Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Are You HIPAA Secure?

Posted on October 14, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently asked to provide some tips on health IT and data security for a healthcare lawyer’s website. You can see the final blog post here, but I thought I’d share the 3 suggestions and tips I sent to them.

1. Encrypt all of your computers that store PHI (Protected Health Information) – If your hard drive is lost or stolen and it’s not encrypted, you’ll pay the price big time. However, if it’s encrypted you won’t have to worry nearly as much.

2. Avoid Sending SMS Messages with PHI – SMS is not HIPAA secure and there are plenty of high quality secure, HIPAA compliant text message options out there. Find one you like and use it. While being secure it also has other features like the ability to see if the recipient has read the message or not.

3. Do a HIPAA Risk Assessment – Not only is this required by HIPAA and meaningful use, it’s a good thing to do for your patients. Don’t fake your way through the assessment. Really dig into the privacy and security risks of your organization and make reasonable choices to make sure that you’re protecting your health data.

No doubt there’s a lot more that could be said about this topic, but I think these three areas are a good place to start. A huge portion of the HIPAA breaches that have occurred could have been prevented by doing these three things.

If you have other suggestions for people, I’d love to hear them in the comments. I’m sure there are some more obvious ones that I’ve missed.

Confusing HIPAA Compliance With Security

Posted on October 2, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Most people  who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is not only lagging behind other industries in terms of its hardware and software infrastructure, but the extent to which its executives give a care as to how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focused senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.

How Secure Are Wearables?

Posted on October 1, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

JaneenB asks a really fantastic question in this tweet. Making sure that wearables are secure is going to be a really hot topic. Yesterday, I was talking with Mac McMillan from Cynergistek and he suggested that the FDA was ready to make medical device security a priority. I’ll be interested to see what the FDA does to try and regulate security in medical devices, but you can see why this is an important thing. Mac also commented that while it’s incredibly damaging for someone to hack a pacemaker like the one Vice President Cheney had (has?), the bigger threat is the 300 pumps that are installed in a hospital. If one of them can be hacked, they all can be hacked and the process for updating them is not simple.

Of course, Mac was talking about medical device security from more of an enterprise perspective. Now, let’s think about this across millions of wearable devices that are used by consumers. Plus, many of these consumer wearable devices don’t require FDA clearance and so the FDA won’t be able to impose more security restrictions on them.

I’m not really sure the answer to this problem of wearable security. Although, I think two steps in the right direction could be for health wearable companies to first build a culture of security into their company and their product. This will add a little bit of expense on the front end, but it will more than pay off on the back end when they avoid security issues which could literally leave the company in financial ruins. Second, we could use some organization to take on the effort of reporting on the security (or lack thereof) of these devices. I’m not sure if this is a consumer reports type organization or a media company. However, I think the idea of someone holding organizations accountable is important.

We’re definitely heading towards a world of many connected devices. I don’t think we have a clear picture of what this means from a security perspective.

What’s the Black Market Value of a Health Record?

Posted on September 22, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Somewhere in the past, an article put the value of a health record at $50. I’m really not sure who or what wrote the original article or set the price at $50, but that value has been perpetuated in article after article on the internet. Yes, that’s one of the features of the internet. It perpetuates misinformation (kind of like an EMR).

When people make the claim that a compromised health record is worth $50, they usually then say that it’s more valuable than a credit card which is only worth $5 (probably something else that’s debatable). When I hear this, I’ve always wondered how they got the $50 price tag. The reality is that the value of a health record is only what someone is willing to pay. You can say something has a certain value, but without a market to validate that people will consistently pay that price, then does it really have that value?

I’ve always wanted to dig into the black market of health records to try and validate the $50 price tag that everyone likes to claim for health records. However, there are some obvious reasons why I don’t want to dig around in the black market of health records. So, I’ve avoided touching that story.

The good news is that HIStalk discovered a great story by Krebs on Security that puts a value on the health record. Here’s an excerpt from the story:

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

When you read the rest of the article, it’s amazing the sophisticated methods they’re using to sale, pay for and distribute these records. Reminds me of how many incredible things society could create if these smart people turned their efforts to good instead of bad, but I digress.

I love the last line of the article, “Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.”

