Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

The “Disconnects” That Threaten The Connected World

Posted on January 11, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’m betting that most readers are intimately familiar with the connected health world. I’m also pretty confident that you’re pretty excited about its potential – after all, who wouldn’t be?  But from what I’ve seen, the health IT world has paid too little attention to problems that could arise in building out a connected health infrastructure. That’s what makes a recent blog post on connected health problems so interesting.

Phil Baumann, an RN and digital strategist at Telerx, writes that while the concept of connecting things is useful, there’s a virtually endless list of “disconnects” that could lead to problems with connected health. Some examples he cites include:

  • The disconnect between IoT hardware and software
  • The disconnect between IoT software and patches (which, he notes, might not even exist)
  • The disconnect between the Internet’s original purpose and the fast-evolving purposes created in the Connected World
  • The disconnects among communication protocols
  • The disconnect between influencers and reality (which he says is “painfully wide”)
  • The disconnects among IoT manufacturers
  • The disconnects among supply chains and vendors

According to Baumann, businesses that use IoT devices and other connected health technologies may be diving in too quickly, without taking enough time to consider the implications of their decisions. He writes:

Idea generation and deployment of IoT are tasks with enormous ethical, moral, economic, security, health and safety responsibilities. But without considering – deeply, diligently – the disconnects, then the Connected World will be nothing of the sort. It will be a nightmare without morning.

In his piece, Baumann stuck to general tech issues rather than pointing a finger at the healthcare industry specifically. But I’d argue that the points he makes are important for health IT leaders to consider.

For example, it’s interesting to think about vulnerable IoT devices posing a mission-critical security threat to healthcare organizations. To date, as Baumann rightly notes, manufacturers have often fallen way behind in issuing software updates and security patches, leaving patient data exposed. Various organizations – such as the FDA – are attempting to address medical device cybersecurity, but these issues won’t be addressed quickly.

Another item on his disconnect list – that connected health deployment goes far beyond the original design of the Internet – also strikes me as particularly worth taking to heart. While past networking innovations (say, Ethernet) have led to rapid change, the changes brought on by the IoT are sprawling and almost unmanageable under current conditions. We’re seeing chaotic rather than incremental or even disruptive change. And given that we’re dealing with patient lives, rather than, for example, sensors tracking packages, this is a potentially dangerous problem.

I’m not at all suggesting that healthcare leaders should pull the plug on connected health innovations. It seems clear that the benefits that derive from such approaches will outweigh the risks, especially over time. But it does seem like a good idea to stop and think about those risks more carefully.

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows the release of earlier final guidance on the subject released in October 2014.

While the FDA’s advice is aimed at device manufactures, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is clearly just a small step in a very long and complicated process.

Connected Wearables Pose Growing Privacy, Security Risks

Posted on December 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In the past, the healthcare industry treated wearables as irrelevant, distracting or worse. But over that last year or two, things have changed, with most health IT leaders concluding that wearables data has a place in their data strategies, at least in the aggregate.

The problem is, we’re making the transition to wearable data collection so quickly that some important privacy and security issues aren’t being addressed, according to a new report by American University and the Center for Digital Democracy. The report, Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection, concludes that the “weak and fragmented” patchwork of state and federal health privacy regulations doesn’t really address the problems created by wearables.

The researchers note that as smart watches, wearable health trackers, sensor-laden clothing and other monitoring technology get connected and sucked into the health data pool, the data is going places the users might not have expected. And they see this as a bit sinister. From the accompanying press release:

Many of these devices are already being integrated into a growing Big Data digital health and marketing ecosystem, which is focused on gathering and monetizing personal and health data in order to influence consumer behavior.”

According to the authors, it’s high time to develop a comprehensive approach to health privacy and consumer protection, given the increasing importance of Big Data and the Internet of Things. If safeguards aren’t put in place, patients could face serious privacy and security risks, including “discrimination and other harms,” according to American University professor Kathryn Montgomery.

If regulators don’t act quickly, they could miss a critical window of opportunity, she suggested. “The connected health system is still in an early, fluid stage of development,” Montgomery said in a prepared statement. “There is an urgent need to build meaningful, effective, and enforceable safeguards into its foundation.”

