move is long overdue. Now, it's time for the agency to take prompt leadership action, because improving accessibility to cyberthreat intelligence for organizations of all sizes is urgent, in light of growing evidence that the healthcare sector is increasingly being targeted by hackers.

For example, Boston Children's Hospital was hit by a distributed-denial-of-service attack earlier this year. And Community Health Systems fell victim to a hack attack, perhaps involving the Chinese, that exposed millions of records.

The old adage says that you're only as strong as your weakest link. At a time when healthcare providers are being urged by the federal government to exchange electronic patient records to improve the quality of care - and consumers want to share health data they collect on their own wearable gadgets - we must eliminate weak spots. That means we must make sure, for instance, that providers of all sizes and types have timely access to information about new malware, software flaws or cyberthreats - and the steps they need to take to mitigate those issues.


Redefining Healthcare Email & Data Archives in the Age of HIPAA


Information technology has long been an enabler of collaboration and openness in the healthcare industry – but it also adds a layer of complexity. And in 2003, the U.S. government’s Health Insurance Portability and Accountability Act (HIPAA) added a new level of complication to how healthcare organizations manage patient information. It is a double-edged sword: healthcare IT professionals must devise ways to help workers access patient information faster, safely and securely, while maintaining compliance with HIPAA rules and internal protocols.

There’s a simple reason for that complication, personally identifiable information is extremely valuable. Any breach or act of non-compliance that results in the release of personal medical information can have devastating consequences for both patients and the healthcare organization. As a consequence, the healthcare industry is ramping up its efforts to secure systems to better protect sensitive data, adapt to evolving threats and comply with HIPAA.

The goal posts are moving too. Digital patient records are growing, and organizations need to better manage storage while ensuring continuity and maintaining absolute HIPAA compliance. In addition to front-line security measures, healthcare organizations are also tasked with ensuring continuity of operations through the deployment of highly secure disaster recovery and backup strategies.

How Archiving Solutions Can Help

Managing the growing complexity of any healthcare organization’s data, while ensuring and maintaining compliance, is no small feat. Communicating patient data is critical in healthcare environments, and must remain fluid and fast, regardless of the archiving solution in place. It’s also essential that medical staff remain unaffected; access to data and systems should be transparent.

While many healthcare organizations are utilizing secure content collaboration systems like SharePoint to control access to patient data, email is still the primary tool that most healthcare workers use to communicate patient issues, needs and requirements, as well as a growing list of rich media from blood work, x-rays, sonograms, etc. Proper data management policies and sophisticated archiving solutions can help healthcare IT administrators manage storage growth and cost, while maintaining absolute compliance, eDiscovery and continuity. Robust email archiving solutions can help because they archive content from any platform – SharePoint, file servers, and email servers – providing a searchable, federated index, continuity and secure, compliant storage.

Furthermore, in the event of a legal dispute, HIPAA requires that all patient information, whether in a file or within the body of an email, must be securely stored and quickly retrievable. Many organizations stockpile this information on expensive storage without proper data rules to find that data fast. The result is a loss in productivity as administrators spend days or weeks searching through data in order to comply with legal orders.

HIPAA Isn’t Simple

Complying with HIPAA doesn’t just happen; it’s an ongoing process best performed by healthcare IT professionals working in concert with their legal and healthcare end users to deliver the right information to give patients the best care possible. Sophisticated platforms such as Exchange can manage all of these tasks from one dedicated interface, but healthcare organizations need to alter how they view patient data on a grassroots level.

1. Set and define internal rules. How long will an email be archived for? A blanket policy is best here. Filtering can always be added at a later date but a core, compliant retention policy is key.

2. Make sure everything can be audited. This also applies to every action carried out by an administrator or dedicated compliance asset – not just end users.

3. Everything must be discoverable. Use advanced content indexing across live data and archived metadata.

4. Learn the official rules. Read the Health Insurance Portability and Accountability Act to understand more about the act, its requirements of healthcare workers and the data they create and access, as well as how it protects patients. While the data storage and accessibility portions are contained in HIPAA’s Title II section, it is helpful to review Title I for information about helping patients to keep their data portable.

5. Access control. Who should be on the list of “super administrators”? Who can create policies, manage retention times?

6. Identify e-discovery requirements. Double check with the legal department – what needs to be stored? How long? What type of content? What about external consultants? What about mobile device usage?

7. Deletion policy. Considering a purge option is not an easy task. Rules change without notice. Think about moving older data to cheaper forms of secure storage media just in case your organization is asked to produce data.

8. Backup. Daily backups are 100% necessary for databases and Exchange. Take a close look at where you can save time and effort by creating solutions that store changes and not simply create full backups.
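Items 1, 2, 6 and 7 of the list above describe one decision procedure: a blanket retention period, cheaper secure storage for older data, legal holds from the legal department, and an audit entry for every administrative action. As an added example that is not part of the original article, here is that procedure in Python with a constructed policy and a constructed archive index; the tier names, the `legal_hold` set and the retention periods are assumptions, not values from any regulation.

```python
"""Retention, tiering and purge decisions with an audit trail (added example)."""
from datetime import date, datetime

# Constructed policy (assumption): real values come from legal and compliance.
POLICY = {
    "hot_tier_days": 365,        # after this, move from primary storage to cheaper secure media
    "retention_days": 6 * 365,   # blanket retention before a message is even eligible for purge
    "legal_hold": {"M-0003"},    # never purged while the hold stands
}

# Constructed archive index (not real mail): id, received date, current storage tier.
SAMPLE_ARCHIVE = [
    {"id": "M-0001", "received": date(2014, 12, 20), "tier": "hot"},
    {"id": "M-0002", "received": date(2013, 6, 1), "tier": "hot"},
    {"id": "M-0003", "received": date(2008, 1, 10), "tier": "cold"},
    {"id": "M-0004", "received": date(2008, 1, 10), "tier": "cold"},
    {"id": "M-0005", "received": date(2013, 6, 1), "tier": "cold"},
]


def decide(message, today, policy):
    """Apply the policy to one message. Precedence: hold > purge > tier_cold > keep,
    so a legal hold always wins over the blanket retention clock."""
    age_days = (today - message["received"]).days
    if message["id"] in policy["legal_hold"]:
        return "hold"
    if age_days >= policy["retention_days"]:
        return "purge"
    if age_days >= policy["hot_tier_days"] and message["tier"] == "hot":
        return "tier_cold"
    return "keep"


def plan_actions(archive, today, policy):
    """Dry run: the list of (id, action) pairs the policy would produce today."""
    return [(m["id"], decide(m, today, policy)) for m in archive]


def apply_plan(archive, plan, actor, audit, when):
    """Carry out the plan without mutating the input, writing one audit entry per
    action actually taken (item 2: administrator actions are audited too)."""
    actions = dict(plan)
    remaining = []
    for m in archive:
        action = actions[m["id"]]
        if action == "purge":
            audit.append({"when": when, "actor": actor, "id": m["id"], "action": "purge"})
            continue
        new = dict(m)
        if action == "tier_cold":
            new["tier"] = "cold"
            audit.append({"when": when, "actor": actor, "id": m["id"], "action": "tier_cold"})
        remaining.append(new)
    return remaining


def run_example(today=date(2015, 1, 26)):
    """Plan and apply the constructed policy; returns (plan, archive after, audit trail)."""
    audit = []
    plan = plan_actions(SAMPLE_ARCHIVE, today, POLICY)
    after = apply_plan(SAMPLE_ARCHIVE, plan, "retention-admin",
                       audit, datetime(today.year, today.month, today.day, 2, 0))
    return plan, after, audit


if __name__ == "__main__":
    plan, after, audit = run_example()
    for msg_id, action in plan:
        print(f"{msg_id}: {action}")
    for entry in audit:
        print(f"audit: {entry['actor']} {entry['action']} {entry['id']} at {entry['when']}")
```

Running the plan as a dry run first, and writing the audit entry at the moment the change is made rather than from the plan, keeps the audit trail a record of what happened rather than of what was intended, which is what a reviewer will want to see.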
