Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

5 Lessons In One Big HIPAA Penalty

Posted on February 2, 2017 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

The federal Office for Civil Rights just announced a $ 3.2 million penalty against Children’s Medical Center of Dallas.

5 Lessons Learned from this HIPAA Penalty

  1. Don’t ignore HIPAA
  2. Cooperate with the enforcers
  3. Fix the problems you identify
  4. Encrypt your data
  5. Not everyone in your workforce should be able to access Protected Health Information

If you think complying with HIPAA isn’t important, is expensive, and annoying, do you realize you could be making a $3.2 million decision? In this one penalty there are lots of hidden and not-so-hidden messages.

1. A $ 3.2 million penalty for losing two unencrypted devices, 3 years apart.

LESSON LEARNED: Don’t ignore HIPAA.

If Children’s Medical Center was paying attention to HIPAA as it should have, it wouldn’t be out $3.2 million that should be used to treat children’s medical problems. Remember that you protecting your patients’ medical information is their Civil Right and part of their medical care.

2. This is a Civil Money Penalty, not a Case Resolution.

What’s the difference? A Civil Money Penalty is a fine. It could mean that the entity did not comply with the investigation; (as in this case) did not respond to an invitation to a hearing; or did not follow corrective requirements from a case resolution. Most HIPAA penalties are Case Resolutions, where the entity cooperates with the enforcement agency, and which usually results in a lower dollar penalty than a Civil Money Penalty.

LESSON LEARNED: Cooperate with the enforcers. No one likes the idea of a federal data breach investigation, but you could save a lot of money by cooperating and asking for leniency. Then you need to follow the requirements outlined in your Corrective Action Plan.

3. They knew they had security risks in 2007 and never addressed them until 2013, after a SECOND breach.

Children’s Medical Center had identified its risks and knew it needed to encrypt its data as far back as 2007, but had a breach of unencrypted data in 2010 and another in 2013.

LESSON LEARNED: Don’t be a SLOW LEARNER. HIPAA requires that you conduct a Security Risk Analysis AND mitigate your risks. Self-managed risk analyses can miss critical items that will result in a breach. Paying for a risk analysis and filing away the report without fixing the problems can turn into a $ 3.2 million violation. How would you explain that to your management, board of directors, your patients, and the media, if you knew about a risk and never did anything to address it? How will your management and board feel about you when they watch $3.2 million be spent on a fine?

4. There is no better way to protect data than by encrypting it.

HIPAA gives you some leeway by not requiring you to encrypt all of your devices, as long as the alternative methods to secure the data are as reliable as encryption. There’s no such thing.

If an unencrypted device is lost or stolen, you just proved that your alternative security measures weren’t effective. It amazes me how much protected data we find floating around client networks. Our clients swear that their protected data is all in their patient care system; that users are given server shares and always use them; that scanned images are directly uploaded into applications; and that they have such good physical security controls that they do not need to encrypt desktop computers and servers.

LESSON LEARNED: You must locate ALL of your data that needs to be protected, and encrypt it using an acceptable method with a tracking system. We use professional tools to scan networks looking for protected data.

5. Not everyone in your workforce needs access to Protected Health Information.

We also look at paper records storage and their movement. This week we warned a client that we thought too many workforce members had access to the rooms that store patient records. The Children’s Medical Center penalty says they secured their laptops but “provided access to the area to workforce not authorized to access ePHI.”

LESSON LEARNED: Is your Protected Health Information (on paper and in electronic form) protected against unauthorized physical access by your workforce members not authorized to access PHI?

You can plan your new career after your current organization gets hit with a preventable $ 3.2 million penalty, just like Children’s Medical Center. Or, you can take HIPAA seriously, and properly manage your risks.

Your choice.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

Healthcare Robots! – #HITsm Chat Topic

Posted on January 31, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 2/3 at Noon ET (9 AM PT). This week’s chat will be hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo) We’ll be discussing the topic “Healthcare Robots!” and so it seems appropriate to have a robot hosting the chat.

In a first, #HIMSS17 has a #makerspace (Booth 7785), in the HIMSS17 Innovation Zone. It has robots! They are rudimentary, but educational and fun. One of those robots is @MrRIMP, for Robot-In-My-Pocket. Here is an YouTube interview with @MrRIMP. As you can tell, little Mr. R. has a bit of an attitude. He also wrote the questions below and will moderate tweets about them during the #HITsm tweetchat.

