Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Emerging Health Apps Pose Major Security Risk

Posted on May 18, 2015 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As new technologies like fitness bands, telemedicine and smartphone apps have become more important to healthcare, the issue of how to protect the privacy of the data they generate has become more important, too.

After all, all of these devices use the public Internet to broadcast data, at least at some point in the transmission. Typically, telemedicine involves a direct connection via an unsecured Internet connection with a remote server (Although, they are offering doing some sort of encryption of the data that’s being sent on the unsecured connection).  If they’re being used clinically, monitoring technologies such as fitness bands use hop from the band across wireless spectrum to a smartphone, which also uses the public Internet to communicate data to clinicians. Plus, using the public internet is just the pathway that leads to a myriad of ways that hackers could get access to this health data.

My hunch is that this exposure of data to potential thieves hasn’t generated a lot of discussion because the technology isn’t mature. And what’s more, few doctors actually work with wearables data or offer telemedicine services as a routine part of their practice.

But it won’t be long before these emerging channels for tracking and caring for patients become a standard part of medical practice.  For example, the use of wearable fitness bands is exploding, and middleware like Apple’s HealthKit is increasingly making it possible to collect and mine the data that they produce. (And the fact that Apple is working with Epic on HealthKit has lured a hefty percentage of the nation’s leading hospitals to give it a try.)

Telemedicine is growing at a monster pace as well.  One study from last year by Deloitte concluded that the market for virtual consults in 2014 would hit 70 million, and that the market for overall telemedical visits could climb to 300 million over time.

Given that the data generated by these technologies is medical, private and presumably protected by HIPAA, where’s the hue and cry over protecting this form of patient data?

After all, though a patient’s HIV or mental health status won’t be revealed by a health band’s activity status, telemedicine consults certainly can betray those concerns. And while a telemedicine consult won’t provide data on a patient’s current cardiovascular health, wearables can, and that data that might be of interest to payers or even life insurers.

I admit that when the data being broadcast isn’t clear text summaries of a patient’s condition, possibly with their personal identity, credit card and health plan information, it doesn’t seem as likely that patients’ well-being can be compromised by medical data theft.

But all you have to do is look at human nature to see the flaw in this logic. I’d argue that if medical information can be intercepted and stolen, someone can find a way to make money at it. It’d be a good idea to prepare for this eventuality before a patient’s privacy is betrayed.

An Important Look at HIPAA Policies For BYOD

Posted on May 11, 2015 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Today I stumbled across an article which I thought readers of this blog would find noteworthy. In the article, Art Gross, president and CEO at HIPAA Secure Now!, made an important point about BYOD policies. He notes that while much of today’s corporate computing is done on mobile devices such as smartphones, laptops and tablets — most of which access their enterprise’s e-mail, network and data — HIPAA offers no advice as to how to bring those devices into compliance.

Given that most of the spectacular HIPAA breaches in recent years have arisen from the theft of laptops, and are likely proceed to theft of tablet and smartphone data, it seems strange that HHS has done nothing to update the rule to address increasing use of mobiles since it was drafted in 2003.  As Gross rightly asks, “If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting how do organizations know what is required to protect these devices?”

Well, Gross’ peers have given the issue some thought, and here’s some suggestions from law firm DLA Piper on how to dissect the issues involved. BYOD challenges under HIPAA, notes author Peter McLaughlin, include:

*  Control:  To maintain protection of PHI, providers need to control many layers of computing technology, including network configuration, operating systems, device security and transmissions outside the firewall. McLaughlin notes that Android OS-based devices pose a particular challenge, as the system is often modified to meet hardware needs. And in both iOS and Android environments, IT administrators must also manage users’ tendency to connected to their preferred cloud and download their own apps. Otherwise, a large volume of protected health data can end up outside the firewall.

Compliance:  Healthcare organizations and their business associates must take care to meet HIPAA mandates regardless of the technology they  use.  But securing even basic information, much less regulated data, can be far more difficult than when the company creates restrictive rules for its own devices.

Privacy:  When enterprises let employees use their own device to do company business, it’s highly likely that the employee will feel entitled to use the device as they see fit. However, in reality, McLaughlin suggests, employees don’t really have full, private control of their devices, in part because the company policy usually requires a remote wipe of all data when the device gets lost. Also, employees might find that their device’s data becomes discoverable if the data involved is relevant to litigation.

