HIPAA Compliance for Medical Practices
77.7K views | +1 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Hospital with repeat security failures hit with $218K HIPAA fine

Hospital with repeat security failures hit with $218K HIPAA fine | HIPAA Compliance for Medical Practices | Scoop.it

Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and following a HIPAA breach. 


St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Without adequately analyzing the security risks of this application, it put the PHI of nearly 500 patients at risk.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.


As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.


Then there's the policies and training piece part of the settlement. With this, St. Elizabeth's based on the assessment, will submit revised policies and training to HHS for approval.


In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.


To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.


The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines. 

more...
Gerard Dab's curator insight, 17 July 2015, 01:05

Security! Security! Security!

#medicoolhc #medicoollifeprotector

Scoop.it!

Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions

Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions | HIPAA Compliance for Medical Practices | Scoop.it

Premera is the third largest health insurer in Washington State, and was hit with a cyber attack initiated on May 5 of last year. The Premera attack exposed the personal information of as many as 11 million current and former clients of Premera across the US. While Premera noted on January 29 of this year - the day the data breach was discovered - that according to best information none of the personal data had been used surreptitiously, the fact remains that the data mined by cyber attackers is exactly the kind of information useful for perpetrating identity theft.

To that end, it has been reported that the cyber attackers targeted sensitive personal information such as names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, phone numbers, member identification numbers, bank account information, and claims and clinical information.

As for why the attack was not discovered for some eight months, Premera has said little. However, the breadth of the attack - affecting some 11 million people - and the delay in discovering the breach (initiated May 5, 2014 and revealed January 29, 2015) will likely provide much fodder for Premera cyber attack lawsuits.

According to the Puget Sound Business Journal, the New York Times had suggested the Premera cyber attack may have been perpetrated by the same China-based hackers who are suspected of breaching the federal Office of Personal Management (OPM) last month. However, the VP for communications at Premera, Eric Earling, notes there is no certainty the attack originated in China.

“We don’t have definitive evidence on the source of the attack and have not commented on that,” he said. “It continues to be under investigation by the FBI [Federal Bureau of Investigation] and we would leave the speculation to others.”

That said, it has been reported that the US government has traced all of these attacks to China.

Recent data breach attacks, including the Vivacity data breach and Connexion data breach, are reflective of a shift in targets, according to cyber attack experts. The attacks to the data systems of the federal OPM notwithstanding, it seems apparent that hackers are increasingly shifting their targets to health insurers in part due to the breadth of information available from the health records of clients.

The goal of cyber attackers in recent months, according to claims appearing in the New York Times, is to amass a huge trove of data on Americans.

Given such a headline as “Premera Blue Cross Reports Data Breach of 11 Million Accounts,” it appears they have a good start. While it might be a “win” for the hackers involved acquiring such data surreptitiously and illegally, it remains a huge loss in both privacy and peace of mind for millions of Americans who entrust their personal information to insurance providers, who, in turn, require such information in order to provide service. Consumers and clients also have historically assumed that such providers have taken steps to ensure their personal information is secure.

When it isn’t - and it takes eight months for a cyber attack to be identified - consumers have little recourse than to launch a Premera cyber attack lawsuit in order to achieve compensation for the breach, and as a hedge for the possibility of ample frustration down the road were the breach to evolve in a full-blown identity theft.

To that end, five class-action data breach lawsuits have been filed in US District Court for the District of Seattle. According to reports, two of the five lawsuits allege that Premera was warned in an April 2014 draft audit by the OPM that its IT systems “were vulnerable to attack because of inadequate severity precautions,” according to the text of the lawsuits.

Tennielle Cossey et al. vs. Premera asserts that the audit in question, “identified… vulnerabilities related to Premera’s failure to implement critical security patches and software updates, and warned that ‘failure to promptly install important updates increases the risk that vulnerabilities will not be.’

“If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems.”

Moving forward, Premera Blue Cross data breach lawsuits are being consolidated into multidistrict litigation, given the number of Americans affected and their various locations across the country. An initial case management conference has been scheduled for August 7.

more...
No comment yet.
Scoop.it!

Hospital ID Theft Leads to Fraud

Hospital ID Theft Leads to Fraud | HIPAA Compliance for Medical Practices | Scoop.it

Eight alleged members of an identity theft ring, including a former assistant clerk at Montefiore Medical Center in New York, have been indicted on a variety of charges stemming from using stolen information on nearly 13,000 patients to make purchases at retailers.


Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, says that the incident points to the need for ongoing vigilance by healthcare organizations to prevent and detect ID theft and other related crimes.


Manhattan District Attorney Cyrus Vance Jr. alleges in a statement that members of the ID theft ring made up to $50,000 in purchases at retailers in Manhattan by opening up store credit card accounts using patient information stolen by former hospital worker, Monique Walker, 32.


Walker was an assistant clerk at Montefiore Medical Center, where her position gave her access to patients' names, dates of birth, Social Security numbers, and other personal information, Vance says.

Between 2012 and 2013, Walker allegedly printed thousands of patients' records on a near daily basis and supplied them to a co-defendant, Fernando Salazar, 28, according to Vance's statement.

Salazar is accused of acting as the ringleader of the operation. He allegedly purchased at least 250 items personal identifying information from Walker for as little as $3 per record, Vance says.


The stolen information was then allegedly provided to other defendants to open credit card accounts that were used for purchasing gift cards and merchandize at retailers, including Barneys New York, Macy's, Victoria's Secret, Zales, Bergdorf Goodman and Lord & Taylor.

Walker is charged with one count of felony grand larceny and one count of felony unlawful possession of personal identification information. The other defendants are charged with varying counts of grand larceny, identity theft and criminal possession of a forged instrument, among other charges.


All of the defendants have been arrested and arraigned in criminal court, and have various dates pending for their next court appearances.


