Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Amazing Live Visualization of Internet Attacks

Posted on October 22, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently heard Elliot Lewis, Dell’s Chief Security Architect, comment that “The average new viruses per day is about 5-10k appearing new each day.” To be honest, I wasn’t quite sure how to process that type of volume of viruses. It felt pretty unbelievable to me even though, I figured he was right.

Today, I came across this amazing internet attack map by Norse which illustrates a small portion of the attacks that are happening on the internet in real time. I captured a screenshot of the map below, but you really need to check out the live map to get a feel for how many internet attacks are happening. It’s astounding to watch.

Norse - Internet Attack Map

For those tech nerds out there, here’s the technical description of what’s happening on the map:

Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

It’s worth noting that these are the attacks that are happening. Just because something is getting attacked doesn’t mean that the attack was successful. A large majority of the attacks aren’t successful. However, when you see the volume of attacks (and that map only shows a small portion of them) is so large, you only need a small number of them to be successful to wreak a lot of havoc.

If this type of visualization doesn’t make you stop and worry just a little bit, then you’re not human. There’s a lot of crazy stuff going on out there. It’s actually quite amazing that with all the crazy stuff that’s happening, the internet works as well as it does.

Hopefully this visualization will wake up a few healthcare organizations to be just a little more serious about their IT security.

CMS’ HIPAA Risk Analysis Myths and Truths

Posted on October 21, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although, that illustrates how well we’re doing at complying with the HIPAA security rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. Fore more information, read this FAQ.

Please note:
*Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
*In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
CMS HIPAA Security Risk Analysis Myths and Facts

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
CMS HIPAA Security Risk Analysis Overview

Have you done your HIPAA Risk Assessment for your organization?

Is Your EMR Compromising Patient Privacy?

Posted on November 20, 2013 I Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

Two prominent physicians this week pointed out a basic but, in the era of information as a commodity, sometimes overlooked truth about EMRs: They increase the number of people with access to your medical data thousands of times over.

Dr. Mary Jane Minkin said in a Wall Street Journal video panel on EMR and privacy that she dropped out of the Yale Medical Group and Medicare because she didn’t want her patients’ information to be part of an EMR.

She gave an example of why: Minkin, a gynecologist, once treated a patient for decreased libido. When the patient later visited a dermatologist in the Yale system, that sensitive bit of history appeared on a summary printout.

“She was outraged,” she told Journal reporter Melinda Beck. “She felt horrible that this dermatologist would know about her problem. She called us enraged for 10 or 15 minutes.”

Dr. Deborah Peel, an Austin psychiatrist and founder of the nonprofit group Patient Privacy Rights, said she’s concerned about the number of employees, vendors and others who can see patient records. Peel is a well-known privacy advocate but has been accused by some health IT leaders of scaremongering.

“What patients should be worried about is that they don’t have any control over the information,” she said. “It’s very different from the paper age where you knew where your records were. They were finite records and one person could look at them at a time.”

She added: “The kind of change in the number of people who can see and use your records is almost uncountable.”

Peel said the lack of privacy causes people to delay or avoid treatment for conditions such as cancer, depression and sexually transmitted infections.

But Dr. James Salwitz, a medical oncologist in New Jersey, said on the panel that the benefits of EMR, including greater coordination of care and reduced likelihood of medical errors, outweigh any risks.

The privacy debate doesn’t have clear answers. Paper records are, of course, not immune to being lost, stolen or mishandled.

In the case of Minkin’s patient, protests aside, it’s reasonable for each physician involved in her care to have access to the complete record. While she might not think certain parts of her history are relevant to particular doctors, spotting non-obvious connections is an astute clinician’s job. At any rate, even without an EMR, the same information might just as easily have landed with the dermatologist via fax.

That said, privacy advocates have legitimate concerns. Since it’s doubtful that healthcare will go back to paper, the best approach is to improve EMR technology and the procedures that go with it.

Plenty of work is underway.

For example, at the University of Texas at Arlington, researchers are leading a National Science Foundation project to keep healthcare data secure while ensuring that the anonymous records can be used for secondary analysis. They hope to produce groundbreaking algorithms and tools for identifying privacy leaks.

“It’s a fine line we’re walking,” Heng Huang, an associate professor at UT’s Arlington Computer Science & Engineering Department, said in a press release this month “We’re trying to preserve and protect sensitive data, but at the same time we’re trying to allow pertinent information to be read.”