Like most markets, prices fluctuate based on supply and demand. So, I’m sure we could find various prices for health records. However, I hope we can do away with the blanket statement that health records are worth $50 and worth more than credit cards. Articles like this illustrate why I’m not sure that’s the case.

5 Elements of an Effective HIPAA Audit Program Infographic

Posted on September 18, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This week is National Health IT Week (#NHITWeek), but I think it might be better to call it National Health IT Infographic week. I’m not complaining. I love a good infographic. For example, I posted the Rise of the Digital Patient Infographic and the Healthcare IT Leadership Infographic – A 25 Year History already this week. I figured I might as well round out the week and post an infographic on EMR and HIPAA as well. Coalfire sent me the following infographic looking at HIPAA audits. I don’t think most people realize the HIPAA audits that are coming. HIPAA audits have had a slow start, but I think the momentum is growing. If you’re an organization that ever touches healthcare data, you better be ready. Enjoy the HIPAA audit infographic below.
5 Elements of an Effective HIPAA Audit Program

The Just Enough Culture of HIPAA Compliance

Posted on September 10, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Today I was lucky to finally have a long lunch with Mike Semel from Semel Consulting. Ironically, Mike has a home in Las Vegas, but with all of his travel, we’d never had a chance to meet until today. However, we’ve exchanged a lot of emails over the years as he regularly responds to my blog posts. As Mike told me, “It feels like I’ve known you for a long time.” That’s the power of social media in action.

At lunch we covered a lot of ground. Mostly related to HIPAA security and compliance. As I try to process everything we discussed, the thing that stands out most to me is the just enough culture of HIPAA compliance that exists in healthcare. I’ve seen this over and over again and many of the stories Mike shared with me confirm this as well. Many healthcare organizations are doing just enough to get by when it comes to HIPAA compliance.

You might frame this as the “ignorance is bliss” mentality. In fact, I’m not sure if it’s even fair to say that healthcare organizations are doing just enough to comply with HIPAA. Most healthcare organizations are doing just enough to make their conscience feel good about their HIPAA compliance. People like to talk about Steve Jobs “reality distortion field” where he would distort reality in order to accomplish something. I think many in healthcare try and distort the realities of HIPAA compliance so they can sleep good at night and not worry about the consequences that could come upon them.

Ever since HIPAA ombnibus, business associates have to be HIPAA compliant as well. Unfortunately, many of these business associates have their own “reality distortion field” where they tell themselves that their organization doesn’t have to be HIPAA compliant. I don’t see this ending well for many business associates who have a breach.

The solution is not that difficult, but does take some effort and commitment on the part of the organization. The key question shouldn’t be if you’re HIPAA compliant or not. Instead you should focus on creating a culture of security and privacy. Once you do that, the compliance part is so much easier. Those organizations that continue this “just enough” culture of HIPAA compliance are walking a very thin rope. Don’t be surprised when it snaps.

Proving HIPAA Compliance

Posted on September 9, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Given the name of this blog, I get a lot of people asking me about HIPAA compliance. Many of them that are new to the industry are looking for some sort of regulating or certifying body that they can go to in order to be HIPAA compliant.

Unfortunately, there is no body that can audit you and basically certify that you’re HIPAA compliant. HIPAA is basically a self certification, so you can just claim “compliance.” However, if a real audit happens, you better make sure your ducks are all in a row and that you are actually complying. While there is no body that certifies HIPAA compliance, there are pretty specific guidelines on what you need to do to be HIPAA compliant.

When companies and organizations ask me what they need to do to be HIPAA compliant, I usually suggest they start with these HIPAA trainings from one of my partner companies, 4MedApproved: http://bit.ly/191zR9N (20% discount if you use the code healthcare20 since I’m a partner). The HIPAA compliance officer training will teach you what you need to do and it includes HIPAA documentation templates you can use along with business associate agreement forms. Then, the HIPAA workforce trainings are good to train the rest of your staff. With this training and documentation, you’ll feel much more comfortable saying you’re HIPAA compliant and having something to show for it. You’ll also learn what other places you might be lacking when it comes to HIPAA compliance.

I had someone on a LinkedIn discussion about a breach suggest that organization should regularly train their staff on HIPAA. Turns out that doing so isn’t just a good idea, but is also a HIPAA requirement. Having some sort of proven HIPAA training that you’ve completed is one step in the right direction of proving your HIPAA compliance.