The researchers also offer guidance for policymakers who are ready to take up this challenge. They include creating clear, enforceable standards for both collection and use of information; formal processes for assessing the benefits and risks of data use; and stronger regulation of direct-to-consumer marketing by pharmas.

Now readers, I imagine some of you are feeling that I’m pointing all of this out to the wrong audience. And yes, there’s little doubt that the researchers are most worried about consumer marketing practices that fall far outside of your scope.

That being said, just because providers have different motives than the pharmas when they collect data – largely to better treat health problems or improve health behavior – doesn’t mean that you aren’t going to make mistakes here. If nothing else, the line between leveraging data to help people and using it to get your way is clearer in theory than in practice.

You may think that you’d never do anything unethical or violate anyone’s privacy, and maybe that’s true, but it doesn’t hurt to consider possible harms that can occur from collecting a massive pool of data. Nobody can afford to get complacent about the downside privacy and security risks involved. Plus, don’t think the nefarious and somewhat nefarious healthcare data aggregators aren’t coming after provider stored health data as well.

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Thing Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

E-Patient Update:  Is Technology Getting Ahead Of Medical Privacy?

Posted on December 9, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about y’all, but I love, love, love interacting with Google’s AI on my smartphone. It’s beyond convenient – it seems to simply read my mind and dish out exactly the content I needed.

That could have unwelcome implications, however, when you bear in mind that Google might be recording your question. Specifically, for a few years now, Google’s AI has apparently been recording users’ conversations whenever it is triggered. While Google makes no secret of the matter, and apparently provides directions on how to erase these recordings, it doesn’t affirmatively ask for your consent either — at least not in any terribly conspicuous way — though it might have buried the request in a block of legal language.

Now, everybody has a different tolerance for risk, and mine is fairly high. So unless an entity does something to suggest to me that it’s a cybercrook, I’m not likely to lose any sleep over the information it has harvested from my conversations. In my way of looking at the world, the odds that gathering such information will harm me are low, while the odds collection will help me are much greater. But I know that others feel much differently than myself.

For these reasons, I think it’s time to stop and take a look at whether we should regulate potential medical conversations with intermediaries like Google, whether or not they have a direct stake in the healthcare world. As this example illustrates, just because they’re neither providers, payers or business associates doesn’t mean they don’t manage highly sensitive healthcare information.

In thinking this over, my first reaction is to throw my hands in the air and give up. After all, how can we possibly track or regulate the flow of medical information falls outside the bounds of HIPAA or state privacy laws? How do we decide what behavior might constitute an egregious leak of medical information, and what could be seen as a mild mistake, given that the rules around provider and associate behavior may not apply? This is certainly a challenging problem.

But the more I consider these issues, the more I am convinced that we could at least develop some guidelines for handling of medical information by non-medical third parties, including what type of consumer disclosures are required when collecting data that might include healthcare information, what steps the intermediary takes to protect the data and how to opt out of data collection.

Given how complex these issues are, it’s unlikely we would succeed at regulating them effectively the first time, or even the fourth or fifth. And realistically, I doubt we can successfully apply the same standards to non-medical entities fielding health questions as we can to providers or business associates. That being said, I think we should pay more attention to such issues. They are likely to become more important, not less, as time goes by.

Quality Reporting: A Drain on Practice Resources, New Study Shows

Posted on November 17, 2016 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
If time is money, medical practices are sure losing a lot of both based on the findings in a new study published in Health Affairs. The key take-a-way, practices spend an average of 785 hours per physician and $15.4 billion per year reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By embracing technology to manage labor-intensive, error-prone and mundane tasks; practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by embracing cloud-based software solutions.
physician-and-administrator-growth-over-time
This overwhelming administrative bloat and financial burden can be addressed by implementing software tools and solutions designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting your annual risk analysis through spreadsheets and other manual methods, it is time to embrace automation and a Security Risk Analysis software solution. Designed to control costs, a cloud based Security Risk Analysis solution automates 78% of the manual labor needed to calculate risk for organizations of all size.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.

The Teeter Totter of Security and Usability – Tony Scott, US CIO at #CHIME16

Posted on November 15, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently at the CHIME Fall Forum and had the privilege of hearing a keynote presentation by Tony Scott, US Federal CIO, that was made possible by Infinite Computer Solutions. Tony Scott has a fascinating background at VM Ware, Microsoft, Disney and GM which gives him a pretty unique perspective on technology and his topic of cybersecurity.