When it comes to balancing technology with patient privacy, healthcare professionals will be walking a fine line for some time to come.

Atlanta Hospital Sues Exec Over Allegedly Stolen Health Data

Posted on November 1, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In most cases of hospital data theft, you usually learn that a laptop was stolen or a PC hacked. But in this case, a hospital is claiming that one of its executives stole a wide array of data from the facility, according to the Atlanta Business Chronicle.

In a complaint filed last week in Atlanta federal court, Children’s Healthcare of Atlanta asserts that corporate audit advisor Sharon McCray stole a boatload of proprietary information. The list of compromised data includes PHI of children, DEA numbers, health provider license numbers for over 500 healthcare providers, financial information and more, the newspaper reports.

According to the Children’s complaint, McCray announced her resignation on October 16th, then on the 18th, began e-mailing the information to herself using a personal account. On the 21st, Children’s cut off her access to her corporate e-mail account, and the next day she was fired.

Not surprisingly, Children’s has demanded that McCray return the information, but as of the date of the filing, McCray had neither returned or destroyed the data nor permitted Children’s to inspect her personal computer, the hospital says. Children’s is asking a federal judge to force McCray to give back the information.

According to IT security firm Redspin, nearly 60 percent of the PHI breaches reported to HHS under notification rules involved a business associate, and 67 percent were the result of theft or loss. In other words, theft by an executive with the facility — if that is indeed what happened — is still an unusual occurrence.

But given the high commercial value of the PHI and medical practitioner data, I wouldn’t be surprised if hospital execs were tempted into theft. Hospitals are just going to have to monitor execs as closely they do front-line employees.

Healthcare Cloud Spending To Ramp Up Over Next Few Years

Posted on October 4, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For years, healthcare IT executives have wrestled with the idea of deploying cloud services, concerned that the cloud would not offer enough security for their data. However, a new study suggests that this trend is shifting direction.

A new study by market research firm MarketsandMarkets has concluded that the healthcare industry will invest $5.4 billion in cloud computing by 2017.  This year should see a particularly big change, with total healthcare cloud investment moving from 4 percent to 20.5 percent of the industry, according to an article in the Cloud Times.

The current US cloud market for healthcare is dominated by SaaS vendors such as CareCloud, Carestream Health and Merge Healthcare, according to MarketsandMarkets. These vendors are tapping into an overall cloud computing market which should grow at a combined annual growth rate of 20.5 percent between 2012 and 2017, the researchers say.

As the report notes, there are good reasons why healthcare IT leaders are taking a closer look at cloud computing. For example, the cloud offers easy access to high-performance computing and high-volume storage, access which would be very costly to duplicate with on-premise computing.

On the other hand, the MarketsandMarkets researchers admit, healthcare still has particularly stringent data security requirements, and a need for strict confidentiality, access control and long-term data storage. Cloud vendors will need to offer services and products which meet these unique needs, and just as importantly, change and adapt as regulatory requirements shift. And they’ll have to have an impeccable reputation.

That last item — the cloud vendor’s reputation — will play a major role in the coming shift to cloud-based deployments. If giants like AT&T, IBM and Verizon stay in the healthcare cloud business, which seems likely to me, then healthcare institutions will be able to admit that they’re engaged in cloud deployments without suffering a public black eye over potential security problems.

On the other hand, if the giants were to get cold feet, cloud adoption would probably slow substantially, and remain at the trickle it has been for several years. While vendors like Merge and Carestream may be doing well, I’d argue that the presence of the 2,000-pound gorilla vendors ultimately dictates whether a market thrives.

A Primer On HIPAA Compliance For BYOD

Posted on June 13, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Here’s a statistic that caught me off guard: according to IDC Healthcare Insights, clinicians on average use 6.4 mobile devices in a day. That stat, courtesy of HIT Consultant, underscores the need for a smart and thorough security policy for clinicians who use their own devices at work.

Increasingly, healthcare organizations are crafting security policies for BYOD, but they vary greatly in how much such devices are allowed to access the hospital network, which hospital applications they can access and which devices can access the Internet, HIT Consultant notes.

However, according to Andrew Shearer, CTO at Care Thread, there’s some do’s and don’ts which should be common to all BYOD programs. Here’s some thoughts from Shearer, below.