So, readers, tell us how you’re walking the tightrope between giving employees who BYOD some autonomy, and protecting private, HIPAA-protected information.  Are you comfortable with the policies you have in place?

Full Disclosure: HIPAA Secure Now! is an advertiser on this website.

Government Surveillance and Privacy of Personal Data

Posted on April 6, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Dr. Deborah Peel from Patient Privacy Rights always keeps me updated on some of the latest news coverage around privacy and government surveillance. Obviously, it’s a big challenge in healthcare and she’s the leading advocate for patient privacy.

Today she sent me a link to this John Oliver interview with Snowden. The video is pretty NSFW with quite a bit of vulgarity in it (It’s John Oliver on HBO, so you’ve been warned). However, much like Stephen Colbert and John Stewart, they talk about some really important topics in a funny way. Plus, the part where he’s waiting to see if Snowden is going to actually show for the interview is hilarious.

The humor aside, about 10 minutes in John Oliver makes this incredibly insightful observation:

There are no easy answers here. We all naturally want perfect privacy and perfect safety, but those two things cannot coexist.

Either you have to lose one of them or you have to accept some reasonable restrictions on both of them.

This is the challenge of privacy and security. There are risks to having data available electronically and flowing between healthcare providers. However, there are benefits as well.

I’ve found the right approach is to keenly focused on the benefits you want to achieve in using technology in your organization. Then, after you’ve focused the technology on the benefits, work through all of the risks you face. Once you have that list of risks, you work to mitigate those risks as much as possible.

As my hacker friend said, “You’ll never be 100% secure. Someone can always get in if they’re motivated enough. However, you can make it hard enough for them to breach that they’ll go somewhere else.”

Human Error Healthcare Data Breach Infographic

Posted on March 26, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

You all know I’m a sucker for an infographic and this one illustrates a topic we’ve known for a long time: humans are one of the biggest breach challenges. All the encryption and firewalls in the world can’t solve for a human who already has access. This infographic really illustrates that point well.

Human Error and Healthcare Data Breaches
Infographic based on ICO FOI request data by Egress Software Technologies, providers of email security as well as large file transfer and encryption software.

There’s More to HIPAA Compliance Than Encryption

Posted on March 24, 2015 I Written By

The following is a guest blog post by Asaf Cidon, CEO and Co-Founder of Sookasa.
Asaf Cidon
The news that home care provider Amedisys had a HIPAA breach involving more than 100 lost laptops—even though they contained encrypted PHI—might have served as a wake-up call to many healthcare providers.  Most know by now that they need to encrypt their files to comply with HIPAA and prevent a breach. While it’s heartening to see increased focus on encryption, it’s not enough to simply encrypt data. To ensure compliance and real security, it’s critical to also manage and monitor access to protected health information.

Here’s what you should look for from any cloud-based solution to help you remain compliant.

  1. Centralized, administrative dashboard: The underlying goal of HIPAA compliance is to ensure that ­­organizations have meaningful control over their sensitive information. In that sense, a centralized dashboard is essential to provide a way for the practice to get a lens into the activities of the entire organization. HIPAA also stipulates that providers be able to get Emergency Access to necessary electronic protected health information in urgent situations, and a centralized, administrative dashboard that’s available on the web can provide just that.
  1. Audit trails: A healthcare organization should be able to track every encrypted file across the entire organization. That means logging every modification, copy, access, or share operation made to encrypted files—and associating each with a particular user.
  1. Integrity control: HIPAA rules mandate that providers be able to ensure that ePHI security hasn’t been compromised. Often, that’s an element of the audit trails. But it also means that providers should be able to preserve a complete history of confidential files to help track and recover any changes made to those files over time. This is where encryption can play a helpful role too: Encryption can render it impossible to modify files without access to the private encryption keys.
  1. Device loss / theft protection: The Amedisys situation illustrates the real risk posed by lost and stolen devices. Amedisys took the important first step of encrypting sensitive files. But it isn’t the only one to take. When a device is lost or stolen, it might seem like there’s little to be done. But steps can and should be taken to decrease the impact a breach in progress. Certain cloud security solutions provide a device block feature, which administrators can use to remotely wipe the keys associated with certain devices and users so that the sensitive information can no longer be accessed. Automatic logoff also helps, because terminating a session after a period of inactivity can help prevent unauthorized access.
  1. Employee termination help: Procedures should be implemented to prevent terminated employees from accessing ePHI. But the ability to physically block a user from accessing information takes it a step further. Technical tools such as a button that revokes or changes access permission in real-time can make a big impact.

