HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Hospital to pay $218,400 for HIPAA violations


St. Elizabeth's Medical Center will pay $218,400 to settle alleged HIPAA violations under a resolution agreement with the Department of Health and Human Services' Office for Civil Rights (OCR).


In 2012, OCR received a complaint alleging that the Brighton, Massachusetts-based medical center had stored protected health information for almost 500 individuals in an Internet-based document sharing application without first analyzing the risks of doing so, according to an announcement from OCR.


During its investigation, OCR found that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." Separately, in 2014 St. Elizabeth's notified OCR of a breach involving unencrypted protected health information for 595 individuals stored on a former workforce member's personal laptop and USB drive.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.


Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.


While Phase II of the federal HIPAA audit program remains "under development," Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.

Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency reached an agreement with Cornell Prescription Pharmacy over an incident involving the insecure disposal of paper records containing PHI. Under that agreement, Cornell paid $125,000 and adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth's is the 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

10 ways to prevent a data breach and protect your small business


Today, virtually all businesses collect personal information about customers, employees and others. This information is valuable to hackers – evidenced by the increasing frequency and severity of data breaches across the globe.

Big businesses are not the only ones that are vulnerable. Small and medium-sized businesses, which have fewer data security resources, are frequent targets for cybercriminals. In fact, research we’ve conducted with the Ponemon Institute shows that more than half of them have experienced a data breach, and nearly three out of four report they can’t restore all their data.


The good news is that businesses can take steps to protect themselves from destructive cyber intrusions. To preempt hacking activity, you must think like a hacker. Here are a few tips to get you started.

1. Think beyond passwords. Never reuse them, and don’t trust any website to store them securely. To raise the bar, set up two-factor authentication for all your online business accounts. It combines something only you should know (your password) with something only you should have (typically your phone) to verify your identity, so a stolen or reused password alone is not enough to log in.

2. Stop transmitting data that is not encrypted. Mandate encryption of all data, both at “rest” and “in motion.” Consider encrypting email within your company if personal information is transmitted. Avoid open or public WiFi networks for business traffic, since anyone on the same network may be able to intercept unencrypted data.

3. Outsource payment processing. Avoid handling credit card data on your own. Reputable vendors, whether it’s for point-of-sale or web payments, have dedicated security staff that can protect data better than you can.

4. Separate social media activity from financial activity. Use a dedicated device for online banking and other financial activities, and a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and sensitive business accounts.

5. “Clean house” and update procedures. Evaluate your assets and valuable data to identify where your organization is most at risk. It’s important to reduce the volume of information you keep on hand (only keep what you need!) and properly destroy all paper documents, CDs/DVDs and disks before disposal. Consider assessing your business’s email infrastructure, browser vulnerability, and ID system. Do not use Social Insurance Numbers as employee ID numbers or client account numbers. You should also question the security posture of your business lines, vendors, suppliers or partners.

6. Secure your browser. Watering holes – malicious code installed on trusted websites – are a common method of attack against businesses. How do you know which websites to trust? Focus on keeping up-to-date with the latest version of your browser. Then, test your browser’s configuration for weakness.

7. Secure your computers and operating system. Implement password protection and “time out” functions (requiring re-login after a period of inactivity) for all business computers. Require strong passwords that must be changed on a regular basis. Also be sure to keep all operating systems updated, since updates carry the security fixes. Operating systems that no longer receive security patches, such as Windows XP or OS X 10.6, are far easier to break into.

8. Secure your internet router. Change the router’s default administrator password, keep its firmware updated, and protect the wireless network with WPA2 and a strong passphrase so that traffic passing through it cannot simply be intercepted. Hiding the Service Set Identifier (SSID), the name the wireless network broadcasts to identify itself, is often suggested, but it only deters casual discovery and is no substitute for encryption.

9. Safeguard and back up your data. Lock physical records containing private information in a secure location and create backups. These should be encrypted and off-site in case there’s a fire or burglary.

10. Educate and train employees. Establish a written policy about data security, and communicate it to all employees. Educate them about what types of information are sensitive or confidential and what their responsibilities are to protect that data. In addition, restrict employee usage of computers for only business purposes. Do not permit use of file sharing peer-to-peer websites or software applications and block access to inappropriate websites.

It’s important to remember that no business is “too small” for a hacker; all businesses are vulnerable. The sooner you get ahead of potential hacking activity using the above steps, the sooner you’ll be prepared to thwart, mitigate and manage a data breach.

Your Cyber-Risk Policy: What it Covers and What it Doesn't


In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading causes of breaches. They know your systems, likely better than you do, so keep a close watch on them and on what type of data they have access to. Pay particularly close attention to new staff and to those who may be on their way out, and revoke access promptly when someone leaves. Also make sure they know they are monitored.

2. Cyber criminals look for remote Internet access services protected only by weak passwords. Require and enforce complex passwords, require employees to change them regularly, and enable two-factor authentication on remote access wherever the service supports it.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.

• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.

Physicians' Cybersecurity Should Begin With TAP


Recently, I read an article in the American Bar Association Journal, entitled "Net Risk — Cyber Liability Insurance Is an Increasingly Popular, Almost Necessary Choice for Law Firms." Like law firms, medical practices have data security requirements. Hence, HIPAA and the HITECH Act. Yet, I am still amazed at how many physicians have "ostrich syndrome" and look the other way when it comes to cybersecurity and HIPAA compliance.

In my various experiences in dealing with physicians, whether it was in the operating room or dealing with contract negotiations, most physicians simply want to practice medicine. It is what they went to school for and what most have a passion for. Dealing with the ever-changing regulations and billing procedures is daunting. Even though cybersecurity compliance in relation to HIPAA and the HITECH Act has been in effect for a while, many physicians (and business associates) still don't know where to start.


To help with this process, I suggest that physicians focus on TAP: the technical, administrative, and physical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) as amended by the Final Omnibus Rule (Jan. 25, 2013). Here are some key items from each area:


• Technical. Establish access control policies and procedures and assign unique user names and passwords.


• Administrative. Establish audit logs, access reports, and security incident-tracking reports; assign security responsibility; make certain that everyone undergoes security awareness and HIPAA training; and to ensure that the office staff and contractors are above board, run a background check.


• Physical. Establish workstation security parameters; implement procedures for the removal, sanitization, and re-use of electronic media; and keep a record of completed maintenance, including having locks changed and cameras installed.


The most crucial items to address first are the policies and procedures, followed by encryption of data both at rest and in transit using FIPS 140-2 validated cryptography (AES-256 is the usual choice). Encryption matters for liability: under HHS's breach-notification guidance, PHI encrypted in this way is not "unsecured," so the loss of an encrypted laptop or USB drive does not by itself trigger breach notification, provided the decryption key was not exposed along with it. That is the safe harbor. Cybersecurity policies are also a prudent choice for physicians, especially since many practices also accept credit cards. "[T]he loss of such data can have many negative repercussions, including lawsuits, regulatory investigations, fines and penalties, and the loss of a good reputation as a trusted fiduciary," and this applies equally to medicine as it does to law. Taking cybersecurity seriously is imperative.
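The paragraph above, like tip 2 of the small-business list earlier on this page, calls for encrypting PHI at rest. The following Go program is an added example and is not from either article: it seals one PHI record with AES-256-GCM from Go's standard library, an authenticated mode, so a drive that goes missing yields nothing without the key and any modification of the stored bytes is detected on decryption. The record text and the record identifier used as associated data are constructed for illustration. Two assumptions are stated in the code: the key is generated locally for the demo, whereas in practice it is held in a key management service or the operating system keystore and never on the same medium as the ciphertext (otherwise the safe harbor does not apply); and Go's stock crypto package is not itself a FIPS 140-2 validated module, so a deployment relying on the safe harbor would use a validated module for the same algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey generates a random 256-bit key. Assumption for the demo only: in
// deployment the key lives in a KMS or OS keystore, never beside the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one PHI record and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted (here a record identifier), so a
// ciphertext cannot be silently moved to a different record.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record; reusing a nonce under the same
	// key destroys both confidentiality and integrity in GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord. A wrong key, a changed byte anywhere in
// the blob, or mismatched aad makes aead.Open return an error.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// tamperDetected flips one ciphertext byte and reports whether decryption
// fails, which is the property the lost-drive scenario relies on.
func tamperDetected(key, blob, aad []byte) bool {
	mod := append([]byte(nil), blob...)
	mod[len(mod)-1] ^= 0x01
	_, err := openRecord(key, mod, aad)
	return err != nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000001; TB skin test 2015-02-10: negative")
	aad := []byte("record-000001")
	blob, err := sealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	pt, err := openRecord(key, blob, aad)
	fmt.Printf("roundtrip ok: %v, tamper detected: %v\n",
		err == nil && bytes.Equal(pt, record), tamperDetected(key, blob, aad))
}
```

The associated data is what makes this more than file encryption: a ciphertext copied from one patient's record slot into another fails to decrypt, so integrity of the record set, not just secrecy of each record, is checked.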

Physician take-aways


1. Start with TAP and assess compliance with each of the areas defined in the regulations.


2. Speak with a knowledgeable insurance broker about the different types of insurance policies.


3. When evaluating insurance policies look for what is excluded, as well as what is included.


Misplaced USB drive leads to county health department breach


The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.


The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.


The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.


Don't wait to be a data breach victim – take preventive measures now


February was Data Privacy Month, and though it may be behind us, consumers would be smart to consider every day as Data Privacy Day. From Anthem to Target and Otto Pizza to The Works Bakery Cafe, data breaches are becoming increasingly prevalent in Maine and across the country.


Legislative leadership in Maine is concerned with the financial security of our residents, particularly our older population. In 2013, the Maine Legislature passed a joint resolution recognizing Jan. 28 as Data Privacy Day, joining the many states and 28 countries that have made similar resolutions.


The resolution encourages all members of the community to learn about data privacy, the specific steps one can take to protect the privacy of their personal information, and to discuss data privacy with vulnerable citizens throughout Maine. It also calls upon businesses and agencies to better protect the privacy and security of their customers’ sensitive information.


In light of existing vulnerabilities in data security, the American Bankers Association has pushed Congress to pass data security legislation that holds retailers and others to higher and more consistent standards in order to safeguard customer information.


Last month in Maine, the Insurance and Financial Services Committee heard testimony regarding legislation that AARP Maine, a Maine Fraud Prevention Alliance member, introduced to amend the state’s credit freeze law to reduce the cost of a freeze to Mainers.


Fellow alliance member Jane Carpenter, CEO of Maine Identity Services, LLC, testified at the public hearing, and the Maine Council on Aging and the University Credit Union submitted written testimony. This bill, L.D. 382, is sponsored by Sen. Rodney Whittemore, R-Skowhegan.

A credit freeze is one of the best ways consumers can protect themselves from identity theft. Currently, it costs Mainers $10 to freeze credit with each of the three credit bureaus; $30 total. Freezing credit files protects this sensitive information and helps to prevent identities from being stolen.


The fee is waived for identity theft victims who can provide a copy of a police report, investigative report or complaint to a law enforcement agency. L.D. 382 would eliminate the fees, making this tool more accessible.


Considering the importance of keeping one’s data and credit safe, we encourage all Mainers to be proactive. Many individuals are unaware of a data breach until they are contacted by their bank or credit union. However, just by carefully monitoring monthly bank and credit card statements, consumers are more likely to spot a problem.


According to Carpenter, of Maine Identity Services, there are no guarantees that a hacker can be stopped from using your information once they have obtained it. Carpenter estimates that as many as 750,000 Mainers have become victims of identity theft over the last 18 months, yet by reacting quickly when you first learn about a breach, you can help decrease the chance of becoming a victim of this crime.

Along with initiating a credit freeze, there are other preventative measures one can take. Specifically, the Maine Fraud Prevention Alliance developed the “DASH Fraud” program, whose acronym is based upon four easy-to-remember measures to prevent fraud and protect information:


DELETE unsolicited emails and texts – no financial services company will ask for personal information via email. Never click on links; instead, go directly to websites by typing in the known Web address.

ASK for permits from door-to-door salespeople – anyone involved in transient selling must have a permit. If in question, call your local municipality or law enforcement.

SHRED personal information and documents, as well as junk mail – including pre-approved credit offers and prize offerings.

HANG UP on unsolicited calls – many calls involve “claiming a prize,” wiring money or confirming personal information. If it appears legitimate, get the name and phone number of the company and conduct research. Never give personal information to a stranger.

Individuals can also sign up to receive free “Watchdog Alerts” through AARP’s Fraud Watch Network to stay up to date on the latest scam alerts – go to aarp.org/fraudwatchnetwork, which offers excellent resources and prevention tips.


We encourage everyone to take the necessary steps to protect their personal data. We also urge our legislators to support L.D. 382 to eliminate the current credit freeze costs, which will arm Maine residents with a more accessible way to protect their identities.


BYOD and cloud are top data breaches and malware risks, survey shows


With the influx of personal devices in the workplace and the unprecedented risk of data breach and malware, tightening IT security at a company can seem like a daunting task. Just how difficult of a task is it? What are the biggest security risks and what are the top minds in IT considering to combat them?




Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with CSO readers that a lack of security metrics and reporting was undermining IT security programs. Now, we’ll take a look at what those top security risks are.


Data breaches and malware are at the top

Unsurprisingly, when asked to name their top three security risks, 32 percent of respondents named data breaches and malware as their top threats. Over half (51 percent) of respondents listed not only data breaches and malware but also insider and outsider threats, BYOD management and security, and advanced persistent threats among their companies’ top risks.

While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.


Trends impacting security programs: BYOD and cloud

When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends:

  • The continuing evolution of BYOD practices 

  • Increasing adoption of cloud technology, both public and private 



Required BYOD


What we’ll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.


But this creates a tension between company and personal information held on the same device. The company needs to protect its own data, yet the employee’s personal data sits alongside it and is exposed to any device monitoring the company does. In short, there is potential for ‘Big Brother’ pushback from employees. The savvy security team earns the user’s trust by demonstrating that the company can monitor only the corporate data, and not merely doesn’t but technically cannot monitor anything else.


There is a strong argument for steering away from BYOD and using the cloud to defend against malware-driven breaches of sensitive data: it is harder to infect a well-run cloud service than an individual endpoint. But there is also a scale issue. If an attacker does manage to compromise the cloud, the impact reaches many more customers and much larger datasets. The weakness in cloud security is less the cloud itself than how the cloud is used. This is an instance of one of the biggest challenges in IT security: the difference between something working correctly and something working correctly and securely. It affects everything from malware prevention to proprietary apps, open source software, and websites.


The future of IT security is data security—not device security

When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents—32 percent—named information protection and control as their top priority. Web application firewall wasn’t far behind, with 26 percent naming this as a top priority.




This suggests a shift in emphasis from protecting devices to protecting applications and the data itself. Firewalls are now application firewalls rather than trusted-network firewalls. If the top security controls are designed to protect the data itself, then even when sensitive information is breached it remains unreadable to the attacker, provided the keys that protect it were not taken along with it.


What next?


Faced with the near impossibility of defending every endpoint against malware in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm, data-centric security, in a future CSO article. We’ll take a deeper dive into the idea that if the data itself is safe, a breach of the systems around it matters far less.


2015 is already the year of the health-care hack — and it’s only going to get worse.

Last year, the fallout from a string of breaches at major retailers like Target and Home Depot had consumers on edge. But 2015 is shaping up to be the year consumers should be taking a closer look at who is guarding their health information.

Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post.

"That's a third of the U.S. population -- this really should be a wake-up call," said Deborah Peel, the executive director of Patient Privacy Rights.

The data may double-count some individuals if they had their information compromised in more than one incident, but it still reflects a staggering number of times Americans have been affected by breaches at organizations trusted with sensitive health information. And the data does not yet reflect the hack of Premera, which announced this week that hackers may have accessed information, including medical data, on up to 11 million people.


Most breaches of data from health organizations are small and don't involve hackers breaking into a company's computer system. Some involve a stolen laptop or the inappropriate disposal of paper records, for example -- and not all necessarily involve medical information. But hacking-related incidents disclosed this year have dramatically driven up the number of people exposed by breaches in this sector.

When Anthem, the nation's second-largest health insurer, announced in February that hackers broke into a database containing the personal information of nearly 80 million records related to consumers, that one incident more than doubled the number of people affected by breaches in the health industry since the agency started publicly reporting on the issue in 2009.

"We are certainly seeing a rise in the number of individuals affected by hacking/IT incidents," Rachel Seeger, a spokesperson for HHS's Office for Civil Rights, said in a statement. "These incidents have the potential to affect very large numbers of health care consumers, as evidenced by the recent Anthem and Premera breaches."

And some cybersecurity experts warn this may only be the beginning. "We're probably going to see a lot more of these happening in the coming few months," said Dave Kennedy, the chief executive of TrustedSEC.

Health organizations are targets because they maintain troves of data with significant resale value in black markets, Kennedy said, and their security practices are often less sophisticated than other industries. Now that some major players in the market have come forward as victims of cyberattacks other organizations are likely to take a close look at their own networks -- potentially uncovering other compromises, he said.

"The information that companies like Anthem and Premera had is more valuable than just payment card information held by retailers or financial institutions," said Scott Vernick, who heads up the data security and privacy practice at law firm Fox Rothschild. Credit card information has a relatively short shelf life, with new cards issued on a regular basis, he explained. But health organizations often have complete profiles of people, including Social Security numbers and medical information, that are much more difficult if not impossible to change.


Some of the data can be used to pursue traditional financial crimes -- like setting up fraudulent lines of credit, Kennedy said. But it can also be used for medical insurance fraud, like purchasing medical equipment for resale or obtaining pricey medical care for another person.

This type of scheme is often not caught as quickly as financial fraud, experts said, and could have a lasting effect if it results in a person's medical history containing false information. "In theory you could end up in an emergency situation, and if your records are contaminated by someone else's information that could cause serious problems -- like medical professionals believing you have a different blood type," said Peel.

If a hacker is able to obtain information about a person's medical condition, as it appears may have happened in the Premera breach but not the Anthem breach, there are additional risks. Information about mental health or HIV treatments could be made public, and there's no way to truly make the information private again. "There's almost no way to remedy this; there's no recourse," said Peel.

Health care providers already have to comply with government rules on protecting patient privacy, including HIPAA, which are enforced by HHS.

"Health care organizations need to make data security central to how they manage their information systems and to be vigilant in assessing and addressing the risks to data on a regular basis," said Seeger, the HHS official. "In addition, organizations need to ensure they are able to identify and respond appropriately to security incidents when they do happen to mitigate harm to affected individuals and prevent future similar incidents from occurring."

State-level officials are also increasingly involved in enforcement in this area, said Vernick, and consumers may have additional legal avenues depending on state laws.

But privacy and cybersecurity advocates say the industry and the government still aren't doing enough to protect consumers.

"HIPAA required security be addressed, but it wasn't spelled out exactly how, so there was no culture of using ironclad security," said Peel. "We have systems that are engineered as though this data is not sensitive and valuable."

Health organizations sometimes rely on legacy systems, and some have not invested in cybersecurity at a rate that matches the urgency of the threats they face, Kennedy said. "The medical industry is years and years behind other industries when it comes to security."

Even before the Anthem breach, major health insurers had become aware of the rising risk of cyberattacks. Aetna and United Health Group both cited the risks of hackers and breaches in their respective 2013 financial reports.

And the industry is already taking steps to coordinate how it responds to such incidents through groups designed to share information about digital threats -- like the National Health Information Sharing and Analysis Center, or NHISAC. The organization is one of several efforts related to critical infrastructure that works with the Department of Homeland Security to share data about current threats, such as what sort of tactics are used and forensic information about attackers.

Members are able to share details about security incidents in "machine time" using an automated system, according to NHISAC executive director Deborah Kobza, and the group sends out daily threat updates. When a major cyberattack is disclosed, NHISAC erupts into a flurry of activity -- trying to find out as much as possible so its members have information that can make it easier to see if they've been the victims of a similar attack.

And 2015 has already kept NHISAC busy: "We just caught our breath from the Anthem hack, and here we go again," said Kobza about responding to the Premera breach.

Seven Tips for Avoiding HIPAA Penalties in 2015


HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue.  If the violation results from “willful neglect” the party is subject to mandatory fines of $10,000 to $50,000 per violation. 

A single data breach may result in numerous violations.  For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations.  Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices.  To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individual and HHS. 

The good news is that a covered entity may avoid HIPAA penalties if it does not act with “willful neglect” and corrects the violation within 30 days. 

Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:


1. Conduct or update your security risk assessment required by the security rules.  This is a first step in identifying and preventing potential security breaches.  In 2014, HHS made available a risk assessment tool to help providers conduct and document their own risk analysis. 


2. Implement the administrative, technical, and physical safeguards required by the HIPAA security rule.  Most physician practices have policies required by the privacy rule, but comparatively few have properly addressed the safeguards required by the security rule.  Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply a good business practice given the potentially disastrous consequences of system failures or cybercrimes.  Again, the government’s HealthIT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance. 


3. Execute business associate agreements (BAAs) with business associates.  A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA.  Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.


4. Train your employees and monitor their performance.  According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.  Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims:  An Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training.  Thus, physician groups need to ensure their training is effective.


5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.  Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations.  Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.  Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.


6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to timely report a reportable breach as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach. 


7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.



Bill That Changes HIPAA Passes House


The U.S. House of Representatives on July 10 passed a bill aimed at accelerating the advancement of medical innovation that contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.


The House approved the 21st Century Cures bill by a vote of 344 to 77. Among the 309-page bill's many provisions is a proposal that the Secretary of Health and Human Services "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under HIPAA, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed legislation is eventually signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data.


That provision - as well as many others in the bill - aims to help fuel more speedy research and development of promising medical treatments and devices.


"The act says ... if you're sharing [patient PHI] with a covered entity [or a BA], you don't necessarily need the individual's consent prior to sharing - and that's something our members have been receptive to," notes Leslie Krigstein, interim vice president of public policy at the College of Healthcare Information Management Executives, an organization that represents 1,600 CIOs and CISOs.


"The complexity of consent has been a barrier [to health information sharing] ... and the language [contained in the bill] will hopefully move the conversation forward," she says.


Some privacy advocates, however, have opposed the bill's HIPAA-altering provision.


Allowing the use of PHI by researchers without individuals' consent or knowledge only makes the privacy and security of that data less certain, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group.


"Researchers and all those that take our data magnify the risks of data breach, data theft, data sale and harms," she says. "Researchers are simply more weak links in the U.S. healthcare system which already has 100s of millions of weak links."

Changes Ahead?

If the legislation is signed into law in its current form, healthcare entities and business associates would need to change their policies related to how they handle PHI.


"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

Other Provisions

In addition to the privacy provisions, the bill also calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange.


The bill calls for HHS to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.


In addition, the bill also contains provisions for "patient empowerment," allowing individuals to have the right to "the entirety" of their health information, including data contained in an EHR, whether structured or unstructured. An example of unstructured data might include physician notes, for instance, although that is not specifically named in the legislation.


"Healthcare providers should not have the ability to deny a patient's request for access to the entirety of such health information," the bill says.


A House source tells Information Security Media Group that the Senate has been working on an "Innovation Agenda" for the past few months calling for policies similar to those contained in the 21st Century Cures bill. House leaders say it's their goal to have a bill sent to the president's desk by the end of the year, the source says.


Data breach costs on the rise, according to annual Ponemon Institute study


Given the number and severity of publicized data breaches over the past year, it should come as little surprise that the average cost of a data breach is on the rise. According to the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s edition.


While the year-over-year jump may seem small, the rise actually represents a 23 percent increase in the total cost of a data breach since 2013. The research, which included responses from personnel at 350 companies spanning 11 different countries, also found that lost business as the result of a data breach potentially has the most severe financial consequences for organizations, as these costs increased from an average of $1.33 million last year to $1.57 million in 2015. Lost business costs include abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.


Diana Kelley, executive security advisor for IBM Security, said one thing that really stood out to her was the root causes of data breaches examined in the study, the majority of which (47 percent) were found to be the result of malicious or criminal attacks. The study found that the average cost per record to resolve such an attack is $170, compared to system glitches which cost $142 per record to resolve and human error or negligence that cost $134 per record to correct.  

“That indicates something that we’ve seen in other studies that this is organized criminal activity for data breaches,” she said. “We’re moving past the random, somebody left their laptop in a car, and we’re really looking at very targeted attacks from organized criminals.”

Kevin Beaver, an IT security consultant with Atlanta-based Principle Logic LLC, said that data breaches continue to persist on such a massive scale because many companies mistakenly believe they can just buy a piece of security technology that will take care of all of their problems.


“It doesn't work that way,” he said. “Even if you have the very best of security controls you still have to have ongoing oversight and vulnerability testing because things are going to fall through the cracks.”


Another common issue, according to Beaver, is that companies simply place too much trust in employees and vendors.



“It's always best to err on the side of caution and put the proper controls in place so everyone, and especially the business, are set up for success. Another big issue I see is all the organizations, especially in the healthcare industry, that believe their high-level audits and policies are sufficient for minimizing their risks. It's not. Unless and until you test for - and resolve - the growing amount of security vulnerabilities on your network, you're a sitting duck waiting to be made to look bad,” said Beaver. “This is especially true of social engineering (i.e. phishing) testing. It's unbelievable how many people are still gullible and give up their network credentials or other sensitive info without question.”


Although data breaches that involve the theft of credit or debit card numbers seem to carry a greater amount of weight with the media and public in general, Kelley said the data shows that things such as protected health information (PHI) and other personal data are more coveted by hackers as they have a longer lifespan for resale. Kelley advises companies to identify what their “crown jewels” are from a data perspective and to conduct threat assessments and risk modeling around protecting those assets.


“I think organizations need to look at the big picture. We do see evidence of more sophisticated criminal, organized attacks. On the other hand, we can’t forget all of the good security hygiene and just try and focus on what’s the next big scary attack,” said Kelley. “We have to do a very robust, layered set of security throughout our organization to include security awareness and training and monitoring. You’re looking for anywhere in that stack where there could be an exposure or there could be a vulnerability. Companies need to not just think about the big attack, but really think about a robust security model because that is going to help prevent the smaller attacks, as well as the larger attacks.”


Perhaps one of the study’s silver linings is that the involvement of a company’s board-level managers was found to help reduce costs associated with data breaches by $5.5 per record. Insurance protection was also found to reduce cost by $4.4 per record. Despite the increased awareness and involvement by senior leadership, Kelley said companies cannot completely protect against the threats posed by hackers.


“It’s important to remember that awareness and ability to stop something aren’t necessarily always aligned. If we look in the real world, we’re all very aware and highly concerned about something like cancer, but preventing it is very, very difficult,” said Kelley. “We can have the C-suite be very aware of security, but still some companies are at different levels of maturity. Attackers, they are, again, organized and sophisticated, so the level of prevention and controls you need in place to stop the attacks is very high. The fact that we still have attacks going on doesn’t mean companies aren’t putting security controls into place.”   


However, Beaver adds that while some executives may say and do all of the right things in public when it comes to their data protection efforts, the reality is some of them are just paying lip service to the issue.



“It's all about policies and related security theater to appease those not savvy enough - or politically powerful enough - to look deeper or question things further,” said Beaver.  


Conversely, Beaver said that there are a lot of companies who are taking the right approach to cybersecurity, which involves recognition by senior management of the seriousness of the issue.


“I see many organizations doing security well,” he added. “The key characteristics of well-run security are: executive acknowledgement of the challenges, ongoing financial and political support for IT and security teams, periodic and consistent security testing, and the willingness to make changes where changes need to be made - even if it's not politically favorable.”


Another bright spot in the study was that it found a correlation between organizational preparedness and reduced financial impact of a data breach. Companies that employed some level of business continuity management (BCM) within their organization were able to reduce their costs by an average of $7.1 per compromised record.


“Companies that brought in an incident response team or had an incident response program in place were able to save $12.60 per record,” added Kelley. “The biggest takeaway is to get some kind of plan in place. Have business continuity, have an incident response plan in place and be continually detecting and monitoring activity on the network so that if a breach is occurring, you can either see the very beginning of it or you can see one in process and respond as quickly as possible to reduce the impact to the business.”


Beacon Health Is Latest Hacker Victim


Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.


South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.


The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.


Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.
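The two-factor recommendation above rests on a simple property: a password captured by a phishing page is useless on its own if the login also requires a one-time code the attacker does not hold. As an added illustration that is not part of the original article or any product named in it, the Python below implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and a login check that requires both a PBKDF2-hashed password and a current code. The step size, digit count, skew window, PBKDF2 parameters and the demo secret (the RFC test vector) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters (not from the article): 30-second steps, 6-digit codes,
# one step of clock skew tolerated, PBKDF2-SHA256 for the password factor.
STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift).
    Reject anything that is not an ASCII digit string before comparing."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def make_user(password: str, totp_secret: bytes) -> dict:
    """Store the password as a salted PBKDF2 hash plus the per-user TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Succeed only when the password AND a valid current code are both presented.
    Both factors are always evaluated, so the response does not reveal which
    factor failed and a stolen password alone never gets past this check."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226/6238 test secret and a sample time.
    secret = b"12345678901234567890"
    alice = make_user("correct horse battery staple", secret)
    now = 59
    print("password + current code:", login(alice, "correct horse battery staple", totp(secret, now), now))
    print("phished password only  :", login(alice, "correct horse battery staple", "000000", now))
```

The secret used in the demo is the published RFC test vector, so the codes it produces can be checked against the RFCs; a real deployment generates a random per-user secret and delivers it to the authenticator out of band.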

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.


"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."


The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.


The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.


The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.


In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.


"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principal consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights' "wall of shame" of health data breaches affecting 500 or more individuals.


OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:


  • An attack on Anthem Inc., which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.


But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.


"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.


"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."


When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."
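Fricke's point is that a logon with a legitimate account produces a "success" event that looks like every other success, so detection has to come from context rather than from the event itself. As an added example that is not part of the original article, the Python below runs two simple checks over a constructed mailbox-logon audit log: successful logons from outside the organization's trusted address ranges, and one external address logging into several distinct accounts within a short window, which is what a batch of phished credentials being used tends to look like. The log format, the trusted network range and the thresholds are assumptions for the example, not any real product's format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mailbox logon audit events (hypothetical format:
# timestamp, user, source IP, result). Not from any real product or incident.
SAMPLE_LOG = """\
2015-01-20T08:01:10Z jdoe 10.20.4.17 success
2015-01-20T08:05:42Z asmith 10.20.4.55 success
2015-01-21T09:12:03Z jdoe 10.20.4.17 success
2015-01-22T07:58:30Z asmith 10.20.4.55 success
2015-01-26T02:14:55Z jdoe 198.51.100.23 success
2015-01-26T02:15:20Z asmith 198.51.100.23 success
2015-01-26T02:16:02Z bwong 198.51.100.23 failure
2015-01-26T02:16:40Z bwong 198.51.100.23 success
"""

# Assumed internal address space; anything outside it is "external".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(text: str) -> list:
    """Turn the whitespace-separated log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return events


def is_trusted(ip, trusted=TRUSTED_NETWORKS) -> bool:
    return any(ip in net for net in trusted)


def external_successes(events: list, trusted=TRUSTED_NETWORKS) -> list:
    """Check 1: successful logons whose source is outside the trusted ranges."""
    return [e for e in events
            if e["result"] == "success" and not is_trusted(e["ip"], trusted)]


def shared_source_accounts(events: list, window_minutes: int = 10,
                           min_accounts: int = 3, trusted=TRUSTED_NETWORKS) -> dict:
    """Check 2: one external source succeeding against >= min_accounts distinct
    accounts inside a sliding window. Returns {ip: set_of_users} for each hit."""
    by_ip = defaultdict(list)
    for e in external_successes(events, trusted):
        by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(users) >= min_accounts:
                findings[str(ip)] = users
                break
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in external_successes(events):
        print(f"external logon: {e['user']} from {e['ip']} at {e['time']:%Y-%m-%d %H:%M}")
    for ip, users in shared_source_accounts(events).items():
        print(f"one source, many accounts: {ip} -> {sorted(users)}")
```

The failed attempt by bwong is deliberately ignored by the second check: the signal being sought is several accounts that actually opened from one unfamiliar address, which a single failure does not contribute to. In practice the trusted ranges would come from the organization's VPN and office allocations, and a per-user history of previously seen addresses gives a better baseline than a fixed network list.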

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worst results for patients and the organization."


However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.


"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.


HIPAA guidance for small to mid-size medical practices


For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry. As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.


Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans.


The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.


The good news? Most of the time what catches the attention of the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services are things that should be common sense. Was the OCR trying to send a message by fining an independent Arizona cardiac practice $100,000 for a HIPAA violation in 2012? You bet. But the practice placed sensitive patient information, including names and medical procedures, on an online scheduling system that was accessible by anyone who was adept at guessing passwords.

It’s been 10 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.


Here are some other common-sense tips for keeping your practice on the right side of the law:


  • Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.
  • Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs -- and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.
  • Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.
  • Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? For example, maybe a staffer has some personal grudge against one of your patients (an ex-boyfriend, perhaps) and posts something embarrassing about the patient on Facebook. You should prepare a specific response for scenarios like these because they do happen.
  • Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.
  • Hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help.


The Privacy Rule notwithstanding, HIPAA continues to be mostly a common-sense law. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices. But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan.


Health system sees 7th HIPAA data breach


How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinical data were compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in less than five years.

It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password.

"St. Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter.

According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patient letters to the wrong patients.
 
The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients. 



Why Understanding HIPAA Rules Will Help With ONC Certification


Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.


Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.


ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.


The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”


One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.


“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”


Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations purposes, he added.


“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”


That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.


However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.


“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”



TigerText bringing HIPAA compliant messaging to Apple Watch


TigerText announced this week that it's bringing its HIPAA-compliant messaging platform to the Apple Watch.


TigerText is a secure enterprise text messaging platform that meets HIPAA requirements for electronic communication. In his review of TigerText, Dr. Eli Sprecher described how the app is used at Boston Children’s Hospital. The app can be used to communicate protected patient health information, send media such as pictures and video, or send group texts. And everyone on the care team can use it – physicians, nurses, social workers, case managers, patient advocates, and so on.


According to TigerText, the Apple Watch app will give users the ability to read as well as dictate messages. Specifically, the app will include:

  • Speech-to-text: As an alternative to typing out a message, users can speak into the watch, and the TigerText app will transcribe their speech to text, helping them save time when corresponding with others.
  • Receive notifications & alerts: Automated alerts and notifications from the TigerText app can be directly received on the Apple Watch.
  • View photos: Users can quickly view photos sent via TigerText on the Apple Watch.


With the increasingly multidisciplinary nature of the care team, improved communication is critical to effective care. That’s why HIPAA-compliant messaging was included in our wishlist of apps for the Apple Watch. Doximity recently announced that they would be launching an Apple Watch app that enables secure communication among physicians as well as delivering notifications when you get a fax on your secure Doximity e-fax line.


TigerText is already a popular tool at many healthcare institutions. And the fact that it is open to any team member, not just physicians, makes it a better fit for communication within a care team at a hospital or clinic.

Given the cost of the Apple Watch, it seems unlikely that we’ll see an enterprise-level deployment within healthcare in the near future, though I wouldn’t be surprised if we see a few pilots pop up here and there. As recognized by TigerText, it’s far more likely to start out much the same way as the iPhone and iPad did – in a “bring your own device” model. And with physicians’ enthusiastic uptake of iOS devices, we’ll probably see a fair number of Apple Watches in the clinic and on the wards.



Using E-mail at Your Medical Practice: 5 Security Tips


Methods for transferring protected health information (PHI) have been broken for a long time. Even with the advent of EHRs, data exchange methods haven't kept pace with industry expectations for privacy and convenience.

It's time to retire the usual stable of secure alternatives to e-mail, like patient portals, faxes, or snail mail. They're far too burdensome for both practitioner and patient. Like it or not, e-mail is synonymous with accessibility. To deliver the best care possible, it's essential to meet patients on their terms. It's harder than ever to ignore e-mail, just as it's becoming more difficult to embrace it in good conscience.


Most e-mail security solutions focus on simple text, but the real risk comes with files and attachments. That's because sensitive data typically resides in files. Files, in turn, often get duplicated and cached on devices, making them hard to easily track or protect. So when we talk about the risks facing medical practices when it comes to communicating, it's about files—not simple text messages. The question, of course, is where all that leaves most practices.

The key lies with file encryption. Encryption essentially scrambles messages so that they're only legible by intended users. That's why encryption is so often the means through which healthcare providers guarantee HIPAA compliance. Although most secure e-mail tools focus on the body text of an e-mail, that part might not even be necessary to encrypt. After all, the real threat lies in what comes appended to the e-mail. Whether they're voice recordings, digital X-rays, intake forms, or medical bills, it's essential to encrypt the files themselves.


Seeking Solutions


Finding the right solution, though, is another story. E-mail encryption services exist for handling simple text correspondence with patients by scrambling the messages and sending them through a secure connection. But even these have risks. Many HIPAA-compliant e-mail providers are simply adding yet another system to your already disconnected work flows, rather than integrating seamlessly or solving some of the other problems you have, like storing files and auditing access. What's more, they aren't foolproof.


Here are five tips to help practices communicate with patients, other providers, and business associates while maintaining airtight security.


1. Look for file encryption. File-level encryption ensures that protections follow the file no matter where it ends up. With built-in authentication controls, file-level encryption also eliminates the threats associated with mistakenly entering the wrong e-mail address.


2. Don't forget about secure file storage. Many encrypted e-mail services that purport to comply with HIPAA destroy messages after a set period of time. The issue, of course, is that practices need to keep detailed records — and the best place for that, in my humble opinion, is the cloud. Which brings us to …


3. The best solutions will integrate seamlessly with other work flows. The cost of inconvenience is too high, because inconvenience often leads users to seek out workarounds that aren't compliant, including popular cloud services like Dropbox. So the expensive EHR system you've built or bought becomes nothing more than an obstacle for staff to work around. In some ways, the cloud presents the ideal all-in-one solution, eliminating the need for e-mail attachments by allowing you to store and share links or folders themselves. In those deployments, it's essential to ensure that your Dropbox files are encrypted and HIPAA-compliant. If you have file encryption, you can use e-mail and Dropbox the same way you would in your personal life — just more securely.


4. Many easy-to-use secure providers don't include a safety net for mistakes. We're all familiar with the horror stories and HIPAA fines that have been levied against practices that mistakenly e-mailed lab results to the wrong patient or faxed a form to the wrong number. That's why the best HIPAA-compliant sharing tools will help prevent mistakes, or recover from them, by showing just what was attached and offering the ability to revoke access from the wrong recipient. If the file itself is encrypted, access and modification can be audited even if it was mistakenly downloaded.


5. You don't need to encrypt everything. It isn't necessary — and maybe even inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to their sensitivity are ideal.


There's no shortage of options for communicating, but many secure e-mail technologies can leave much to be desired. The key in striking a balance between convenience and compliance lies in finding a solution that does the hard work of communicating securely for you. The onus should be on the technology — not the patient or your employees — to strike that balance.
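
Tips 1 and 4 above describe protections that travel with the file and can be revoked per recipient. The following Go program is an added example for this page, not the code of any vendor or service the article mentions. It assumes AES-256-GCM from Go's standard library, a 32-byte key per recipient (in practice held by a key management service, assumed here to be handed in directly), and constructed sample data. Each file is sealed under a random file key that is wrapped separately for every authorised recipient, with the file name and recipient id bound in as associated data, so a copy that lands in the wrong mailbox is unreadable without a listed recipient's key, one recipient's entry cannot be relabelled for another, and any tampering with the body is detected on open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is the envelope that travels with the attachment: body sealed under a per-file key, key wrapped per recipient.
type EncryptedFile struct {
	Name        string
	Nonce       []byte
	Ciphertext  []byte            // AES-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient id -> nonce || wrapped file key
}

const nonceSize = 12 // the standard GCM nonce size cipher.NewGCM uses

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte keys give AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad to the result.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad) // fails on any change to key, nonce, ciphertext or aad
}

// Encrypt seals plaintext under a random file key and wraps that key for each recipient (id -> 32-byte key).
func Encrypt(name string, plaintext []byte, recipientKeys map[string][]byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(fileKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Name: name, Nonce: nonce, Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for id, k := range recipientKeys {
		n, w, err := seal(k, fileKey, []byte(name+"|"+id)) // id bound in: entries cannot be relabelled
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[id] = append(n, w...)
	}
	return ef, nil
}

// Decrypt opens the file for recipient id with that recipient's key. An unlisted or
// revoked recipient, a wrong key, or a tampered envelope yields an error, never plaintext.
func (ef *EncryptedFile) Decrypt(id string, recipientKey []byte) ([]byte, error) {
	wk, ok := ef.WrappedKeys[id]
	if !ok {
		return nil, errors.New("no access: recipient not authorised for this file")
	}
	if len(wk) < nonceSize {
		return nil, errors.New("corrupt wrapped key")
	}
	fileKey, err := unseal(recipientKey, wk[:nonceSize], wk[nonceSize:], []byte(ef.Name+"|"+id))
	if err != nil {
		return nil, errors.New("no access: wrong key or tampered envelope")
	}
	return unseal(fileKey, ef.Nonce, ef.Ciphertext, []byte(ef.Name))
}

// Revoke drops a recipient's wrapped key from every copy served from a store you control.
// A copy that recipient already saved still carries their entry, so audit the download too.
func (ef *EncryptedFile) Revoke(id string) { delete(ef.WrappedKeys, id) }

func main() {
	alice, bob := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210") // constructed 32-byte keys
	ef, err := Encrypt("labs.pdf", []byte("constructed PHI: patient 0001, HbA1c 7.2"), map[string][]byte{"alice": alice, "bob": bob})
	if err != nil {
		panic(err)
	}
	pt, _ := ef.Decrypt("alice", alice)
	_, wrong := ef.Decrypt("bob", alice)
	fmt.Printf("alice reads %q; bob presenting alice's key: %v\n", pt, wrong)
}
```

The design choice worth noting is that the envelope, not the transport, carries the access control, which is what lets the same file ride over plain e-mail, a shared folder, or a cloud link. Revocation in this model only reliably affects copies fetched from a store that applies it; a recipient who already downloaded the envelope still holds their wrapped key, which is why the article pairs revocation with an audit trail of who opened what.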



EHR Compliance And HIPAA Compliance Help Your Healthcare IT Clients Understand The Difference


Your clients likely have concerns around the Health Insurance Portability and Accountability Act (HIPAA) that extend beyond the reach of your influence. Unfortunately, many may be thinking those concerns are being covered by the HIPAA compliant EHR (electronic health records) solutions you offer.


Healthcare IT News explores that topic in an article by Security Metrics security analyst, Tod Ferran. The piece is written as an advisory to healthcare entities tackling HIPAA compliance and EHR implementations, and is good insight for solutions providers looking to address the deepest needs of their clients.

“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them — it’s just not true.”


Advice To Maintain Security


Ferran makes sure to advise organizations to prioritize security, warning them that the new HIPAA Security Rule requires them to address 75 specific security controls.

He urges them to “assess their security programs as a whole” and make sure that procedures, policies, and security measures are best configured to protect patient information and shield them against potentially costly regulatory penalties. At the same time though, he acknowledges that organizations frequently do not prioritize addressing risks to electronic patient data, and stresses the importance of an approach that goes beyond “simply checking a box.”


Selling The Importance Of Risk Management


Ferran frames approaching risk management in an organization around two timelines, the reality of the present and the optimal future.

“No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”

He puts the responsibility of understanding the features of their medical devices and IT assets directly on their shoulders — a weight solutions providers could easily help them bear. Some of the areas they will need help with include:

  • intrusion prevention
  • anti-malware
  • identity management
  • integrating data loss prevention tools


Attaining True Compliance


Ferran also includes a basic roadmap for attaining HIPAA compliance, and suggests that organizations implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities. Other specific actions he suggests include:

  • designating a HIPAA compliance officer or team member
  • conducting annual HIPAA security risk analyses
  • checking organizational policies and procedures against HIPAA requirements
  • encrypting patient information using a key accessible only by authorized individuals
  • implementing workstation security

For solutions providers who do communicate regularly with their clients, this would be an article many would likely find useful, and a good way to start a conversation about current and future solutions they’re considering.



Data Breach Reporting Requirements for Medical Practices


Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way to log in to the EHR. It would be a big step forward and would eliminate most of the repeated authentication needed to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase for the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and technologies that rely on retina, iris, face, or voice recognition are readily available or being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy risks. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise-level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as reducing the technological burden on the healthcare providers who have to use this technology daily in the performance of their jobs. These competing trends become more important every day as EHR adoption becomes more ubiquitous.