DO:

Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements

Be aware that under the new rules, HIPAA requirements now extend to business associates of entities that receive  protected health informatoin, such as contractors and subcontractors. Also new, not only vendors to healthcare organizations required to have business associate agreements, vendors must also hold BAAs with their sub-vendors.

Use two levels of security when users login to enterprise applications

Shearer recommends using Active Directory for the first level, allowing providers to use their hospital login credentials.  The second stage, he suggests, is to use a separate PIN for quick access to mobile apps which are in use, one which should disconnect when it goes idle.

Have the ability to remotely wipe a device if it is missing

This isn’t required by HIPAA, but it’s still an essential part of a strong mobile/BYOD security management program. Be prepared to do anything from deleting data in selected folders to turning the device into a brick (removing all programming or returning it to factor settings).

DON’T:

Allow PHI to be written to the mobile device

While it’s very common for clinicians to use mobile messaging apps to share patient information, such sharing is generally not HIPAA-compliant, Shearer notes.  In his view, the ideal healthcare communication app should allow access to messages and PHI only when the use is logged in.

Permit integration with insecure file-sharing / hosting services

Cloud-based hosting and file-sharing services like Evernote and Dropbox are very popular, but they’re not HIPAA compliant. To be HIPAA compliant, organizations must use multiple security protocols, including physical security, technical security in PHI storage and user authentication.

Ignore security updates

Make sure you do periodic audits of mobile devices to make sure any that transmit work-related information meet regulatory standards. Also, make sure apps on mobile devices are up to date, as older versions may not meet current security threats.

HIPAA Omnibus – What Should You Know?

Posted on March 26, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

The Final HIPAA Omnibus Rule: A Sharing of Accountability

Posted on February 25, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Rita Bowen, MA, RHIA, CHPS, SSGB, SVP of HIM and Chief Privacy Officer, HealthPort. If you’re attending HIMSS, I’ll be doing an interview with Rita at HealthPort’s Booth 6841 at Noon on Tuesday 3/5/13. Come by and learn more about the HIPAA Omnibus Rule and get any questions you have answered.

It seems an eternity ago, four years to be exact, that the HITECH Act introduced changes to HIPAA. After much speculation, rumor, innuendo and anticipation, HHS released the final HIPAA omnibus rule, which significantly amends the original HIPAA Privacy, Security, Breach and Enforcement Rules. HHS Secretary Kathleen Sebelius introduced the new rule by stating:

“The final rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”

Ms. Sebelius conceded that healthcare has changed dramatically since HIPAA was first enacted and that the new rule is necessary to “protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The new rule, at 563 pages, is not brief, but covered entities can’t let that inhibit them from becoming intimately acquainted with this document. I’ve made an initial review of the rule and culled what I feel are its key concepts:

  • Business Associates (BAs) of covered entities are now, for the first time, directly liable for compliance with certain requirements of HIPAA Privacy and Security rules, including the cost of remediation of breaches for which they are responsible.
  • The rule goes so far as to revise the definition of a “breach.” This new definition promises to make the occurrence of breaches – and the required notification of breaches — more common.
  • The use and disclosure of protected health information for marketing and fundraising purposes is further limited, as is the sale of protected information without individual authorization.
  • The rule expands patients’ rights to receive electronic copies of their health information and to restrict disclosures to health plans regarding treatment for which they’ve already paid.
  • Covered entities are required to modify and redistribute their notice of privacy practice to reflect the new rule.
  • The new rule modifies Individual authorizations and other requirements to facilitate research, expedite the disclosure of child immunization proof to schools, and enable access to decedent information by family members and others.
  • The additional HITECH Act enhancements to the Enforcement Rule are adopted, including provisions addressing enforcement of noncompliance with HIPAA rules due to willful neglect.

Getting to Compliance

And now comes the challenging part – compliance! The new rule goes into effect on March 26, and covered entities and BAs are expected to comply by September 23, so there is much work to do. Hospitals and clinics need to thoroughly comprehend — and then prepare for — the sweeping changes in BA liability. They’ll need to communicate these changes and new requirements to BAs and update their BA agreements accordingly. And since BAs are now directly liable for breaches, organizations must decide how they’ll enforce their BA agreements with regard to privacy and security. Additionally, comparable agreements must now be shared between BAs and their subcontractors.