Of course encryption is still fundamental to HIPAA compliance. In fact, it should be at the center of any sound security policy—but it’s not the only step to be taken. The right solution for your practice will integrate each of these security measures to help ensure HIPAA compliance—and overall cyber security.

About Asaf Cidon
Asaf Cidon is CEO and co-founder of cloud security company Sookasa, which encrypts, audits and controls access to files on Dropbox and connected devices, and complies with HIPAA and other regulations. Cidon holds a Ph.D. from Stanford University, where he specialized in mobile and cloud computing.

The Future Of…Healthcare Security

Posted on March 13, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the #HIMSS15 Blog Carnival which explores “The Future of…” across 5 different healthcare IT topics.

Security is on the top of mind of most healthcare boards. I think the instruction from these boards to CIOs is simple: Keep Us Out of the News!

That’s an order that’s much easier said than done. If Google and Anthem can’t stay out of the news because of a breach, then a hospital or doctor’s office is fighting an uphill battle. Still don’t believe me, check out this visualization of internet attacks. It’s pretty scary stuff.

The reality is that you don’t really win a security battle. You can just defend against attacks as well as possible with the limited resources you have available. What is clear is that while still limited, healthcare will be investing more resources in security and privacy than they’ve ever done before.

The future of effective security in healthcare is going to be organizations who bake security into everything they do. Instead of hiring a chief security officer that worries about and advocates for security, we need a culture of security in healthcare organizations. This starts at the top where the leader is always asking about how we’re addressing security. That leadership will then trickle down into the culture of a company.

Let’s also be clear that security doesn’t have to be at odds with innovation and technology. In fact, technology can take our approach to security and privacy to the next level. Tell me how you knew who read the chart in a paper chart world? Oh yes, that sign out sheet that people always forgot to sign. Oh wait, the fingerprints on the chart were checked. It’s almost ludicrous to think about. Let’s be real. In the paper chart world we put in processes to try to avoid the wrong people getting their hands on the chart, but we really had no idea who saw it. The opposite is true in an EHR world. We know exactly who saw what and who changed what and when and where (Note: Some EHR are better than others at this, but a few lawsuits will get them all up to par on it).

The reality is that technology can take security and privacy to another level that we could have never dreamed. We can implement granular access controls that are hard and fast and monitored and audited. That’s a powerful part of the future of security and privacy in healthcare. Remember that many of the healthcare breaches come from people who have a username and password and not from some outside hacker.

A culture of security and privacy embraces the ability to track when and what happens to every piece of PHI in their organization. Plus, this culture has to be built into the procurement process, the implementation process, the training process, etc. Gone are the days of the chief security officer scapegoat. Technology is going to show very clearly who is responsible.

While I’ve described a rosy future built around a culture of privacy and security, I’m not naive. The future of healthcare security also includes a large number of organizations who continue to live a security life of “ignorance is bliss.” These people will pay lip service to privacy and security, but won’t actually address the culture change that’s needed to address privacy and security. They’ll continue the “Just Enough Culture of HIPAA Compliance.”

In the future we’ll have to be careful to not include one organization’s ignorance in a broad description of healthcare in general. A great example of this can be learned from the Sutter Health breach. In this incident, Sutter Health CPMC found the breach during a proactive audit of their EHR. Here’s the lesson learned from that breach:

The other lesson we need to take from this HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture and privacy and security. Part of that culture is that they’re going to sometimes catch bad actors which they need to correct.

Healthcare IT software like EHRs have a great ability to track everything that’s done and they’re only going to get better at doing it. That’s a good thing and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like CPMC for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health who take a proactive approach to the security and privacy of healthcare information.

In fact the title of the blog post linked above is a warning for the future of healthcare IT: “Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?”

Security and privacy will be part of the fabric of everything we do in healthcare IT. We can’t ignore them. In order for patients to trust these healthcare apps, security will have to be a feature. Those in healthcare IT that don’t include security as a feature will be on shaky ground.

Are Legacy EHR Sytems the HIPAA Ticking Time Bomb?