From the recent “How medical robots will change healthcare” (@PeterBNichol), there are three main areas of robotic health:

1. Direct patient care robots: surgical robots (used for performing clinical procedures), exoskeletons (for bionic extensions of self like the Ekso suit), and prosthetics (replacing lost limbs).  Over 500 people a day loses a limb in America with 2 million Americans living with limb loss according to the CDC.

2. Indirect patient care robots: pharmacy robots (streamlining automation, autonomous robots for inventory control reducing labor costs), delivery robots (providing medical goods throughout a hospital autonomously), and disinfection robots (interacting with people with known infectious diseases such as healthcare-associated infections or HAIs).

3. Home healthcare robots: robotic telepresence solutions (addressing the aging population with robotic assistance).

Before the #HITsm tweetchat I hope you’ll watch Robot & Frank, about a household robot and an increasingly infirm retiree (86% on Rotten Tomatoes, available on YouTube, Amazon, Itunes, Vudu, and Google for $2.99) I’ll also note a subcategory to the direct care robots: pediatric therapy robots. Consider, for example, New Friends 2016, The Second International Conference on Social Robots in Therapy and Education. I, Mr. RIMP, have a special interest in this area.

Join us as we discuss Healthcare Robots during the February 3rd #HITsm chat. Here are the questions we’ll discuss:

T1: What is your favorite robot movie? Why? How many years in the future would you guess it will take to achieve similar robots? #HITsm

T2: Robots promise to replace a lot of human labor. Cost-wise, humanity-wise, will this be more good than bad, or more bad than good? #HITsm

T3: Have you played with, or observed any “toy” robots. Impressed? Not impressed? Why? #HITsm

T4: IMO, “someday” normal, everyday people will be able design and program their own robots. What kind of robot would you design for healthcare? #HITsm

T5: Robots and workflow? Connections? Think about healthcare robots working *together* with healthcare workers. What are potential implications? #HITsm

Bonus: Isn’t @MrRIMP (Robot-In-My-Pocket) the cutest, funniest, little, robot you’ve ever seen? Any suggestions for the next version (V.4) of me? #HITsm

Here’s a look at the upcoming #HITsm chat schedule:
2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Key Components of #HealthIT Strategy and Disaster Recovery – #HITsm Chat Topic

Posted on January 24, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 1/27 at Noon ET (9 AM PT). This week’s chat will be hosted by Bill Esslinger (@billesslinger) from @FogoDataCenters on the topic of “Key Components of Health IT Strategy and Disaster Recovery“.

Medical records are worth more on the Black Market than credit cards. The value is greater because a medical record contains multiple credentials that can be used by hackers more than once or twice. A medical record contains not only a social security number but additional qualifying information, allowing thieves to penetrate layers of data, and conduct multiple acts of fraud before the data is even missing.

As healthcare organizations embark on the improved use of data sets, from analytics to precision medicine and value based care, Cybersecurity rises to the number one concern for CIO’s.

How secure is your cloud based data strategy?

Consideration must be given to the different models of service

With each delivery model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), comes a new set of requirements and responsibilities. The key considerations for deployment and ongoing data management include on-demand 24/7 access to critical healthcare information, support for big data and small data sets, traceability, HIPAA compliance and a thorough understanding of the healthcare environment from both a security and a legal perspective.

Join us as we discuss Key Components of #HealthIT Strategy and Disaster Recovery during the January 27th #HITsm chat.

T1: How can we prepare for the unexpected in data security? #HITsm

T2: Are we making Cybersecurity a priority in risk management? #HITsm

T3: Is Your Prevention Strategy Scalable for a Ransomware Attack? #HITsm

T4: What are the top threats regarding healthcare data today? #HITsm

T5: What Service Levels are Necessary for Redundancy in Data, Power, Cooling, and Connectivity? #HITsm

Bonus: Do you worry about the security of your health information? Why or why not? #HITsm

About Fogo Data Centers
Fogo Data Centers are SSAE16, SOCII, and HIPAA compliant as well as PCI compliant. Each site provides redundancies across all support systems. Our centers of excellence provide flexible and scalable solutions to protect your critical data and applications. Colocation at a Fogo Data Centers can ease the cost of building your own facility and maintaining your own on-site dedicated servers. Properties feature full perimeter fencing with an electric gate requiring keycard access and audio/video check-in.