"Case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," Vance says. "Motivated by greed, profit and a complete disregard for their victims, identity thieves often feed stolen information to larger criminal operations, which then go on to defraud additional businesses and victims. In this case, a hospital employee privy to confidential patient records allegedly sold financial information for as little $3 per record."

Hospital Fires Worker

A Montefiore spokeswoman tells Information Security Media Group that the medical center was informed by law enforcement on May 15 of Walker's alleged crimes dating back to 2012 and 2013. As a result, Walker, who worked for the hospital for about three years, was fired, the spokeswoman says. "Montefiore is fully cooperating with law enforcement, including the Manhattan's District Attorney's office," a hospital statement says.


Law enforcement discovered the connection to Montefiore patient information while investigators were working on the ID theft case, the Montefiore spokeswoman says.


Of the 12,000-plus patient records that were compromised, it's uncertain how many individuals are victims of ID theft crimes, she says. But as a precaution, Montefiore is offering all impacted patients free identity recovery services, 12 months of free credit monitoring and a $1 million insurance policy to protect against identity theft-related costs.


Montefiore has reported the breach to the Department of Health and Human Services Office for Civil Rights, the spokeswoman says. While that incident as of June 22 was not yet listed on HHS'"wall of shame" tally of health data breaches affecting 500 or more individuals, three other breaches at Montefiore Medical Center appear on the federal website.


Those incidents, all reported in 2010, involved the theft of unencrypted computers. That includes the theft of a laptop in March 2010 which resulted in a breach impacting 625; and two July 2010 thefts of desktop computers that impacted 16,820 and 23,753 individuals.

Breach Prevention Steps

In a statement, Montefiore says that following the alleged crimes committed by Walker that were discovered in May, the hospital has expanded both its technology monitoring capabilities and employee training on safeguarding an accessing patient records to further bolster its privacy safeguards.


"The employee involved in this case received significant privacy and security training and despite that training, chose to violate our policies," the statement notes. "In response to this incident, Montefiore is also adding additional technical safeguards to protect patient information from theft or similar criminal activity in the future."


A hospital spokeswoman says the hospital has rolled out "sophisticated technology" to monitor for improper access by employees to the hospital's electronic patient records


The hospital also says it performs criminal background checks on all employees and "has comprehensive policies and procedures, as well as a code of conduct, which prohibits employees from looking at patient records when there is not a work-related reason to do so."

Steps to Take

Dan Berger, CEO of security consulting firm RedSpin, says it's not surprising the breach went undetected for so long because insider attacks are difficult to uncover. It's unclear if the Montefiore hospital clerk had "good reason to access so many records" as part of her job, he notes.


Patterson of the Medical Identity Fraud Alliance notes: "In addition to proper vetting of employees, the continued evaluation of employee education and awareness training programs and of your internal fraud detection programs is necessary. It's not something you do once and are done. Employees who are properly vetted upon initial hire may have changing circumstances that change their work integrity later on in their employ."


Additionally, security measures often need tweaking as circumstances within an organization change, she says.


"Fraud detection processes that worked when a specific type of workflow procedure was in place may need to be adjusted as that workflow process changes. An emphasis on continued evaluation of all components - people, process, technologies - for fraud detection is good practice."


Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, she says. "Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the 'red flags' detection systems are keeping pace with changing technologies and workplace practices."

more...
No comment yet.
Scoop.it!

Think Your Practice is HIPAA Compliant? Think Again.

Think Your Practice is HIPAA Compliant? Think Again. | HIPAA Compliance for Medical Practices | Scoop.it

You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."

more...
No comment yet.
Scoop.it!

Here's how healthcare can guard against data breaches in the "year of the hack"

Here's how healthcare can guard against data breaches in the "year of the hack" | HIPAA Compliance for Medical Practices | Scoop.it

Protected Health Information, or PHI, is increasingly attractive to cybercriminals. According to PhishLabs, health records can fetch as much as 10 times the value of credit card data on the black market.

Stolen healthcare records can be used for fraudulent billing which, unlike financial fraud, can go undetected for long periods of time. The rising price of healthcare records on the market is attracting more cybercriminals, who are exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint device.


We’ve all heard about several devastating data breaches in the healthcare industry this year – Anthem’s breach of more than 78 million records and the Premera Blue Cross breach of 11 million records. In the first quarter of 2015 alone, there have been 87 reported data breaches affecting 500 or more individuals, according to data from US Department of Health and Human Services Office for Civil Rights. These breaches affected a combined total of 92.3 million individuals, up 3,709 percent from Q1 2014.


Given the mega breaches experienced by Anthem and Premera, one could consider them as outliers. In terms of comparison, excluding the aforementioned breaches would still leave us with a 4.9 percent increase in individuals affected in the first quarter of 2015 versus the same quarter in 2014. Although the first three months of 2014 saw three more data breaches than what has occurred in 2015, it is clear that the number of individuals affected per breach is on the rise.

2015 is the year of the “hack”, but people are still the root cause.

In the first quarter of the year, 33 percent of data breaches were attributed to hacking or an “IT incident,” but the methods by which cybercriminals have successfully penetrated corporate networks are quite telling. These breaches have originated from unencrypted data, unpatched systems, or compromised passwords. In 2015, several hacking incidents have been tracked back to the compromise of a single set of credentials.


The Verizon 2015 Data Breach Investigations Report analyzed nearly 80,000 security incidents including 2,122 confirmed data breaches. Its findings reveal that despite the rise in cyberattacks, 90 percent of security incidents are tied back to people and their mistakes including phishing, bad behavior, or lost devices. The report notes that, even with a detailed technical report of a security incident, the “actual root cause typically boils down to process and human decision-making.” This is frightening but also good news, as there are measures that can be taken to reduce these risks by improving upon process and education, complemented by the right data security solutions.


It’s not all about the network


Healthcare organizations reacting to data breach headlines may focus efforts on protecting the network, leaving data vulnerable to other attack vectors and overlooking the people and process risks that ultimately result in most data breaches.