What are the keys to successful compliance?  The following tips should ensure your smooth transition into the new rule:

  • Become intimately acquainted with the new rule — and its ramifications for your organization, your BAs, and their subcontractors.
  • Identify a privacy officer within all of your partner organizations.
  • Define a process for the notification of patients in the event of a breach of their protected health information (PHI).
  • Update breach notification materials to reflect the new Rule.
  • Update, repost and redistribute your Notice of Privacy Practices.
  • Document current privacy and security practices, and conduct a risk assessment.
  • Make certain your healthcare security technology solution is flexible, secure, and scalable to handle the growing volume of audit inquiries promised by the RACs.
  • Encrypt all devices that store patient information.
  • Communicate new HIPAA requirements and expectations to BAs.
  • Update business associate agreements (BAAs) to clarify that BAs pay the cost of breach remediation, when the BA is responsible for the breach.
  • Provide a template of a comparable agreement for BAs to use with their subcontractors.
  • Monitor your partners’ efforts to protect patient data.

The new HPAA omnibus rule has arrived and the challenges it presents should not be underestimated. Communication and organization will be your keys to success!

Rita Bowen, MA, RHIA, CHPS, SSGB

Ms. Bowen is a distinguished professional with 20+ years of experience in the health information management industry.  She serves as the Sr. Vice President of HIM and Privacy Officer of HealthPort where she is responsible for acting as an internal customer advocate.  Most recently, Ms. Bowen served as the Enterprise Director of HIM Services for Erlanger Health System for 13 years, where she received commendation from the hospital county authority for outstanding leadership.  Ms. Bowen is the recipient of Mentor FORE Triumph Award and Distinguished Member of AHIMA’s Quality Management Section.  She has served as the AHIMA President and Board Chair in 2010, a member of AHIMA’s Board of Directors (2006-2011), the Council on Certification (2003-2005) and various task groups including CHP exam and AHIMA’s liaison to HIMSS for the CHS exam construction (2002).

Ms. Bowen is an established speaker on diverse HIM topics and an active author on privacy and legal health records.  She served on the CCHIT security and reliability workgroup and as Chair of Regional Committees East-Tennessee HIMSS and co-chair of Tennessee’s e-HIM group.  She is an adjunct faculty member of the Chattanooga State HIM program and UT Memphis HIM Master’s program.  She also serves on the advisory board for Care Communications based in Chicago, Illinois.

Health Data Hacking Likely To Increase

Posted on February 15, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Wondering about trends in the various protected health information breaches you seen in the news every now and then? Here’s some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule when into effect as part of the HITECH Act.  The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents took place due to data on a laptop or other portable electronic device which wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any  broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah “should end any complacency,” Redspin advises.

Mixing Physical, Mental Health Data Lowers Readmissions

Posted on January 14, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Ordinarily, it makes sense to treat psychiatric records with particular sensitivity, given how private these issues are for most patients.  Also, one might assume that medical doctors simply don’t need access to psychiatric records — and if so, why increase the risk of a  HIPAA breach by giving them needless data access?

Apparently, however, these assumptions may be working against patients, according to a new study by researchers at Johns Hopkins. A new study by researchers at the university found that in some cases, keeping mental health records separately from physical health records in an EMR as a privacy measure may actually decrease quality of care.

To examine this issue, researchers at Johns Hopkins surveyed the psychiatric departments at 18 of the hospitals ranked most highly by U.S. News & World Report’s Best Hospitals of 2007, according to blogger Melissa Le Furge. The survey concluded that less than 25 percent of the hospitals allowed non-psychiatric physicians to have full access to patients’ mental health EMR data.  Not so surprising, given the current state of practice.

What’s really interesting, though, is that at the hospitals that allowed non-psychiatric clinicians to have access to mental health records, patients were 40 percent less likely to be admitted within a week of discharge than industry baseline.

Melissa notes that there are many reasons why this might be:

Depression and other mental illnesses sometimes make it difficult for patients to follow physicians’ instructions after a heart attack or stroke and are less likely to take proper care of themselves…[Also,] being uninformed about medications prescribed by a psychiatrist can cause the primary care physician to prescribe medications that create adverse reactions.

Segregating mental health records may make sense from a social standpoint, but perhaps it’s not good medicine. At minimum, this issue deserves further study.