During Tony’s keynote, he made a great plea for all of us working in healthcare IT when he said:

Cybersecurity is important and there’s something that each one of us can do about it!

When it comes to Cybersecurity I think that many people throw up their arms and think that there’s not much they can do. However, if we all do our small part in improving cybersecurity, then the aggregate result would be powerful. That’s something each of us in healthcare should take seriously as we think of how cybersecurity issues could literally impact the care patients receive going forward.

Along these same lines, Tony Scott also suggested that members of CHIME (largely healthcare CIOs) should work to share with peers. Cybersecurity is such a challenging problem, we have to share and learn from each other. I saw this happening first hand in a few of the cybersecurity sessions I attended at the conference. Healthcare CIOs were happily sharing security best practices with each other. The reality is that everyone in healthcare suffers when healthcare organizations suffer a breach and erode the confidence of patients. So, we all benefit by sharing our experience and knowledge about cybersecurity with each other.

Tony Scott also framed the cybersecurity challenge when he said, “Every time we have a breach, we could think of it as a quality issue.” No doubt this was calling back to his days at GM when quality issues were a major challenge, but what a great way to frame a breach. When there’s a breach, there’s something wrong with the quality of the product we provide our healthcare organizations and ultimately patients. With that mindset, we can go about making sure that the health IT product we provide is of the highest quality.

While I enjoyed each of these insights from Tony Scott’s keynote, I had the unique opportunity to be able to head backstage to the green room to talk privately with Tony Scott and the team from Infinite Computer Solutions that was hosting him as keynote. We had a brief but interesting discussion about his keynote and the challenges of cybersecurity in healthcare.

During our discussion, Tony Scott offered an important insight about the balance of cybersecurity and usability when he compared it to a teeter totter. Far too many organizations treat cybersecurity and usability like a teeter totter. If you make something more secure, then that makes things less usable. If you make things more usable, then they’re going to be less secure. Or at least that’s how many people look at cybersecurity.

In my discussion with Tony, he argued that we need to look at ways to raise the teeter totter up so that there’s not this give and take between security and usability. We should look for ways to make things extremely usable, but also secure. I’d suggest that this is the challenge we must face head on in healthcare over the next decade. Let’s not just settle ourselves with the teeter totter effect of security and usability, but let’s strive to raise the teeter totter up so we preserve both.

Locking Down Clinician Wi-Fi Use

Posted on November 1, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now that Wi-Fi-based Internet connections are available in most public spaces where clinician might spend time, they have many additional opportunities to address emerging care issues on the road, be they with their family in a mall or a grabbing a burger at McDonald’s.

However, notes one author, there are many situations in which clinicians who share private patient data via Wi-Fi may be violating HIPAA rules, though they may not be aware of the risks they are taking. Not only can a doctor or nurse end up exposing private health information to the public, they can open a window to their EMR, which can violate countless additional patients’ privacy. Like traditional texting, standard Wi-Fi offers hackers an unencrypted data stream, and that puts their connected mobile device at risk if they’re not careful to take other precautions like a VPN.

According to Paul Cerrato, who writes on cybersecurity for iMedicalApps, Wi-Fi networks are by their design open. If the physician can connect to the network, hostile actors could connect to the network and in turn their device, which would allow them to open files, view the files and even download information to their own device.

It’s not surprising that physicians are tempted to use open public networks to do clinical work. After all, it’s convenient for them to dash off an email message regarding, say, a patient medication issue while having a quick lunch at a coffee shop. Doing so is easy and feels natural, but if the email is unsecured, that physician risks exposing his practice to a large HIPAA-related fine, as well as having its network invaded by intruders. Not only that, any HIPAA problem that arises can blacken the reputation of a practice or hospital.

What’s more, if clinicians use an unsecured public wireless networks, their device could also acquire a malware infection which could cause harm to both the clinician and those who communicate with their device.

Ideally, it’s probably best that physicians never use public Wi-Fi networks, given their security vulnerabilities. But if using Wi-Fi makes sense, one solution proposed by Cerrato is for physicians is to access their organization’s EMR via a Citrix app which creates a secure tunnel for information sharing.