Cyberattacks come from many different vector points. It only takes one missing device, one use of unsecured WiFi, one compromised password, one click of a phishing email to compromise the entire corporate network. Many of these risks, which originate on the endpoint, put corporate network at risk. Current data security strategies in healthcare cannot be network versus endpoint, nor can they ignore the “people” risk that is only amplified by such trends as BYOD, mobile work, the cloud, and the Internet of Things.


A holistic approach to healthcare security


If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals – breaches will continue to occur. Healthcare organizations that want to get ahead of cybercriminals need to create a holistic approach to data security that incorporates threat prevention, incident detection, and efficient response.


Reduce “the attack surface”


Every point of interaction with PHI puts that data at risk. Reducing the sum total of these points of interaction – the attack surface – can reduce the risk to the data. I suggest a layered approach to data security which decreases the attack surface across endpoints as well as the network, including:

  • A foundation of tight controls and processes;
  • Encryption is a must, but on its own is often circumvented;
  • Supplement encryption with a persistent technology that will provide a connection with a device, regardless of user or location while defeating attempts to remove the technology;
  • Network segmentation is key — granular access controls and tools for continuous monitoring offer real-time intelligence about the devices on the network and the security status of these systems;
  • Automate security remediation activities such as setting new firewall rules or locking down a suspicious device in the case of suspicious activities.


Minimize the “people” risk


You can have the best firewalls, encryption and network access controls, but your employees are still your weakest link. Using a combination of process (education and interactive ongoing training) and technology (such as mobile device management), employees should be aware of their part in protecting corporate data on endpoints.


Know how to detect anomalies


Conduct regular security audits on the network and endpoints. Know where your sensitive data resides and how it’s being used (or misused, in the case of employees) with the aid of a data loss prevention (DLP) tool. Most DLP and endpoint security tools can create automated alerts for suspicious activity.


Develop and maintain an incident response plan


With clear procedures in place to pursue anomalies and to escalate breach situations, potential risks can be addressed promptly and effectively. With many false positives, skilled IT personnel need to connect the dots (such as a user name change, unauthorized physical changes to the device or the device location, software vulnerabilities, registry changes or unusual system processes) and spot a true security incident quickly. Ensure your endpoint security supports remote actions such as data delete and device freeze.


With data regulations tightening, and healthcare data breaches escalating, don’t give cybercriminals an easy “in” to your organization. Trim the sails and batten the hatches to weather the oncoming storm of cyberattacks with a holistic approach to data security.


The more layers of protection you have in place, the better chance you have of avoiding a breach. Just as sailors can make or break a ship’s success in a storm, your employees are your first line of defense in preventing and detecting a data breach incident. If an incident is discovered, an efficient response plan can help your organization stay afloat in the muddy and complex waters of compliance.

more...
No comment yet.
Scoop.it!

Your Cyber-Risk Policy: What it Covers and What it Doesn't

Your Cyber-Risk Policy: What it Covers and What it Doesn't | HIPAA Compliance for Medical Practices | Scoop.it

In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.

• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.

more...
No comment yet.
Scoop.it!

Kareo Announces Apple Watch App To Improve Medical Practice Efficiency

Kareo Announces Apple Watch App To Improve Medical Practice Efficiency | HIPAA Compliance for Medical Practices | Scoop.it

Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.


Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:


  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.


All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”


more...
No comment yet.
Scoop.it!

The New World of Healthcare Cybercrime

The New World of Healthcare Cybercrime | HIPAA Compliance for Medical Practices | Scoop.it

In healthcare, the number and volume of the breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. The human tends to be the weakest link and so hackers tend to exploit the low hanging fruit. Much of the information which is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).


We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.


And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”


All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.


In addition, avoid being low hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework for your organization and best practices, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations—it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.


more...
No comment yet.
Scoop.it!

Health system sees 7th HIPAA data breach

Health system sees 7th HIPAA data breach | HIPAA Compliance for Medical Practices | Scoop.it

How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinicaldata was compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in a less than five years.
 
It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password. 
 
"St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter. 
 
According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patients letters to the wrong patients. 
 
The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients. 


more...
No comment yet.
Scoop.it!

ONC issues new privacy, security handbook

ONC issues new privacy, security handbook | HIPAA Compliance for Medical Practices | Scoop.it

During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

How to comply with MU security requirements, questions you should ask your health IT vendors and everything from cybersecurity and HIPAA to action plans and checklists are among the big highlights.
 
Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.
 
The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and HIPAA privacy and security rules in action. The revised version also include information on compliance with the EHR Incentive Programs' security requirements.
 
And for those looking for more guidance on what questions to ask your health IT vendors, look no further.
 
The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.
 
Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"
 
According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively. 


more...
No comment yet.
Scoop.it!

TigerText bringing HIPAA compliant messaging to Apple Watch

TigerText bringing HIPAA compliant messaging to Apple Watch | HIPAA Compliance for Medical Practices | Scoop.it

TigerText announced this week that its bringing its HIPAA compliant messaging platform to the Apple Watch.


TigerText is a secure enterprise text messaging platform that meets HIPAA requirements for electronic communication. In his review of TigerText, Dr. Eli Sprecher described how the app is used at Boston Children’s Hospital. The app can be used to communicate protected patient health information, send media such as pictures and video, or send group texts. And everyone on the care team can use it – physicians, nurses, social workers, case managers, patient advocates, and so on.


According to TigerText, the Apple Watch app will give users the ability to read as well as dictate messages. Specifically, the app will include:

  • Speech-to-text: An alternative to typing out a message, users can speak into the watch, and the TigerText app will dictate their speech to text, helping them save time when corresponding with others.
  • Receive notifications & alerts: Automated alerts and notifications from the TigerText app can be directly received on the Apple Watch.
  • View photos: Users can quickly view photos sent via TigerText on the Apple Watch.