Posted on February 20, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Healthcare IT and EHR security is a really important topic right now. Many organizations have started to spend time and resources on this problem after a series of healthcare and non-healthcare breaches. The Anthem breach being the most recent. Overall, this is a great thing for the industry since I think there’s more that could be done in every organization to shore up the privacy and security of patient health data.

In a recent conversation I had with Mike Semel, we talked about some of the challenges associated with legacy EHR and Healthcare IT systems in offices. Our conversation prompted to me to ask the question of whether these legacy EHR systems are the ticking time bombs of many healthcare organizations.

Think about what happens to many of these legacy EHR systems. They get put in some back office or under someone’s desk or in some nondescript closet where they’re largely forgotten. In many cases there are only 1-2 people who regularly use them and in many cases the word “regularly” equates to accessing it a few times a month. These few people are usually not technically savvy and know very little about IT security and privacy.

Do I need to ask the question about how good the security is on a system for which most people have forgotten?

These forgotten systems often don’t get any software updates to the application or the operating system. The former is an issue, but the later is a major problem. Remember that when updates to an operating system are issued, it’s essentially blasted out to the public that there are issues that a hacker can exploit. If you’re not updating the O/S, then these systems make for easy pickings for hackers.

Forget about great audit log tracking and other more advanced security on these legacy systems. In most cases, organizations are just trying to limp them along until they can decommission them and put them out to pasture. It makes for one massive security hole for most organizations.

Of course, this doesn’t even take into the account the fear that many organizations have that these systems will just give up the ghost and stop working all together. There’s nothing quite like security on a Windows 2000 Server box sitting under someone’s desk just waiting for it to die. Hopefully those hard drives and other mechanical elements don’t stop before the data’s end of life requirements.

These legacy systems aren’t pretty and likely present a massive HIPAA privacy and security hole in many organizations. If you don’t have a good handle on your legacy systems, now might be a good time to take a look. Better to do it now than to deal with it after a HIPAA breach or HIPAA audit.

HIPAA Compliance and Windows Server 2003

Posted on February 12, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Last year, Microsoft stopped updating Windows XP and so we wrote about how Windows XP would no longer be HIPAA compliant. If you’re still using Windows XP to access PHI, you’re a braver person that I. That’s just asking for a HIPAA violation.

It turns out that Windows Server 2003 is 5 months away from Microsoft stopping to update it as well. This could be an issue for many practices who have a local EHR install on Windows Server 2003. I’d be surprised if an EHR vendor or practice management vendor was running a SaaS EHR on Windows Server 2003 still, but I guess it’s possible.

However, Microsoft just recently announced another critical vulnerability in Windows Server 2003 that uses active directory. Here are the details:

Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

There are a lot more technical details at the link above. However, I find it really interesting that Microsoft has chosen not to fix this issue in Windows Server 2003. The article above says “This Windows vulnerability isn’t as simple as most to fix because it affects the design of core Windows functions rather than implementations of that design.” I assume this is why they’re not planning to do an update.

This lack of an update to a critical vulnerability has me asking if that means that Windows Server 2003 is not HIPAA compliant anymore. I think the answer is yes. Unsupported systems or systems with known vulnerabilities are an issue under HIPAA as I understand it. Hard to say how many healthcare organizations are still using Windows Server 2003, but this vulnerability should give them a good reason to upgrade ASAP.

Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Posted on February 5, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Sutter Health’s California Pacific Medical Center (CPMC) recently announced an employee accessing patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating breach of HIPAA. In fact, it starts with the question of whether we should call this a breach. In the HIPAA sense, it’s a breach of HIPAA. In the IT systems security sense, I could see how people wouldn’t consider it a breach since the person didn’t visit anything he wasn’t authorized by the IT system to see. Semantics aside, this is a HIPAA issue and is likely happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The shear number of staff means that it’s very likely that some users of your IT systems are looking at patient records that don’t have a specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper. As if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we just had no way to track it. With technology we can now track every record everyone touches. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant to it.

With this in mind, I start to wonder if we won’t see some HIPAA audits for organizations that haven’t reported any violations like the ones above. Basically, the auditors would assume that if you hadn’t reported anything, then you’re probably not proactively auditing this yourself and so they’re going to come in and do it for you. Plus, if you’re not doing this, then you’re likely not doing a whole slew of other HIPAA requirements. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, then you’re probably above average in other areas of HIPAA privacy and security. Sounds reasonable to me. We’ll see if it plays out that way.