As Cerrato points out, however, smaller practices with scant IT resources may not be able to afford deploying a secure Citrix solution. In that case, HHS recommends that such practices use a VPN to encrypt sensitive information being sent or received across the Wi-Fi network.

But establishing a VPN isn’t the whole story. In addition, clinicians will want to have the data on their mobile devices encrypted, to make sure it’s not readable if their device does get hacked. This is particularly important given that some data on their mobile devices comes from mobile apps whose security may not have been vetted adequately.

Ideally, managing security for clinician devices will be integrated with a larger mobile device management strategy that also addresses BYOD, identity and access management issues. But for smaller organizations (notably small medical groups with no full-time IT manager on staff) beginning by making sure that the exchange of patient information by clinicians on Wi-Fi networks is secured is a good start.

Don’t Worry About HIPAA – When Your License Is At-Risk!

Posted on October 24, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
medical-license-revoked
Not long ago I was at an ambulance service for a HIPAA project when one of their paramedics asked what the odds were that his employer would get a HIPAA fine if he talked about one of his patients. I replied that the odds of a HIPAA penalty were very slim compared to him losing his state-issued paramedic license, that would cost him his job and his career. He could also be sued. He had never thought of these risks.

Doctors, dentists, lawyers, accountants, psychologists, nurses, EMT’s, paramedics, social workers, mental health counselors, and pharmacists, are just some of the professions that have to abide by confidentiality requirements to keep their licenses.

License and ethical requirements have required patient and client confidentiality long before HIPAA and other confidentiality laws went into effect.  HIPAA became effective in 2003, 26 years after I became a New York State certified Emergency Medical Technician (EMT). Way back in 1977, the very first EMT class I took talked about my responsibility to keep patient information confidential, or I would risk losing my certification.

While licensed professionals may not talk about an individual patient or client, weak cybersecurity controls could cause a breach of ALL of their patient and client information – instantly.
health-data-encryption
Most certified and licensed professionals will agree that they are careful not to talk about patients and clients, but how well do they secure their data? Are their laptops encrypted? Are security patches and updates current? Do they have a business-class firewall protecting their network? Do they have IT security professionals managing their technology?
psychologist-loses-license-prostitute-takes-laptop
Lawyers have been sanctioned for breaching confidentiality. Therapists have lost their licenses. In one well-publicized case a psychologist lost his license when a prostitute stole his laptop. In rare cases a confidentiality breach will result in a jail sentence, along with the loss of a license.

Cyber Security Ethics Requirements
Lawyers are bound by ethical rules that apply to confidentiality and competence. The competence requirements typically restrict lawyers from taking cases in unfamiliar areas of the law. However, The American Bar Association has published model guidance that attorneys not competent in the area of cyber security must hire professionals to help them secure their data.

The State Bar of North Dakota adopted technology amendments to its ethics rules in early 2016. The State Bar of Wisconsin has published a guide entitled Cybersecurity and SCR Rules of Professional Conduct. In 2014, The New York State Bar Association adopted Social Media Ethics Guidelines. Lawyers violating these ethical requirements can be sanctioned or disbarred.

A State Bar of Arizona ethics opinion said “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Some licensed professionals argue that their ethical and industry requirements mean they don’t have to comply with other requirements. Ethical obligations do not trump federal and state laws. Lawyers defending health care providers in malpractice cases are HIPAA Business Associates. Doctors that have to comply with HIPAA also must adhere to state data breach laws. Psychiatric counselors, substance abuse therapists, pharmacists, and HIV treatment providers have to comply with multiple federal and state confidentiality laws in addition to their license requirements.

There are some exemptions from confidentiality laws and license requirements when it comes to reporting child abuse, notifying law enforcement when a patient becomes a threat, and in some court proceedings.

While the odds of a federal penalty for a confidentiality breach are pretty slim, it is much more likely that someone will complain to your licensing board and kill your career. Don’t take the chance after all you have gone through to earn your license.

About Mike Semel
mike-semel-ambulance
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

States Strengthen Data Breach Laws & Regulations

Posted on October 18, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

If your cyber security and compliance program is focused on just one regulation, like HIPAA or banking laws, many steps you are taking are probably wrong.

Since 2015 a number of states have amended their data breach laws which can affect ALL BUSINESSES, even those out of state, that store information about their residents. The changes address issues identified in breach investigations, and public displeasure with the increasing number of data breaches that can result in identity theft.