With the increasingly multidisciplinary nature of the care team, improved communication is critical to effective care. That’s why HIPAA-compliant messaging was included in our wishlist of apps for the Apple Watch. Doximity recently announced that they would be launching an Apple Watch app that enables secure communication among physicians as well as delivering notifications when you get a fax on your secure Doximity e-fax line.


TigerText is already a popular tool at many healthcare institutions. And that is open to any team member, not just physicians, makes it a better fit for communication within a care team at a hospital or clinic.

Given the cost of the Apple Watch, it seems unlikely that we’ll see an enterprise level deployment within healthcare in the near future though I wouldn’t be surprised if we see a few pilots pop up here and there. As recognized by TigerText, its far more likely to start out much the same way as the iPhone and iPad did – in a “bring your own device” model. And with physicians’ enthusiastic uptake of iOS devices, we’ll probably see a fair number of Apple Watches in the clinic and on the wards.


more...
No comment yet.
Scoop.it!

BYOD and cloud are top data breaches and malware risks, survey shows

BYOD and cloud are top data breaches and malware risks, survey shows | HIPAA Compliance for Medical Practices | Scoop.it

With the influx of personal devices in the workplace and the unprecedented risk of data breach and malware, tightening IT security at a company can seem like a daunting task. Just how difficult of a task is it? What are the biggest security risks and what are the top minds in IT considering to combat them?



Security risks and data breaches are growing while the form factors of computing devices shrink—because

Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with CSO readers that a lack of security metrics and reporting was undermining IT security programs. Now, we’ll take a look at what those top security risks are.


Data breaches and malware are at the top

In a not surprising response to a poll that asked IT professionals to name their top three security risks, 32 percent of respondents named data breaches and malware as their top threats and risks. Over half—51 percent—of respondents included not only data breaches and malware, but also insider and outsider threat, BYOD management and security, and advanced persistent threats as their companies’ top risks.

While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.


Trends impacting security programs: BYOD and cloud

When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends:

  • The continuing evolution of BYOD practices 

  • Increasing adoption of cloud technology, both public and private 



Required BYOD


What we’ll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.


But this leads to a tension between company and personal information held on the same device. The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does. In short, there is potential for a ‘Big Brother’ inspired kickback from the employee. However, the savvy security team will earn the user’s trust by demonstrating that the company can only monitor the corporate data, and not only doesn’t, but cannot monitor anything else.


Shying away from BYOD and using the cloud to defend against malware-inspired sensitive breaches is a strong argument. It is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. If an attacker manages to infect the cloud, he could potentially get to impact many more customers and much larger datasets. The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of something that is one of the biggest challenges to IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software, and websites.


The future of IT security is data security—not device security

When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents—32 percent—named information protection and control as their top priority. Web application firewall wasn’t far behind, with 26 percent naming this as a top priority.




This suggests a shift in emphasis from protecting devices to placing a greater emphasis on protecting applications and the data itself. Firewalls are now application firewalls rather than trusted network firewalls. If IT security professionals’ top security controls are designed to protect the data itself, even if there is a breach of sensitive information, that information will remain hidden from any attacker.


What next?


Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm—data centric security in a future CSO article. We’ll take a deeper dive into the idea that if data itself is safe, it doesn’t matter if there is a breach.


more...
No comment yet.
Scoop.it!

Using E-mail at Your Medical Practice: 5 Security Tips

Using E-mail at Your Medical Practice: 5 Security Tips | HIPAA Compliance for Medical Practices | Scoop.it

Methods for transferring protected health information (PHI) have been broken for a long time. Even with the advent of EHRs, data exchange methods haven't kept pace with industry expectations for privacy and convenience.

It's time to retire the usual stable of secure alternatives to e-mail, like patient portals, faxes, or snail mail. They're far too burdensome for both practitioner and patient. Like it or not, e-mail is synonymous with accessibility. To deliver the best care possible, it's essential to meet patients on their terms. It's harder than ever to ignore e-mail, just as it's becoming more difficult to embrace it in good conscience.


Most e-mail security solutions focus on simple text, but the real risk comes with files and attachments. That's because sensitive data typically resides in files. Files, in turn, often get duplicated and cached on devices, making them hard to easily track or protect. So when we talk about the risks facing medical practices when it comes to communicating, it's about files—not simple text messages. The question, of course, is where all that leaves most practices.

The key lies with file encryption. Encryption essentially scrambles messages so that they're only legible by intended users. That's why encryption is so often the means through which healthcare providers guarantee HIPAA compliance. Although most secure e-mail tools focus on the body text of an e-mail, that part might not even be necessary to encrypt. After all, the real threat lies in what comes appended to the e-mail. Whether they're voice recordings, digital X-rays, intake forms, or medical bills, it's essential to encrypt the files themselves.


Seeking Solutions


Finding the right solution, though, is another story. E-mail encryption services exist for handling simple text correspondence with patients by scrambling the messages and sending them through a secure connection. But even these have risks. Many HIPAA-compliant e-mail providers are simply adding yet another system to your already disconnected work flows, rather than integrating seamlessly or solving some of the other problems you have, like storing files and auditing access. What's more, they aren't foolproof.


Here are five tips to help practices communicate with patients and other provider and business associates while maintaining airtight security.


1. Look for file encryption. File-level encryption ensures that protections follow the file no matter where it ends up. With built-in authentication controls, file-level encryption also eliminates the threats associated with mistakenly entering the wrong e-mail address.