The other major step an organization should take is doing a full HIPAA risk assessment. Many organizations are doing this since they’ve had to in order to get meaningful use money. However, even those organization who aren’t asking for the EHR incentive handout are still required to do a HIPAA risk assessment.

What are you doing in your organization or company to prove HIPAA compliance?

OCR Fines Are the Least of Your Worries in a HIPAA Related Breach

Posted on August 27, 2014 I Written By

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Art Gross Headshot
Ask any medical professional about their biggest concern for protecting patient information and they will probably tell you about the threat of a random audit conducted by the Office of Civil Rights (OCR). OCR is tasked with enforcing HIPAA regulations and has the ability to hand out fines up to $1.5 million per violation for a HIPAA breach and failing to comply with HIPAA regulations.

With recent fines of $4.8 million handed out to New York and Presbyterian Hospital and $1.7 million fine to Concentra Health Services, physicians have good reason to worry.  These massive fines were levied not as the result of a random audit, but for the mandatory reporting of patient data breaches to the Department of Health and Human Services (HHS), and the investigation that followed.  So physicians need to reconsider where their real concerns should lie.

Ponemon Study

The 2013 Cost of a Data Breach Study by the Ponemon Institute calculated lost or stolen patient records at $233 per record. Let’s take a look at how quickly the cost of a HIPAA breach can add up:

# of Records Breached Cost
1 $233
10 $2,330
100 $23,300
1,000 $233,000
10,000

100,000

$2,330,000

$23,330,000

The cost of the recent Community Health Systems 4.5 million patient records breach could cost more than $1 billion!

Whether a medical provider loses 1,000 or 10,000 patient records the financial impact could easily set back the organization or even put it out of business.  But the “hidden cost” of a HIPAA breach that shouldn’t be overlooked is the damage to the provider’s reputation, lost trust from patients and the resulting sharp decline in revenues.

Lost patient records sparks negative publicity.  Take Phoenix Cardiac Surgery (PCS) for example. The Arizona medical practice with five physicians got slapped with a $100,000 fine for a HIPAA breach in 2012. A current search on Google returns the practice’s website plus 28 links to negative news stories related to the HIPAA fine. The consequences? A patient searching a referred cardiac surgeon from PCS finds the negative publicity and decides to continue searching for another surgeon. Or, an existing patient of PCS decides to look for another medical practice that takes every measure to safeguard his privacy.

Other Cost Factors

Beyond revenue loss and a damaged reputation are the direct overhead costs associated with a breach. The cost of discovering and stopping a breach may involve IT services, forensic investigative services to determine which systems and patients were affected, and legal counsel if patients file a lawsuit. There are also hard costs associated with notifying patients affected by the breach, including time spent to pull together their contact information, mailing out notifications and providing toll-free inbound phone numbers to handle complaints. Most organizations also provide identity and credit monitoring services for affected patients. All of these expenses add up, not to mention the cost of lost productivity due to the diverted attention of employees tasked with managing these processes.

Today it’s not uncommon for laptops, tablets and USB drives with patient records to disappear.  Or, for crime rings to hack into EHR systems to steal patient information and commit tax fraud, and for meth dealers to steal patient identities to obtain prescriptions.  If a large hospital system can lose 4.5 million patient records think how easy it is for a hacker to grab thousands of patient records from smaller medical practices and turn them into cash. The threat of a HIPAA breach has never been greater and all organizations should take heed.

Risk Assessment as a First Step

Healthcare organizations, particularly smaller medical practices, should perform a HIPAA risk assessment to look at where patient information is stored and accessed, and how the organization protects that information. It examines the risks of a breach and recommends steps to lower them. Without performing a risk assessment an organization may be lulled into a false sense of security, mistakenly believing they won’t suffer the consequences of a HIPAA breach.  At $233 per lost or stolen record that could be a costly miscalculation.

About Art Gross

Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices.  Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

Can We Start Being Human?

Posted on August 19, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Excuse a moment of somewhat personal commentary, but this story in the New York Times has been making the rounds. Basically, the boards full of smiling babies in a doctor’s office are considered a privacy violation. Here’s an excerpt from the article:

Under the law, the Health Insurance Portability and Accountability Act, baby photos are a type of protected health information, no less than a medical chart, birth date or Social Security number, according to the Department of Health and Human Services. Even if a parent sends in the photo, it is considered private unless the parent also sends written authorization for its posting, which almost no one does.

