
Government Surveillance and Privacy of Personal Data

Posted on April 6, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Dr. Deborah Peel from Patient Privacy Rights always keeps me updated on some of the latest news coverage around privacy and government surveillance. Obviously, it’s a big challenge in healthcare and she’s the leading advocate for patient privacy.

Today she sent me a link to this John Oliver interview with Snowden. The video is pretty NSFW, with quite a bit of vulgarity in it (it’s John Oliver on HBO, so you’ve been warned). However, much like Stephen Colbert and Jon Stewart, he talks about some really important topics in a funny way. Plus, the part where he’s waiting to see if Snowden is actually going to show up for the interview is hilarious.

The humor aside, about 10 minutes in John Oliver makes this incredibly insightful observation:

There are no easy answers here. We all naturally want perfect privacy and perfect safety, but those two things cannot coexist.

Either you have to lose one of them or you have to accept some reasonable restrictions on both of them.

This is the challenge of privacy and security. There are risks to having data available electronically and flowing between healthcare providers. However, there are benefits as well.

I’ve found the right approach is to focus keenly on the benefits you want to achieve by using technology in your organization. Then, once the technology is focused on those benefits, work through all of the risks you face. Once you have that list of risks, work to mitigate each of them as far as you reasonably can.

As my hacker friend said, “You’ll never be 100% secure. Someone can always get in if they’re motivated enough. However, you can make it hard enough for them to breach that they’ll go somewhere else.”

Human Error Healthcare Data Breach Infographic

Posted on March 26, 2015 | Written By


You all know I’m a sucker for an infographic and this one illustrates a topic we’ve known for a long time: humans are one of the biggest breach challenges. All the encryption and firewalls in the world can’t solve for a human who already has access. This infographic really illustrates that point well.

Human Error and Healthcare Data Breaches
Infographic based on ICO FOI request data by Egress Software Technologies, providers of email security as well as large file transfer and encryption software.

There’s More to HIPAA Compliance Than Encryption

Posted on March 24, 2015 | Written By

The following is a guest blog post by Asaf Cidon, CEO and Co-Founder of Sookasa.
The news that home care provider Amedisys had a HIPAA breach involving more than 100 lost laptops—even though they contained encrypted PHI—might have served as a wake-up call to many healthcare providers.  Most know by now that they need to encrypt their files to comply with HIPAA and prevent a breach. While it’s heartening to see increased focus on encryption, it’s not enough to simply encrypt data. To ensure compliance and real security, it’s critical to also manage and monitor access to protected health information.

Here’s what you should look for from any cloud-based solution to help you remain compliant.

  1. Centralized, administrative dashboard: The underlying goal of HIPAA compliance is to ensure that organizations have meaningful control over their sensitive information. In that sense, a centralized dashboard is essential to give the practice a lens into the activities of the entire organization. HIPAA also stipulates that providers be able to get emergency access to necessary electronic protected health information in urgent situations, and a centralized, administrative dashboard that’s available on the web can provide just that.
  2. Audit trails: A healthcare organization should be able to track every encrypted file across the entire organization. That means logging every modification, copy, access, or share operation made to encrypted files, and associating each with a particular user.
  3. Integrity control: HIPAA rules mandate that providers be able to ensure that ePHI hasn’t been altered or destroyed in an unauthorized manner. Often, that’s an element of the audit trails. But it also means that providers should be able to preserve a complete history of confidential files to help track and recover any changes made to those files over time. Encryption helps here only when it is authenticated: a file encrypted with a plain (unauthenticated) mode can still have its bits altered by someone who never had the key, and nothing will flag it. Authenticated encryption, or a MAC or signature over the ciphertext, is what makes unauthorized modification detectable; the version history is what lets you recover from it.
  4. Device loss / theft protection: The Amedisys situation illustrates the real risk posed by lost and stolen devices. Amedisys took the important first step of encrypting sensitive files. But it isn’t the only one to take. When a device is lost or stolen, it might seem like there’s little to be done. But steps can and should be taken to decrease the impact of a breach in progress. Certain cloud security solutions provide a device block feature, which administrators can use to remotely wipe the keys associated with certain devices and users so that the sensitive information can no longer be accessed. Automatic logoff also helps, because terminating a session after a period of inactivity can help prevent unauthorized access.
  5. Employee termination help: Procedures should be implemented to prevent terminated employees from accessing ePHI. But the ability to actually cut off a user’s access, rather than just document that it should be cut off, takes it a step further. Technical tools such as a button that revokes or changes access permissions in real time can make a big impact.

Of course encryption is still fundamental to HIPAA compliance. In fact, it should be at the center of any sound security policy—but it’s not the only step to be taken. The right solution for your practice will integrate each of these security measures to help ensure HIPAA compliance—and overall cyber security.
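The integrity point deserves a concrete illustration, because it is the one most often gotten wrong. The following is an added example, not Sookasa’s code or anything from the original post. It uses a toy counter-mode stream cipher built from SHA-256 (an assumption standing in for any unauthenticated mode such as AES-CTR; a real system should use AES-GCM or ChaCha20-Poly1305 from a vetted library) to show that an attacker who never sees the key can still change an encrypted dosage field, and that an HMAC over the ciphertext (encrypt-then-MAC) is what catches the change. The sample record and the keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample record; the attacker is assumed to know the field layout.
RECORD = b"patient=12345;drug=warfarin;dose_mg=1.0"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter).
    Stands in for AES-CTR here; like AES-CTR, ciphertext = plaintext XOR keystream,
    so flipping a ciphertext bit flips the same plaintext bit (malleability)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated encryption: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def tamper(blob: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker with no key: XOR the ciphertext byte at `offset` with old^new,
    which turns plaintext byte `old` into `new` after decryption."""
    b = bytearray(blob)
    b[NONCE_LEN + offset] ^= old ^ new
    return bytes(b)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over nonce || ciphertext, appended as a tag."""
    blob = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, blob, hashlib.sha256).digest()
    return blob + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything modified."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: file was modified")
    return decrypt(enc_key, blob)


def dose_offset() -> int:
    """Byte position of the dose value inside RECORD."""
    return RECORD.index(b"dose_mg=") + len(b"dose_mg=")


def show_malleability(enc_key: bytes = b"k" * 32) -> bytes:
    """Encryption only: the forged file decrypts cleanly to a 9.0 mg dose."""
    blob = encrypt(enc_key, RECORD)
    forged = tamper(blob, dose_offset(), ord("1"), ord("9"))
    return decrypt(enc_key, forged)


def show_detection(enc_key: bytes = b"k" * 32, mac_key: bytes = b"m" * 32) -> bool:
    """Encrypt-then-MAC: the same forgery is rejected before any plaintext is returned."""
    sealed = seal(enc_key, mac_key, RECORD)
    forged = tamper(sealed, dose_offset(), ord("1"), ord("9"))
    try:
        open_sealed(enc_key, mac_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("without MAC, attacker produced:", show_malleability())
    print("with MAC, tampering detected:", show_detection())
```

Note what the MAC does and does not buy you: it detects changes by anyone who lacks the MAC key, but an insider who holds the keys can re-seal a modified file, which is why the version history and audit trail in the list above still matter. A production design would use an AEAD mode from a vetted library and keep the MAC key distinct from the encryption key.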

About Asaf Cidon
Asaf Cidon is CEO and co-founder of cloud security company Sookasa, which encrypts, audits and controls access to files on Dropbox and connected devices, and complies with HIPAA and other regulations. Cidon holds a Ph.D. from Stanford University, where he specialized in mobile and cloud computing.

The Future Of…Healthcare Security

Posted on March 13, 2015 | Written By


This post is part of the #HIMSS15 Blog Carnival which explores “The Future of…” across 5 different healthcare IT topics.

Security is on the top of mind of most healthcare boards. I think the instruction from these boards to CIOs is simple: Keep Us Out of the News!

That’s an order that’s much easier said than done. If Google and Anthem can’t stay out of the news because of a breach, then a hospital or doctor’s office is fighting an uphill battle. If you still don’t believe me, check out this visualization of internet attacks. It’s pretty scary stuff.

The reality is that you don’t really win a security battle. You can just defend against attacks as well as possible with the limited resources you have available. What is clear is that while still limited, healthcare will be investing more resources in security and privacy than they’ve ever done before.

The future of effective security in healthcare is going to be organizations who bake security into everything they do. Instead of hiring a chief security officer that worries about and advocates for security, we need a culture of security in healthcare organizations. This starts at the top where the leader is always asking about how we’re addressing security. That leadership will then trickle down into the culture of a company.

Let’s also be clear that security doesn’t have to be at odds with innovation and technology. In fact, technology can take our approach to security and privacy to the next level. Tell me how you knew who read the chart in a paper chart world? Oh yes, that sign-out sheet that people always forgot to sign. Oh wait, the fingerprints on the chart were checked. It’s almost ludicrous to think about. Let’s be real. In the paper chart world we put in processes to try to keep the chart out of the wrong hands, but we really had no idea who saw it. The opposite is true in an EHR world. We know exactly who saw what and who changed what, when and where (Note: some EHRs are better than others at this, but a few lawsuits will get them all up to par).

The reality is that technology can take security and privacy to another level that we could have never dreamed. We can implement granular access controls that are hard and fast and monitored and audited. That’s a powerful part of the future of security and privacy in healthcare. Remember that many of the healthcare breaches come from people who have a username and password and not from some outside hacker.

A culture of security and privacy embraces the ability to track when and what happens to every piece of PHI in their organization. Plus, this culture has to be built into the procurement process, the implementation process, the training process, etc. Gone are the days of the chief security officer scapegoat. Technology is going to show very clearly who is responsible.

While I’ve described a rosy future built around a culture of privacy and security, I’m not naive. The future of healthcare security also includes a large number of organizations who continue to live a security life of “ignorance is bliss.” These people will pay lip service to privacy and security, but won’t actually address the culture change that’s needed to address privacy and security. They’ll continue the “Just Enough Culture of HIPAA Compliance.”

In the future we’ll have to be careful to not include one organization’s ignorance in a broad description of healthcare in general. A great example of this can be learned from the Sutter Health breach. In this incident, Sutter Health CPMC found the breach during a proactive audit of their EHR. Here’s the lesson learned from that breach:

The other lesson we need to take from this HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they’re going to sometimes catch bad actors whom they need to correct.

Healthcare IT software like EHRs have a great ability to track everything that’s done and they’re only going to get better at doing it. That’s a good thing and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like CPMC for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health who take a proactive approach to the security and privacy of healthcare information.

In fact the title of the blog post linked above is a warning for the future of healthcare IT: “Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?”

Security and privacy will be part of the fabric of everything we do in healthcare IT. We can’t ignore them. In order for patients to trust these healthcare apps, security will have to be a feature. Those in healthcare IT that don’t include security as a feature will be on shaky ground.

Are Legacy EHR Systems the HIPAA Ticking Time Bomb?

Posted on February 20, 2015 | Written By


Healthcare IT and EHR security is a really important topic right now. Many organizations have started to spend time and resources on this problem after a series of healthcare and non-healthcare breaches. The Anthem breach being the most recent. Overall, this is a great thing for the industry since I think there’s more that could be done in every organization to shore up the privacy and security of patient health data.

In a recent conversation I had with Mike Semel, we talked about some of the challenges associated with legacy EHR and healthcare IT systems in offices. Our conversation prompted me to ask whether these legacy EHR systems are the ticking time bombs of many healthcare organizations.

Think about what happens to many of these legacy EHR systems. They get put in some back office or under someone’s desk or in some nondescript closet where they’re largely forgotten. In many cases there are only 1-2 people who regularly use them and in many cases the word “regularly” equates to accessing it a few times a month. These few people are usually not technically savvy and know very little about IT security and privacy.

Do I need to ask the question about how good the security is on a system for which most people have forgotten?

These forgotten systems often don’t get any software updates to the application or the operating system. The former is an issue, but the latter is a major problem. Remember that when an operating system patch is issued, the existence of an exploitable flaw is effectively announced to the public, and attackers routinely compare the patched and unpatched code to work out how to exploit it. If you’re not updating the OS, these systems make for easy pickings.

Forget about great audit log tracking and other more advanced security on these legacy systems. In most cases, organizations are just trying to limp them along until they can decommission them and put them out to pasture. It makes for one massive security hole for most organizations.

Of course, this doesn’t even take into account the fear that many organizations have that these systems will just give up the ghost and stop working altogether. There’s nothing quite like the security of a Windows 2000 Server box sitting under someone’s desk, just waiting to die. Hopefully those hard drives and other mechanical parts don’t fail before the data’s retention period is up.

These legacy systems aren’t pretty and likely present a massive HIPAA privacy and security hole in many organizations. If you don’t have a good handle on your legacy systems, now might be a good time to take a look. Better to do it now than to deal with it after a HIPAA breach or HIPAA audit.

HIPAA Compliance and Windows Server 2003

Posted on February 12, 2015 | Written By


Last year, Microsoft stopped updating Windows XP, so we wrote about how Windows XP would no longer be HIPAA compliant. If you’re still using Windows XP to access PHI, you’re a braver person than I. That’s just asking for a HIPAA violation.

It turns out that Windows Server 2003 is 5 months away from Microsoft ending support for it as well. This could be an issue for the many practices that have a local EHR install on Windows Server 2003. I’d be surprised if an EHR vendor or practice management vendor were still running a SaaS EHR on Windows Server 2003, but I guess it’s possible.

However, Microsoft just recently announced another critical vulnerability in Windows Server 2003 that involves Active Directory. Here are the details:

Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

There are a lot more technical details at the link above. However, I find it really interesting that Microsoft has chosen not to fix this issue in Windows Server 2003. The article above says “This Windows vulnerability isn’t as simple as most to fix because it affects the design of core Windows functions rather than implementations of that design.” I assume this is why they’re not planning to do an update.

This lack of an update for a critical vulnerability has me asking whether Windows Server 2003 is still HIPAA compliant. I think the answer is no. HIPAA doesn’t name specific products, but the Security Rule requires a risk analysis and ongoing risk management, and it’s hard to justify keeping ePHI on a system with a publicly known critical vulnerability that the vendor has said it will never fix. It’s hard to say how many healthcare organizations are still using Windows Server 2003, but this vulnerability should give them a good reason to upgrade ASAP.

Will Hospitals Be At Risk for HIPAA Audits If They Don’t Have HIPAA Violations?

Posted on February 5, 2015 | Written By


Sutter Health’s California Pacific Medical Center (CPMC) recently announced an employee accessing patient files without a business or treatment purpose. Here are the details from their press release:

California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.

CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation.

The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.

This was a fascinating breach of HIPAA. In fact, it starts with the question of whether we should call this a breach. In the HIPAA sense, it’s a breach of HIPAA. In the IT systems security sense, I could see how people wouldn’t consider it a breach since the person didn’t visit anything he wasn’t authorized by the IT system to see. Semantics aside, this is a HIPAA issue and is likely happening in pretty much every organization in the US.

My last statement is particularly true in larger organizations. The sheer number of staff means that it’s very likely that some users of your IT systems are looking at patient records without a specific “business or treatment purpose.” I’m sure some will use this as a call for a return to paper. As if this stuff didn’t happen in the paper world as well. It happened in the paper world, but we just had no way to track it. With technology we can now track every record everyone touches. That’s why we’re seeing more issues like the one reported above. In the paper world we’d have just been ignorant of it.

With this in mind, I start to wonder if we won’t see some HIPAA audits for organizations that haven’t reported any violations like the ones above. Basically, the auditors would assume that if you hadn’t reported anything, then you’re probably not proactively auditing this yourself and so they’re going to come in and do it for you. Plus, if you’re not doing this, then you’re likely not doing a whole slew of other HIPAA requirements. On the other hand, if your security policies and procedures are good enough to proactively catch something like this, then you’re probably above average in other areas of HIPAA privacy and security. Sounds reasonable to me. We’ll see if it plays out that way.

The other lesson we need to take from the above HIPAA breach notification is that we shouldn’t be so quick to judge an organization that proactively discovers a breach. If we’re too punitive with healthcare organizations that find and effectively address a breach like this, then organizations will stop finding and reporting these issues. We should want healthcare organizations that have a culture of privacy and security. Part of that culture is that they’re going to sometimes catch bad actors whom they need to correct.

Healthcare IT software like EHRs have a great ability to track everything that’s done and they’re only going to get better at doing it. That’s a good thing and healthcare information security and privacy will benefit from it. We should encourage rather than ridicule organizations like the one mentioned above for their proactive efforts to take care of the privacy of their patients’ information. I hope we see more organizations like Sutter Health who take a proactive approach to the security and privacy of healthcare information.

Beware: Don’t Buy In to Myths about Data Security and HIPAA Compliance

Posted on January 22, 2015 | Written By

The following is a guest blog post by Mark Fulford, Partner in LBMC’s Security & Risk Services practice group.
Myths abound when it comes to data security and compliance. This is not surprising: HIPAA covers a lot of ground, and many organizations are left to decide on their own how best to implement a compliant data security solution. A critical first step in putting a compliant data security solution in place is separating fact from fiction. Here are four common misconceptions you’ll want to be aware of:

Myth #1: If we’ve never had a data security incident before, we must be doing OK on compliance with the HIPAA Security Rule.

It’s easy to fall into this trap. Not having had an incident is a good start, but HIPAA requires you to take a more proactive stance. Too often, no one is dedicated to monitoring electronic protected health information (ePHI) as prescribed by HIPAA. Data must be monitored—that is, someone must be actively reviewing data records and security logs to be on the lookout for suspicious activity.

Your current IT framework most likely includes a firewall and antivirus/antimalware software, and all systems have event logs. These tools collect data that too often go unchecked. Simply assigning someone to review the data you already have will greatly improve your compliance with HIPAA monitoring requirements, and more importantly, you may discover events and incidents that require your attention.
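One way to turn “someone must be reviewing the logs” into something concrete, as an added example that is not part of this post or of the CPMC notification quoted earlier on this page: the check below does, in miniature, what CPMC’s proactive EHR audit did. It reads an access-audit export and an encounter (care-relationship) table, both constructed here as inline CSV with hypothetical user and patient IDs, flags every record view by a user who had no encounter with that patient within a window around the access, and then ranks users by how many such views they have. The CSV column names and the one-day grace window are assumptions; a real program would also account for break-the-glass events, on-call coverage and department-level relationships before anyone is accused of anything.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access-audit export (hypothetical users and patient IDs, not real data).
AUDIT_LOG = """timestamp,user,role,patient_id,action
2014-10-09T08:12:00,rn_alvarez,nurse,P001,view
2014-10-09T08:15:00,rx_doe,pharmacist,P001,view
2014-10-09T08:16:00,rx_doe,pharmacist,P002,view
2014-10-09T12:40:00,rx_doe,pharmacist,P003,view
2014-10-09T12:41:00,rx_doe,pharmacist,P004,view
2014-10-09T12:42:00,rx_doe,pharmacist,P005,view
2014-10-09T15:00:00,dr_chen,physician,P006,view
2014-10-10T09:00:00,rx_doe,pharmacist,P006,view
"""

# Constructed encounter table: which users had a treatment relationship with which
# patients and on which dates (assumed to be exported from scheduling/orders data).
ENCOUNTERS = """patient_id,user,start,end
P001,rn_alvarez,2014-10-08,2014-10-12
P001,rx_doe,2014-10-08,2014-10-12
P002,rx_doe,2014-10-09,2014-10-09
P006,dr_chen,2014-10-09,2014-10-09
"""


def parse_encounters(text: str) -> dict:
    """Map (user, patient_id) -> list of [start, end) datetime windows.
    The end date is inclusive in the export, so the window ends at the next midnight."""
    windows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        end = datetime.fromisoformat(row["end"]) + timedelta(days=1)
        windows[(row["user"], row["patient_id"])].append((start, end))
    return windows


def find_unjustified_access(audit_csv: str, encounter_csv: str,
                            grace: timedelta = timedelta(days=1)) -> list:
    """Return audit rows where the user had no encounter with the patient within
    `grace` of the access time. The grace period allows chart prep before an
    encounter and follow-up after it."""
    windows = parse_encounters(encounter_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        justified = any(start - grace <= when < end + grace
                        for start, end in windows.get((row["user"], row["patient_id"]), []))
        if not justified:
            findings.append(dict(row))
    return findings


def summarize_by_user(findings: list, threshold: int = 3) -> dict:
    """Aggregate findings per user; report only users at or above `threshold`
    so that one-off mistakes rank below a pattern of browsing many charts."""
    accesses = defaultdict(int)
    patients = defaultdict(set)
    for f in findings:
        accesses[f["user"]] += 1
        patients[f["user"]].add(f["patient_id"])
    return {u: {"accesses": n, "distinct_patients": len(patients[u])}
            for u, n in accesses.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_unjustified_access(AUDIT_LOG, ENCOUNTERS)
    for h in hits:
        print(f"{h['timestamp']} {h['user']} ({h['role']}) viewed {h['patient_id']} with no encounter")
    print("users needing review:", summarize_by_user(hits))
```

On the constructed data, the four views by rx_doe of patients P003 through P006 are flagged and that one user rises above the threshold, which is exactly the kind of pattern a human reviewer then takes to HR and compliance. The same loop runs unchanged over a nightly export, which is the cheap monitoring this myth says most organizations already have the data for but nobody looks at.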

Going beyond your technology infrastructure, your facility security, hardcopy processing, workstation locations, portable media, mobile device usage and business associate agreements all need to be assessed to make sure they are compliant with HIPAA privacy and security regulations. And don’t forget about your employees. HIPAA dictates that your staff is trained (with regularly scheduled reminders) on how to handle PHI appropriately.

Myth #2: Implementing a HIPAA security compliance solution will involve a big technology spend.

This is not necessarily the case. An organization’s investment in data security solutions can vary widely, depending on its size, budget and the nature of its transactions. The Office for Civil Rights (OCR) takes these variables into account; certainly, a private practice will have fewer resources to divert to security compliance than a major corporation. As long as you’ve documented the reasoning behind each decision you’ve made about your own approach to each of the standards, the OCR will take your position into account if you are audited.

Most likely, you already have a number of appropriate technical security tools in place necessary to meet compliance. The added expense will more likely be associated with administering your data security compliance strategy.

Myth #3: We’ve read the HIPAA guidelines and we’ve put a compliance strategy in place. We must be OK on compliance.

Perhaps your organization is following the letter of the law. Policies and procedures are in place, and your staff is well-trained on how to handle patient data appropriately. By all appearances, you are making a good faith effort to be compliant.

But a large part of HIPAA compliance addresses how the confidentiality, integrity, and availability of ePHI is monitored in the IT department. If no one on the team has been assigned to monitor transactions and flag anomalies, all of your hard work at the front of the office could be for naught.

While a ‘check the box’ approach to HIPAA compliance might help if you get audited, unless it includes the ongoing monitoring of your system, your patient data may actually be exposed.

Myth #4: The OCR won’t waste their time auditing the ‘little guys.’ After all, doesn’t the agency have bigger fish to fry?

This is simply not true. Healthcare organizations of all sizes are eligible for an audit. Consider this cautionary tale: as a result of a reported incident, a dermatologist in Massachusetts was slapped with a $150,000 fine when an employee’s thumb drive was stolen from a car.

Fines for non-compliance can be steep, regardless of an organization’s size. If you haven’t done so already, now might be a good time to conduct a risk assessment and make appropriate adjustments. The OCR won’t grant you concessions just because you’re small, but they will take into consideration a good faith effort to comply.

Data Security and HIPAA Compliance: Make No Assumptions

As a provider, you are probably aware that the audits are starting soon, but perhaps you aren’t quite sure what that means for you. Arm yourself with facts. Consult with outside sources if necessary, but be aware that the OCR is setting the bar higher for healthcare organizations of all sizes. You might want to consider doing this, too. Your business—and your patients—are counting on it.

About Mark Fulford
Mark Fulford is a Partner in LBMC’s Security & Risk Services practice group. He has over 20 years of experience in information systems management, IT auditing, and security. Mark focuses on risk assessments and information systems auditing engagements, including SOC reporting, in the healthcare sector. He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). LBMC is a top 50 Accounting & Consulting firm based in Brentwood, Tennessee.

Top 4 HIT Challenges and Opportunities for Healthcare Organizations in 2015 – Breakaway Thinking

Posted on January 15, 2015 | Written By

The following is a guest blog post by Mitchell Woll, Instructional Designer at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Healthcare organizations face numerous challenges in 2015: ICD-10 implementation, HIPAA compliance, new Meaningful Use objectives, and the Office of the National Coordinator’s (ONC) interoperability road map.  To adapt successfully, organizations must take advantage of numerous opportunities to prepare.

Healthcare leaders must thoroughly assess, prioritize, prepare, and execute in each area:

  1. Meaningful Use Stage 2 objectives require increased patient engagement and reporting for a full year before earning incentives.
  2. The ONC’s interoperability road map demands a new framework to achieve successful information flow between healthcare systems over the next ten years.
  3. There are 10 months left in which to prepare for the October 1 ICD-10 deadline.
  4. HIPAA compliance will be audited.

1. Meaningful Use
For those who have already implemented an EHR, Meaningful Use Stage 2 focuses new efforts on patient access to personal health data and emphasizes the exchange of health information between patient and providers. Stage 2 also imposes financial penalties for failure to meet requirements.

CMS’s latest deadline for Stage 2 extends through 2016, so healthcare organizations have additional time to fulfill Stage 2 requirements. Stage 3 requirements begin in 2017, so healthcare organizations should take the extra time to build interoperability and foster an internal culture of collaboration between providers and patients. For Stage 3, Medicare incentives will not apply in 2017 and EHR penalties will rise to 3 percent.

CMS has also proposed a 2015 EHR certification, which requests interoperability enhancement to support transitions of care.  Complying with this certification is voluntary, but provides the opportunity to become certified for Medicare and Medicaid EHR incentive programs at the same time.

Meaningful Use Stage 2 and the ONC roadmap require that 2015 efforts concentrate on interoperability. Healthcare organizations should prepare for health information exchange by focusing efforts on building patient portals and integrating communications by automating phone, text, and e-mail messages. After setting up successful exchange methods, healthcare organizations should train staff how to use patient portals. The delay in Stage 2 means providers have more time to become comfortable using the technology to correspond with patients. Hospitals should also educate patients about these resources, describing the benefits of collaboration between providers and patients. Positive collaboration and successful data exchange helps achieve desired health outcomes faster.

2. Interoperability
The three-year goal of the ONC’s 10-year roadmap is for providers and patients to be able to send, receive, find, and use basic health information. The six- and ten-year goals then build on the initial objectives, improving interoperability into the future.

Congress has also shown initiative in promoting interoperability, asking the ONC to investigate information blocking by EHRs. Most of the ONC’s roadmap for the next three years is similar to the Meaningful Use Stage 2 goals.

Sixty-four percent of Americans do not use patient portals, so in 2015 healthcare organizations should focus on creating them, refining their workflows, and encouraging patients to use them. Additionally, 35 percent of patients said they are unaware of patient portals, while 31 percent said their physician has never mentioned them. Fifty-six percent of patients ages 55-64, and 46 percent of patients 65 and older, said they would access medical information more if it were available online. Hospitals need their own staff to use and promote patient portals in order to conquer the challenges of interoperability and Stage 2.

3. HIPAA Compliance
In 2015, the Office of the Inspector General (OIG) will audit EHR use, looking closely at HIPAA security, incentive payments, possible fraud, and contingency plan requirements. Also during the HIPAA compliance audit, the Office for Civil Rights (OCR) will confirm whether hospitals’ policies and procedures meet the updated security criteria. Healthcare organizations should take this opportunity to verify compliance with the 2013 HIPAA standards to prepare for upcoming audits. Many helpful resources exist, including HIPAA compliance toolkits available from several publishers. These kits include advice on privacy and security models. Healthcare organizations and leaders can also take advantage of online education, or hire consultants to help review and implement the necessary measures. It’s important that action be taken now to educate staff about personal health information security and how to remain HIPAA compliant.

4. ICD-10 Deadline
The new ICD-10 deadline comes as no surprise now that it has been delayed several times. In July 2014, the US Department of Health and Human Services (HHS) implemented the most recent delay and set a new date of Oct. 1, 2015, giving hospitals a 10-month window to prepare for the eventual ICD-10 rollout. Because healthcare organizations are more adaptable than ever, they can use their practiced flexibility and experience to meet these demands successfully.

As the Healthcare Information and Management Systems Society (HIMSS) suggests, communication, education, and testing must be part of an ICD-10 implementation plan. Informing internal staff and external partners of the transition is a crucial first step. ICD-10 should be tested internally and externally to verify the system works with the new codes before the transition. Healthcare organizations should outline and develop an ICD-10 training program by selecting a training team and assessing the populations who need ICD-10 education. They should perform a gap analysis to understand the training needed and use role-based training to educate the proper populations. Finally, organizations should establish the training delivery method, whether online, in the classroom, one-on-one, or some combination of these to teach different topics or levels of proficiency. In my experience at The Breakaway Group, I’ve seen that the most effective and efficient education is role-based, readily accessible, and offers learners hands-on experience performing tasks essential to their role. This type of targeted education ensures learners are proficient before the implementation. As with any go-live event, healthcare organizations must prepare and deliver the new environment, providing support throughout the event and beyond.

Facing 2015
These challenges require the same preparation, willingness, and audacity needed for prior HIT successes, including EHR implementation and meeting Meaningful Use Stage 1 requirements. ICD-10, HIPAA compliance, Stage 2, and interoperability all have the element of education in common. Healthcare organizations and leaders should apply the same tenacity and discipline to inform, educate, and prepare clinicians for upcoming obligations.

Targeted role-based education will best ensure proficiency and avoid comprehensive, costly, and time-consuming system training. Through role-based education, healthcare organizations gain more knowledgeable personnel who are up to speed on new applications. These organizations probably already have at least a foundation for 2015 expectations, and they should continue to recall the strategies used for prior go-live events. What was successful? It’s important to plan to replicate successful strategies while remedying the processes that caused problems. This is a great opportunity to capitalize on these efforts for organizational improvements. Healthcare leaders must let the necessity of 2015 government requirements inspire invention and innovation, ultimately strengthening their organizations.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

HIPAA Security and Compliance Thoughts from the Healthcare Cyber Security Summit

Posted on January 12, 2015 I Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.
It’s taken a while to collect our team’s thoughts, feedback and reactions to the SANS Institute Healthcare Cyber Security Summit 2014 held last month in San Francisco. The holidays, end-of-year, and beginning-of-the-year craziness played a part, but it also required several team discussions to produce a concise wrap-up of the event because it covered so many topics.

The healthcare community needs to get active in SANS Institute’s events and programs. SANS Institute was created in 1989 as a cooperative research and education organization. The organization is focused on information security for all industries. However, SANS needs industry participation in order for that industry to benefit from its research and information-sharing programs. Most of the SANS healthcare community is made up of IT executives and professionals who started in the financial sector and have moved to healthcare in the past couple of years at some of the largest organizations – Kaiser Permanente, Aetna, etc. It’s a great start, and the recent summit, while only in its second year, was a well-developed, well-organized event. But SANS needs more participation from different healthcare organizations, including smaller covered entities.

We asked the three members of our team who attended the conference to provide their top “take-aways” from the Summit.

“Stop focusing on compliance and start focusing on security”
This concept was repeated in several presentations, and for the most part, it is true. So many organizations and HIPAA Security Officers focus on whether or not they are in compliance with the regulation – documenting why they are not implementing an addressable standard like encryption – instead of securing the information that is at risk. That said, the presenters missed an important reality of healthcare information security: owners and management understand compliance; they don’t understand security. Until the healthcare community fears the cost of the breach more than the cost of a HIPAA fine, covered entities will spend money on “compliance” before they spend money on “security.” I would not recommend that a healthcare IT professional start his or her next presentation to the executive team with “Forget Compliance – Focus on Security!” any time soon.

“No one had a good answer when asked how small businesses could implement effective information security programs when most don’t even have a dedicated IT staff person”
Yes, our team asked several presenters and panelists how the majority of covered entities were supposed to implement the technology, tool and/or process being discussed when, according to Census.gov, 89% of healthcare businesses in the U.S. have fewer than 25 employees. The answers varied, from “use cloud technology,” from a cloud technology vendor, to “participate in the NH-ISAC,” from a board member of the National Health Information Sharing and Analysis Center. The most honest answer was from Rob Foster, Deputy Chief Information Officer and Acting Chief – Information Security, U.S. Dept. of Health and Human Services. Mr. Foster acknowledged that small covered entities would need to look outside their organization to consultants and other experts. We have to give the folks from HHS and ONC credit – they suffered many jabs at healthcare.gov, meaningful use and CMS with good humor and professionalism.

“Healthcare software and technology vendors are decades behind when it comes to security”
There was a panel of healthcare software and technology vendors from some of the most widely used products, including McKesson and Siemens Healthcare. We were shocked at the level of self-congratulation these panelists had when they admitted that their software security initiatives were all less than five years old – some less than a year. They were seriously proud of the fact that they had implemented a formal software security process “last year.” There should have been a lot more heads hung in shame rather than pats on the back. Covered entities need to start demanding accountability from vendors on the security of their products, especially if you are entrusting your patient data to a cloud vendor. A business associate agreement is not enough – ask them specific questions about their risk analysis process, whether they’ve had a third party perform a penetration/vulnerability test on their software and infrastructure, and whether they have off-shore development teams.

“The healthcare community needs to get more involved with the information security community”
Jim Routh, CISO, Aetna & Board Member, NH-ISAC, used a common analogy about information security: “I don’t have to run faster than the bear; I just have to run faster than you.” The reality is that most covered entities don’t know that they are in the woods, not to mention the fact that they are supposed to be running from a bear. The healthcare industry is not the same as the financial industry, and we need effective solutions to our industry’s problems. Until the healthcare industry commits to information security and is more active in the information security community, we aren’t going to get the same level of education, information and technology specific to our needs that is available to the financial industry.

In summary, the SANS Healthcare Cyber Security Summit was well worth the investment for our team; however, it highlighted a need for the healthcare industry to make information security a higher priority and get more involved in the information security community.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc. (hipaarisk.com), a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies. Anna is available via email at adrache@hipaarisk.com.