2. Don't forget about secure file storage. Many encrypted e-mail services that purport to comply with HIPAA destroy messages after a set period of time. The issue, of course, is that practices need to keep detailed records — and the best place for that, in my humble opinion, is the cloud. Which brings us to …


3. The best solutions will integrate seamlessly with other work flows. The cost of inconvenience is too high, because inconvenience often leads users to seek out workarounds that aren't compliant, including popular cloud services like Dropbox. So the expensive EHR system you've built or bought is nothing more than a loophole to circumvent. In some ways, the cloud presents the ideal all-in-one solution, eliminating the need for e-mail attachments by allowing you to store and share links or folders themselves. In those deployments, it's essential to ensure that your Dropbox files are encrypted and HIPAA-compliant. If you have file encryption, you can use e-mail and Dropbox the same way you would in your personal life — just more securely.


4. Many easy-to-use secure providers don't include a safety net for mistakes. We're all familiar with the horror stories and HIPAA fines that have been levied against practices that mistakenly e-mailed lab results to the wrong patient or faxed a form to the wrong number. That's why the best HIPAA-compliant sharing tools will help prevent or create solutions for mistakes by showing just what was attached and offering the ability to revoke access to the wrong recipient. If a file itself is encrypted, access and modification can be audited even if it was mistakenly downloaded.


5. You don't need to encrypt everything. It isn't necessary — and maybe even inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to their sensitivity are ideal.


There's no shortage of options for communicating, but many secure e-mail technologies can leave much to be desired. The key in striking a balance between convenience and compliance lies in finding a solution that does the hard work of communicating securely for you. The onus should be on the technology — not the patient or your employees — to strike that balance.


more...
No comment yet.
Scoop.it!

Hospital Slammed With $218,000 HIPAA Fine

Hospital Slammed With $218,000 HIPAA Fine | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with the HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacyfor an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

more...
No comment yet.
Scoop.it!

Website Error Leads to Data Breach

Website Error Leads to Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.


In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan adminstrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.


Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.


"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.


Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."


The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.


For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.


Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.


An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.


The corrective action plan required the physicians practice, among other measures, to conduct arisk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead toprivacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.


"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."


Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.


The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.

more...
No comment yet.
Scoop.it!

Four Common HIPAA Misconceptions

Four Common HIPAA Misconceptions | HIPAA Compliance for Medical Practices | Scoop.it

While practices must work hard to comply with HIPAA, some are taking HIPAA compliance efforts a bit too far. That's according to risk management experts, who say there are some common compliance misconceptions that are costing practices unnecessary time and resources.

Here's what they say many practices are avoiding that they don't necessarily need to avoid, and some extra steps they say practices are taking that they don't necessarily need to take.


1. Avoiding leaving phone messages

While it's true that a phone message from your practice to a patient could be overheard by the wrong party, phone messages that contain protected health information (PHI) don't need to be strictly off limits at your practice, says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC."Many offices adopt a blanket policy of, well, 'We can't leave you any phone messages because HIPAA says we can't,' and, that's really not true," he says. "You can always get consent from a patient on how they want to be communicated with."


Hook recommends asking all of your patients to sign a form indicating in what manner you are permitted to communicate with them, such as by mail, e-mail, text, and phone message. "If the patient says, 'Yes, you can call and leave me phone messages at this phone number I'm giving you,' then it's not a HIPAA violation to use that method of communication," he says.


2. Avoiding discussing PHI

It's important to safeguard PHI as much as possible, but some practices are taking unnecessary precautions, says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC.


"I think there's still a fear among small providers ... that they can't discuss protected health information anywhere in the [practice]," she says. "They feel that they have to almost build soundproof walls and put up bulletproof glass or soundproof glass to prevent any sort of disclosure of protected health information, and that's not what HIPAA requires at all. HIPAA allows for incidental disclosures, [which] are disclosures that happen [incidentally] around your job. So if you've got a nurse and a doctor talking, maybe at the nurses' station, and someone overhears that Mr. Smith has blood work today, that probably wouldn't be a violation because it's incidental to the job. Where else are the doctors and nurses going to talk?"


As long as you are applying "reasonable and appropriate" safeguards, Caswell says you should be in the clear.


3. Requiring unnecessary business associate agreements

HIPAA requires practices to have written agreements, often referred to as business associate agreements (BAAs), with other entities that receive or work with their PHI. Essentially, the agreements state that the business associates will appropriately safeguard the PHI they receive or create on behalf of the practice.


Still, some practices take unnecessary precautions when it comes to BAAs, says Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association. "A lot of practices are very concerned about people like janitorial services [and] plant maintenance folks, and they have them sign business associate agreements, but those folks are not business associates for the most part," says Tennant. "You may want to have them sign confidentiality agreements basically saying, 'If you do come across any information of a medical nature, protected health information, you are not permitted to look at it, copy it, keep it ...,' But, you do not need to sign a business associate agreement with anybody other than those folks that you actually give PHI to for a specific reason, like if you've got a law office or accounting office or a shredding company that is coming in to pick up PHI to destroy it."


4. Requiring unnecessary patient authorizations

While it's critical to comply with HIPAA's requirement that only those who have a valid reason to access a patient's medical record, such as treatment purposes, payment purposes, or healthcare operations, have access to it — some practices are misconstruing that rule, says Tennant. "They demand patient authorization before they transfer data to another provider for treatment purposes," he says. "I understand why they do it, but it's one of those things that … can cause delays and confusion, and even some acrimony between the patient and the provider. If it's for treatment purposes specifically, you do not need a patient authorization."

more...
No comment yet.
Scoop.it!

Unencrypted Laptop Leads To US HealthWorks Data Breach

Unencrypted Laptop Leads To US HealthWorks Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

U.S. HealthWorks, a California-based health care service provider specializing in urgent care and occupational medicine, recently alerted employees to a data breach after a password protected (but unencrypted) laptop was stolen in April.


According to its website, the company operates over 200 locations in 20 states and has 3,600 employees, but it was unclear in the notification of the breach exactly how many people may be affected.


The letter explains how an internal investigation began shortly after the company was notified on April 22, 2015, that a laptop issued to an employee was stolen from their vehicle overnight.