When I read stories like this, I ask myself “Have we lost all common sense? Can’t we be human?” I get how privacy is important. I’ve written this blog for 9 years and so I know the consequences of HIPAA breaches. Although, I think Dr. Moritz covers my view really well:

“I think we have to have some common sense with this HIPAA business,” Dr. Moritz continued. “To leave medical records open to the public, to throw lab results in the garbage without shredding them, that makes sense” to prohibit. “But if somebody wants to post a picture of something that’s been going on for a millennium and is a tradition, it seems strange to me not to do that,” he said.

I know there are ways to comply with the law and preserve the baby board. Have the parents sign a release form when they drop off the picture. I think you could also add this note in your HIPAA notice that the patient signs before their first visit. However, I think this is missing the point. Isn’t it common sense that someone who sends a picture of their baby to the office isn’t afraid of having that picture shared?

Certainly this change is not life or death stuff. Although, I think the baby boards did provide some humanity to an otherwise sterile office. However, I hate the trend of where this leads. In far too many things we can’t be human anymore. Common sense is missing in so many areas of life and instead of giving people the benefit of the doubt we’re too easy to condemn people who had no ill intent.

I realize there are bad people out there that do bad things. However, they’re the minority and its sad when the minority is able to have such an impact on the majority.

Chinese Hackers Reportedly Access 4.5 Million Medical Records

Posted on August 18, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The headline of a tech startup blog I read pretty regularly caught my attention today, “Another day, another Chinese hack: 4.5M medical records reportedly accessed at national hospital operator“. The title seems to say it all. It’s almost like the journalist sees the breach as the standard affair these days. Just to be clear, I don’t think he thinks breaches are standard in healthcare, I think he thinks breaches are standard in all IT. As he says at the end of the article:

Community Health Systems joins a long list of large companies suffering from major cybersecurity breaches. Among them, Target, Sony, Global Payment Systems, eBay, Visa, Adobe, Yahoo, AOL, Zappos, Marriott/Hilton, 7-Eleven, NASDAQ, and others.

Yes, healthcare is not alone in their attempt to battle the powers of evil (and some not so evil, but possibly dangerous) forces that are hacking into systems large and small. We can certainly expect this trend to continue and likely get worse as more and more data is stored electronically.

For those interested in the specific story, Community Health Systems, a national hospital provider based in Nashville reported the HIPAA breach in their latest SEC filings. Pando Daily reported that “Chinese Hackers” used a “highly sophisticated malware” to breach Community Health Systems between April and June. What doesn’t make sense to me is this part of the Pando Daily article:

The outside investigators described the breach as dealing with “non-medical patient identification data,” adding that no financial data was stolen. The data, which includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, was, however, protected under the Health Insurance Portability and Accountability Act (HIPPA).

I’m not sure what they define as financial data, but social security numbers feel like financial data to me. Maybe they meant hospital financial data, but that’s an odd comment since a stack of social security numbers is likely a lot more valuable than some hospital financial data. The patient data they describe could be an issue for HIPAA though.

As is usually the case in major breaches like this, I can’t imagine a chinese hacker is that interested in “patient data.” In fact, from the list, I’d define the data listed as financial data. I’ve read lots of stories that pin the value of a medical record on the black market as $50 per record. A credit card is worth much less. However, I bet if I were to dig into the black market of data (which I haven’t since that’s not my thing), I bet I’d find a lot of buyers for credit card data tied to other personal data like birth date and addresses. I bet it would be hard to find a buyer for medical data. As in many parts of life, something is only as valuable as what someone else is willing to pay for it. People are willing to pay for financial data. We know that.

We shouldn’t use this idea as a reason why we don’t have to worry about the security and privacy of healthcare data. We should take every precaution available to create a culture of security and privacy in our institutions and in our healthcare IT implementations. However, I’m just as concerned with the local breach of a much smaller handful of patient data as I am the 4.5 million medical record breach to someone in China. They both need to be prevented, but the former is not 4.5 million times worse. Well, unless you’re talking about potential HIPAA penalties.