The other lesson we need to take from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture and privacy and security. Part of that culture is that they’re going to sometimes catch bad actors which they need to correct.

Healthcare IT software like EHRs have a great ability to track everything that’s done and they’re only going to get better at doing it. That’s a good thing and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health who take a proactive approach to the security and privacy of healthcare information.

Beware: Don’t Buy In to Myths about Data Security and HIPAA Compliance

Posted on January 22, 2015 I Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
Mark Fulford
Myths abound when it comes to data security and compliance. This is not surprising—HIPAA covers a lot of ground and many organizations are left to decide on their own how to best implement a compliant data security solution. A critical first step in putting a compliant data security solution in place is separating fact from fiction.  Here are four common misassumptions you’ll want to be aware of:

Myth #1: If we’ve never had a data security incident before, we must be doing OK on compliance with the HIPAA Security Rule.

It’s easy to fall into this trap. Not having had an incident is a good start, but HIPAA requires you to take a more proactive stance. Too often, no one is dedicated to monitoring electronic protected health information (ePHI) as prescribed by HIPAA. Data must be monitored—that is, someone must be actively reviewing data records and security logs to be on the lookout for suspicious activity.

Your current IT framework most likely includes a firewall and antivirus/antimalware software, and all systems have event logs. These tools collect data that too often go unchecked. Simply assigning someone to review the data you already have will greatly improve your compliance with HIPAA monitoring requirements, and more importantly, you may discover events and incidents that require your attention.

Going beyond your technology infrastructure, your facility security, hardcopy processing, workstation locations, portable media, mobile device usage and business associate agreements all need to be assessed to make sure they are compliant with HIPAA privacy and security regulations. And don’t forget about your employees. HIPAA dictates that your staff is trained (with regularly scheduled reminders) on how to handle PHI appropriately.

Myth #2: Implementing a HIPAA security compliance solution will involve a big technology spend.

This is not necessarily the case.  An organization’s investment in data security solutions can vary, widely depending on its size, budget and the nature of its transactions. The Office for Civil Rights (OCR) takes these variables into account—certainly, a private practice will have fewer resources to divert to security compliance than a major corporation. As long as you’ve justified each decision you’ve made about your own approach to compliance with each of the standards, the OCR will take your position into account if you are audited.

Most likely, you already have a number of appropriate technical security tools in place necessary to meet compliance. The added expense will more likely be associated with administering your data security compliance strategy.

Myth #3: We’ve read the HIPAA guidelines and we’ve put a compliance strategy in place. We must be OK on compliance.

Perhaps your organization is following the letter of the law. Policies and procedures are in place, and your staff is well-trained on how to handle patient data appropriately. By all appearances, you are making a good faith effort to be compliant.

But a large part of HIPAA compliance addresses how the confidentiality, integrity, and availability of ePHI is monitored in the IT department. If no one on the team has been assigned to monitor transactions and flag anomalies, all of your hard work at the front of the office could be for naught.

While a ‘check the box’ approach to HIPAA compliance might help if you get audited, unless it includes the ongoing monitoring of your system, your patient data may actually be exposed.

Myth #4: The OCR won’t waste their time auditing the ‘little guys.’ After all, doesn’t the agency have bigger fish to fry?

This is simply not true. Healthcare organizations of all sizes are eligible for an audit. Consider this cautionary tale: as a result of a reported incident, a dermatologist in Massachusetts was slapped with a $150,000 fine when an employee’s thumb drive was stolen from a car.

Fines for non-compliance can be steep, regardless of an organization’s size. If you haven’t done so already, now might be a good time to conduct a risk assessment and make appropriate adjustments. The OCR won’t grant you concessions just because you’re small, but they will take into consideration a good faith effort to comply.

Data Security and HIPAA Compliance: Make No Assumptions

As a provider, you are probably aware that the audits are starting soon, but perhaps you aren’t quite sure what that means for you. Arm yourself with facts. Consult with outside sources if necessary, but be aware that the OCR is setting the bar higher for healthcare organizations of all sizes. You might want to consider doing this, too. Your business—and your patients—are counting on it.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group.  He has over 20 years of experience in information systems management, IT auditing, and security.  Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.  He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).   LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.