“On May 5, 2015, we determined that the employee’s laptop was password protected, but it was not encrypted. After conducting a thorough review, we determined that the laptop may have contained files that included your name, address, date of birth, job title, and Social Security number. Although we continue to work with law enforcement, at this time, the computer has not been located,” U.S. HealthWorks said in its notice letter to employees.


The company did not confirm whether any personal information has been accessed or used inappropriately, but it said it will offer employees free enrollment in identity protection services for one year as a precautionary measure. U.S. HealthWorks reported efforts to ensure compliance to its laptop encryption policy going forward, including an enhancement to deployment procedures for laptops and full disk encryption.


With the number of security breaches on the rise, the importance of organizations controlling and protecting data is critical.

“If you have laptops in your enterprise environment, and let’s face it who doesn’t, you need to address this issue. In this day and age there really isn’t a good reason to not encrypt the hard drives on your laptops,” wrote Forbes contributor Dave Lewis in a post Monday (June 1).


While the scope and effects of this particular breach are unclear, U.S. HealthWorks does not need to look far to see that data breaches can wreak havoc. Anthem Inc.TargetHome Depot and many others have learned the hard way about the ongoing financial impacts associated with data breaches. A recent study by Ponemon Institute found that the average cost of a data breaches is now more than $3.8 million on average, a 23 percent increase from the levels seen two years ago.

more...
No comment yet.
Scoop.it!

Beacon Health Is Latest Hacker Victim

Beacon Health Is Latest Hacker Victim | HIPAA Compliance for Medical Practices | Scoop.it

Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.


South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.


The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.


Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.


"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."


The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.


The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.


The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.


In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.


"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principle consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights'"wall of shame" of health data breaches affecting 500 or more individuals.


OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:


  • An attack on Anthem Inc. , which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.


But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, includingPartners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.


"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.


"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."


When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worst results for patients and the organization."


However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.


"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.

more...
No comment yet.
Scoop.it!

Doctors Going the Distance (In Education)

Doctors Going the Distance (In Education) | HIPAA Compliance for Medical Practices | Scoop.it

We need more doctors.


Between older care providers retiring, and the general population shift that is the aging of the Baby Boomers, we are running into a massive demographic of more, older patients, living longer and managing more chronic conditions. This puts incredible pressure not just on the remaining doctors and nurses to make up the gap, but strains the capacity of schools to recruit, train, and produce competent medical professionals.


So how can schools do more to reach students and empower them to enter the healthcare field?


The increasing popularity of online programs (particularly at the Masters level, among working professionals looking for a boost to their career advancement) has called forth a litany of studies and commentaries questioning everything from their technology to their academics,compared to traditional, on-campus programs. More productive would be questioning the structure and measuring the outcomes of degree programs in general, rather than judging the value of a new delivery mechanism against an alternative more rooted in tradition than science.


In terms of sheer practicality, though, a distance education—yes, even for doctors and surgeons—makes a certain amount of sense. One of the hottest topics in the medical community right now is Electronic Health Records (EHRs) and the ongoing struggle to fully implement and realize the utility of such technology.


Rolling out in October of 2015, comes the sidecar for the EHR vehicle: ICD-10, the international medical coding language that the U.S. has long postponed adopting. While the digital nature of modern records platforms at least makes ICD-10 viable, it still represents a sharp learning curve for current care providers.


Then there is the intriguing promise of pharmacogenetics, whereby medication is developed, tested, and prescribed, all on the basis of a patient’s individual genetic profile. Combined with an EHR and a personal genetic profile, a patient could be observed, screened, diagnosed, referred to a pharmacist, and able to order and receive a prescription, all without leaving home. Taking into consideration the growing need for medication therapy management—driven by the Baby Boomers living longer with more conditions under care—the value of such a high-tech system is clear.


This draws on what is perhaps the most lucrative (in terms of health outcomes and large-scale care delivery) set of possibilities enabled by the shift to digital: telemedicine. From consultations to check-ups, telehealth in the digital age no longer necessitates sacrificing face-to-face interaction; streaming video chat means patients and doctors can still look one another in the eye, albeit through the aid of cameras.


Proponents of the technology take it further, declaiming that world-class surgeons will no longer be anchored to a single facility—human-guided robotic surgery (telesurgery) will bring expertise to even the most remote locations.


If industry leaders anticipate so much being done remotely, why then are others squeamish about delivering an education online? It would seem that the medical skillset of the future requires greater comfort and competence in dealing with virtual settings, online interaction, and digital record-keeping.


The problem many have is not with online med school in particular so much as online degree programs in general. How can a virtual setting possibly hope to compete with the unique, collaborative, community-oriented environment of the college campus—whatever the area of study?


Forward-thinking professors like Sharon Stoerger at Rutgers have pioneered at least one possible answer to this question. Adopting the online immersive social platform known as Second Life, Stoerger and her like-minded peers have constructed virtual classrooms with accompanying courses, and successfully guided several cohorts (of students as well as instructors) through the experience.


For the aspects of learning that simply require hands-on practice, of course, there are limits to the promise of such virtual environments. Then again, synthetic patient models, known as Human Patient Simulators (HPS), are already proving their merits as an efficient, effective way to let students gain practical experience in a controlled environment. While Ohio Universityinstructors have pioneered the use of HPS in the school’s nursing programs, advancing technology continues to push the functional limits of such systems.


In order to realize the potential of modern delivery of patient care, we first need to realize the potential of modern instructional delivery. The technology is already showing that the real limits of online learning are not practical considerations; they are attitudes and assumptions about what learning ought to look like.


more...
No comment yet.
Scoop.it!

Criminal Attacks on Health Data Rising

Criminal Attacks on Health Data Rising | HIPAA Compliance for Medical Practices | Scoop.it

Criminal attacks in the healthcare sector - including those involving hackers and malicious insiders - have more than doubled in the last five years, according to a new study.


The "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of a data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently had been the top breach culprit.