Forty-seven states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, protect personally identifiable information, that includes a person’s name plus their Driver’s License number, Social Security Number, and the access information for bank and credit card accounts.

Many organizations mistakenly focus only on the data in their main business application, like an Electronic Health Record system or other database they use for patients or clients. They ignore the fact that e-mails, reports, letters, spreadsheets, scanned images, and other loose documents contain data that is also protected by laws and regulations. These documents can be anywhere – on servers, local PC’s, portable laptops, tablets, mobile phones, thumb drives, CDs and DVDs, or somewhere up in the Cloud.

Some businesses also mistakenly believe that moving data to the cloud means that they do not have to have a secure office network. This is a fallacy because your cloud can be accessed by hackers if they can compromise the local devices you use to get to the cloud. In most cases there is local data even though the main business applications are in the cloud. Local computers should have business-class operating systems, with encryption, endpoint protection software, current security patches and updates, and strong physical security. Local networks need business-class firewalls with active intrusion prevention.

States are strengthening their breach laws to make up for weaknesses in HIPAA and other federal regulations. Between a state and federal law, whichever requirement is better for the consumer is what those storing data on that state’s residents (including out of state companies) must follow.

Some states have added to the types of information protected by their data breach reporting laws. Many states give their residents the right to sue organizations for not providing adequate cyber security protection. Many states have instituted faster reporting requirements than federal laws, meaning that incident management plans that are based on federal requirements may mean you will miss a shorter state reporting deadline.

In 2014, California began requiring mandatory free identity theft prevention services even when harm cannot be proven. This year Connecticut adopted a similar standard. Tennessee eliminated the encryption safe harbor, meaning that the loss of encrypted data must be reported. Nebraska eliminated the encryption safe harbor if the encryption keys might have been compromised. Illinois is adding medical records to its list of protected information.

Massachusetts requires every business to implement a comprehensive data protection program including a written plan. Texas requires that all businesses that have medical information (not just health care providers and health plans) implement a staff training program.

REGULATIONS

Laws are not the only regulations that can affect businesses.

The New York State Department of Financial Services has proposed that “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” comply with new cyber security regulations. This includes banks, insurance companies, investment houses, charities, and even covers organizations like car dealers and mortgage companies who handle consumer financial information.

The new rule will require:

  • A risk analysis
  • An annual penetration test and quarterly vulnerability assessments
  • Implementation of a cyber event detection system
  • appointing a Chief Information Security Officer (and maintaining compliance responsibility if outsourcing the function)
  • System logging and event management
  • A comprehensive security program including policies, procedures, and evidence of compliance

Any organization connected to the Texas Department of Health & Human Services must agree to its Data Use Agreement, which requires that a suspected breach of some of its information be reported within ONE HOUR of discovery.

MEDICAL RECORDS

People often assume that their medical records are protected by HIPAA wherever they are, and are surprised to find out this is not the case. HIPAA only covers organizations that bill electronically for health care services, validate coverage, or act as health plans (which also includes companies that self-fund their health plans).

  • Doctors that only accept cash do not have to comply with HIPAA.
  • Companies like fitness centers and massage therapists collect your medical information but are not covered by HIPAA because they do not bill health plans.
  • Health information in employment records are exempt from HIPAA, like letters from doctors excusing an employee after an injury or illness.
  • Workers Compensation records are exempt from HIPAA.

Some states protect medical information with every entity that may store it. This means that every business must protect medical information it stores, and must report it if it is lost, stolen, or accessed by an unauthorized person.

  • Arkansas
  • California
  • Connecticut
  • Florida
  • Illinois (beginning January 1, 2017)
  • Massachusetts
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Puerto Rico
  • Rhode Island
  • Texas
  • Virginia
  • Wyoming

Most organizations are not aware that they are governed by so many laws and regulations. They don’t realize that information about their employees and other workforce members are covered. Charities don’t realize the risks they have protecting donor information, or the impact on donations a breach can cause when it becomes public.

We have worked with many healthcare and financial organizations, as well as charities and general businesses, to build cyber security programs that comply with federal and state laws, industry regulations, contractual obligations, and insurance policy requirements. We have been certified in our compliance with the federal NIST Cyber Security Framework (CSF) and have helped others adopt this security framework, that is gaining rapid acceptance.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.