"The root cause for health data breaches had been mistakes and incompetency, but now criminal attacks are number one," Larry Ponemon, founder and chairman of the Ponemon Institute, tells Information Security Media Group. "Year to year, it's getting worse. We've seen it in large-scale incidents like Anthem," which in February revealed a hacker attack that compromised protected health information of 78.8 million individuals, he notes.


"A lot of organizations are easy targets," he says. "The combination of highly valuable information and easy access makes the sector a huge target."


Ponemon's research, conducted in February and March, generated responses from 90 healthcare organizations and, for the first time this year, 88 business associates. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.

Hacking Trends

In recent months, the Department of Health and Human Services' "wall of shame" website tracking health data breaches affecting 500 or more individuals has shown a growing number of hacking incidents of various sizes - far more than in previous years. And the Anthem breach alone represents nearly 60 percent of the 133.2 million breach victims listed on the tally since September 2009, when the HIPAA breach notification rule went into effect.


Among the latest hacking breaches added to the wall of shame was an incident reported to HHS on May 1 by Partners HealthCare System, which operates several large hospitals in Boston.


"Unfortunately, the rise in both hacker attacks and criminal activities involving malicious insiders comes as no surprise," says Dan Berger, CEO of the consultancy Redspin, which was recently acquired by Auxilio. "A few years ago, I remember many people being surprised at how few hacker attacks there were in healthcare. We warned our clients of the 'risk of complacency' in this regard."


With more electronic health records than ever before, there's a growing awareness of their "exploitation value," Berger says. "At the same time, healthcare spending on IT security continues to lag almost all other industries. So with a greater amount of valuable data behind lower than average defenses, it should not be a surprise that PHI has become a favorite target of hackers. It is basic economics."


Hackers are the No. 1 "emerging" cyberthreat that healthcare entities are worried about this year, according to the 2015 Healthcare Information Security Today survey of 200 security and privacy leaders at healthcare organizations, which was conducted in December 2014 and January 2015 by ISMG. Coming in at a close second as the biggest "emerging threat" is business associates taking inadequate security precautions with PHI; that's also the top threat respondents are worried about "today." Complete results of that survey, and a webinar analyzing the results, will be available soon.


The Ponemon study found that nearly 45 percent of data breaches in healthcare are a result of criminal activity. However, the researchers found that criminal-based security incidents, such as malware or distributed denial-of-service attacks, don't necessarily result in breaches reportable under HIPAA. In fact, 78 percent of healthcare organizations and 82 percent of business associates had Web-borne malware attacks.

Breach Costs

Based on its study, the Ponemon Institute estimates that the average cost of a data breach for healthcare organizations is more than $2.1 million, while the average cost of a data breach to business associates is more than $1 million.


Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record.


"We see recognition of medical ID theft being a problem, but we don't see many healthcare providers stepping up" in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.


The Ponemon study found that information most often stolen in these targeted healthcare sector attacks include medical files and billing and insurance records.


Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, offers a dire prediction: "I believe we will continue to see the number of reported breaches rise, despite stronger efforts to protect data. Personally identifiable health data continues to have high street value, leading to more attacks."


more...
Scopidea's curator insight, 22 June 2015, 08:03

Many great points in this well written article.

Scoop.it!

Researchers examine balancing privacy risk, utility of de-identified health data

Researchers examine balancing privacy risk, utility of de-identified health data | HIPAA Compliance for Medical Practices | Scoop.it

Researchers have shown how easy it is to re-identify patients in de-identified data, yet de-identified data can lose its value as more identifying factors are stripped out.


In a study published in the Journal of the American Medical Informatics Association, researchers from Vanderbilt University and elsewhere extended an algorithm to explore policy options that balance risk of violating a patient's privacy vs. the use of data for society.

The Safe Harbor model defined by HIPAA is one policy that specifies 18 rules, including suppression of explicit identifiers such as names, and generalization of "quasi-identifiers," such as date of birth, requiring recording the age of all patients over 90 as 90+. This rigid rule-based policy might not be ideal for sharing every data set, such as studies on dementia patients.


So the law allows alternatives, provided the risk of re-identification is appropriately measured and mitigated. A Centers for Medicare & Medicaid Services dataset, for instance, published on the Internet would carry a high risk because the system is completely open and the users unknown. Health data to be used by a trusted party with a data-use agreement and strong information security practices could be allowed a policy that favors utility over risk.


The researchers used the Sublattice Heuristic Search algorithm with U.S. census data from 10 states to show it can be applied to recommended rule-based de-identification policy alternatives for patient-level datasets with less risk and more utility than Safe Harbor and other models.


Harvard researchers have shown that patients can be re-identified with just their Zip code, date of birth and gender, along with other publicly available data such as voter rolls.


The Health Information Trust Alliance recently released a new framework for de-identification of sensitive patient information as part of a risk-management strategy.


more...
No comment yet.
Scoop.it!

Misplaced USB drive leads to county health department breach

Misplaced USB drive leads to county health department breach | HIPAA Compliance for Medical Practices | Scoop.it

The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.


The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.


The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.


more...
No comment yet.
Scoop.it!

Don't Make the Same HIPAA Mistakes as Other Practices

Don't Make the Same HIPAA Mistakes as Other Practices | HIPAA Compliance for Medical Practices | Scoop.it

All practices should be working hard to ensure they are HIPAA compliant. But with so much to focus on, it can be difficult to determine what compliance areas deserve the most attention. 

One way to craft an effective, targeted compliance strategy is by identifying what's getting other practices into trouble most often, and taking steps to prevent similar mistakes at your practice.

At the Healthcare Information and Management Systems Society (HIMSS) conference in Chicago, Adam Greene, a partner at Davis Wright Tremaine LLP, a national business and litigation law firm, identified some of these common problem areas during his session, "Preparing for a New Level of HIPAA Enforcement."


Common Sources of HIPAA Breaches


To illustrate what's leading to breaches most often at practices and health systems, Greene shared top sources of HIPAA breaches involving 500 or more individuals by number of individuals affected.

He compiled the information in February 2015 from the HHS and its Office for Civil Rights (OCR) Breach Portal, which features information on breaches that occurred from the start of the breach reporting period in September 2009.


53 percent of breaches occurred due to theft of protected health information (PHI). "We're not talking about mission impossible hanging from a wire kind of theft," said Greene. Instead, he said, most of the thefts appear to be "crimes of opportunity," such as a thief breaking into a window or car and stealing a laptop.
• 18 percent of breaches occurred due to unauthorized access or disclosure of PHI.
• 8 percent of breaches occurred due to loss of PHI.
• 4 percent of breaches occurred due to improper disposal of PHI.
13 percent of breaches occurred due to unknown causes and unknown causes.

Common Types of Media Involved in HIPAA Breaches

Greene also shared the most common types of media involved in HIPAA breaches. Again, the information is based on data he pulled from the HHS and OCR Breach Portal involving 500 or more individuals by number of individuals affected.

• 23 percent of breaches related to PHI stored on paper/films. Of this statistic, Greene said it's clear that amidst the push for electronic information, paper-based media should not be overlooked when it comes to HIPAA compliance. "We really need to be more focused on paper," he said.
• 21 percent of breaches related to PHI stored on laptops.
• 12 percent of breaches related to PHI on a network or server.
11 percent of breaches related to information stored on a desktop computer.
9 percent of breaches related to information stored on other electronic devices.
• 6 percent of breaches related to information included in e-mails.
• 4 percent of breaches related to information in EHRs.
• 14 percent of breaches related to other types of media.

Common HIPAA Compliance Problem Areas

For more insight into the HIPAA compliance areas that practices are most struggling with, Greene shared some of the top issues identified during the HIPAA Pilot Audit Program, which took place between 2011 and 2012.

• In relation to the HIPAA Security Rule, the program found that 80 percent of providers did not have a complete or accurate risk analysis. Other issues found in audits included lack of access management (such as failure to put appropriate role-based access safeguards in place); failure to have appropriate security incident procedures in place (such as those related to workstation security); and failure to encrypt PHI.

In relation to the HIPAA Privacy Rule, common problems identified in the audit program included: Inadequate procedures related to the Notice of Privacy Practices (such as not giving the notice out appropriately or failing to post it appropriately); and failure to have appropriate procedures related to patients' right to request privacy protections.

• In relation to the HIPAA Breach Notification Rule, common problems identified in the audit program included failing to provide breach notification appropriately (such as failing to include the proper content in the notification); and failure to comply with timelines regarding notification.



more...
No comment yet.
Scoop.it!

Cybersecurity must be faced by industry head on

Cybersecurity must be faced by industry head on | HIPAA Compliance for Medical Practices | Scoop.it

Less than a quarter of the way through 2015, tens of millions of healthcare consumers already have seen their personal information compromised--the most notable hacks so far being on health insurance providers Anthem and Premera.


The Anthem attack, announced in February, sent the industry reeling, with the unencrypted information of more than 78 million individuals compromised after hackers broke into a database.


Weeks later, it was revealed that at Premera Blue Cross, hackers gained access to the personal information of 11 million customers. The attack initially occurred May 5, 2014, but it was not detected by the Mountlake Terrace, Washington-based insurer until Jan. 29 of this year, Premera said on a website it set up to inform members about the incident.


Many in healthcare have said threats have to be taken seriously from the top all the way down--from the C-suite to the workforce.

"The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be tremendous improvement on protecting privacy and data security," Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School said during the HIPAA Summit in the District of Columbia last month. "Data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."


With all the trouble these kinds of breaches and attacks are causing healthcare organizations, it's no surprise that the Healthcare Information and Management Systems Society's conference in Chicago next week will be chock full of panels and events on the growing issue.


Educational sessions will address cybersecurity aspects that include upcoming HIPAA audits (though no date has been announced for when those will begin), data security and enforcement trends, and how to protect patients by staying ahead of such threats.



more...
No comment yet.
Scoop.it!

Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions

Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions | HIPAA Compliance for Medical Practices | Scoop.it

Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care.  So what's the down side?


Well, for starters, these records are ripe for hacking and inadvertent disclosures. As mentioned in a previous post, health care fraud has reached new heights by and through the theft of personal and medical information.  Left in the wrong hands, the sensitive information contained in these computerized records could unleash a fraud firestorm.


Historically, medical providers have successfully defended against claims brought by plaintiffs whose information was hacked or otherwise improperly accessed by relying upon the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") which expressly provides that there is no private right of action under HIPAA.  This success may be short lived as the number of hackers has increased and some courts, like Connecticut's Supreme Court,  have indicated a willingness to allow plaintiffs to bring claims for negligence and privacy violations against providers under state law.

HIPAA Standard of Care

In Byrne v. Avery Ctr. For Obstetrics & Gynecology, 314 Conn. 433 (2013), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and without taking any steps to protect it from disclosure in violation of HIPAA's guidelines.  The aggrieved patient filed an action against the provider for breach of contract, negligence, and negligent infliction of emotional distress.


While noting HIPAA's language with regard to private rights of action, the Court did not find that limitation dispositive of the negligence claim brought by the patient.  The Court hinted that a  violation of the standards promulgated under HIPAA may support a deviation from the standard of care required for a negligence claim.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of falling victim to a HIPAA breach have markedly increased.  New Jersey health care providers should be mindful of the Connecticut case because New Jersey may follow this trend of reviewing HIPAA guidelines as a standard of care that may be considered to support a negligence action.

Problem Prevention
  1. Review and update HIPAA policies.
  2. Educate staff on the significance of the policies and demand 100% compliance.
  3. Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.


more...
No comment yet.