Our hashtag is #KnowYourCloud. We stand ready 24/7, with years of experience, integrity and legal know-how, to protect data and securely manage your cloud strategy. In the event of a disaster or incident the Fogo team can have your facility back-up and running within hours. Call us today or take a look at our facility page to learn more.

Here’s a look at the upcoming #HITsm chat schedule:

2/3 – Healthcare Robots!
Hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo)

2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Kill Passwords

Posted on January 13, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One time I was attending the crazy SXSW conference in Austin. As part of the event, there was a startup company from Las Vegas (where I live) that had a small tower in the big Vegas Tech booth. Their startup was a method to use your phone as your password and a few other password related things. I’m not sure how they came up with this idea, but half way through the conference they switched their monitor which previously had their logo on it to just say “Kill Passwords” in big black letters with a white background. It was amazing how much traffic they drove to their small table because of that simple digital signage.

While this is a story in marketing that’s worthy of the Healthcare IT Marketing and PR Conference which I host, it also illustrated how much we hate passwords. Turns out that this is a universal truth, but it’s particularly poignant in healthcare because of absurd password policies that many healthcare organizations put in place in the name of security (even if many of the choices they make don’t actually improve security).

Doctors password frustration was illustrated well in the latest ZDoggMD video “Doc Vader on The Password Menace.” Check it out below:

I felt it was appropriate to use ZDoggMD’s latest video in today’s Fun Friday post, but I do it with some sadness. A couple days ago, ZDoggMD announced that his Turntable Health clinic in Las Vegas was shutting down. As a Vegas resident and former member of Turntable Health, I was sorry to see this happen. No doubt this is not the end for ZDoggMD. In fact, for those that are fans of his video and his message, I think this will give him more time to evangelize and inspire. So, that’s a good thing. Healthcare can use a shakeup that points out the challenges we face with a little lot of humor. Thanks ZDoggMD for all you do.

Now, I agree that passwords are a pain. Although, I think we’ve all learned to deal with them. I do look forward to the day when passwords will no longer exist in their current form. I’m not sure what it will look like, but it will be a welcome day!

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Thing Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

Don’t Worry About HIPAA – When Your License Is At-Risk!

Posted on October 24, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
medical-license-revoked
Not long ago I was at an ambulance service for a HIPAA project when one of their paramedics asked what the odds were that his employer would get a HIPAA fine if he talked about one of his patients. I replied that the odds of a HIPAA penalty were very slim compared to him losing his state-issued paramedic license, that would cost him his job and his career. He could also be sued. He had never thought of these risks.

Doctors, dentists, lawyers, accountants, psychologists, nurses, EMT’s, paramedics, social workers, mental health counselors, and pharmacists, are just some of the professions that have to abide by confidentiality requirements to keep their licenses.

License and ethical requirements have required patient and client confidentiality long before HIPAA and other confidentiality laws went into effect.  HIPAA became effective in 2003, 26 years after I became a New York State certified Emergency Medical Technician (EMT). Way back in 1977, the very first EMT class I took talked about my responsibility to keep patient information confidential, or I would risk losing my certification.

While licensed professionals may not talk about an individual patient or client, weak cybersecurity controls could cause a breach of ALL of their patient and client information – instantly.
health-data-encryption
Most certified and licensed professionals will agree that they are careful not to talk about patients and clients, but how well do they secure their data? Are their laptops encrypted? Are security patches and updates current? Do they have a business-class firewall protecting their network? Do they have IT security professionals managing their technology?
psychologist-loses-license-prostitute-takes-laptop
Lawyers have been sanctioned for breaching confidentiality. Therapists have lost their licenses. In one well-publicized case a psychologist lost his license when a prostitute stole his laptop. In rare cases a confidentiality breach will result in a jail sentence, along with the loss of a license.

Cyber Security Ethics Requirements
Lawyers are bound by ethical rules that apply to confidentiality and competence. The competence requirements typically restrict lawyers from taking cases in unfamiliar areas of the law. However, The American Bar Association has published model guidance that attorneys not competent in the area of cyber security must hire professionals to help them secure their data.

The State Bar of North Dakota adopted technology amendments to its ethics rules in early 2016. The State Bar of Wisconsin has published a guide entitled Cybersecurity and SCR Rules of Professional Conduct. In 2014, The New York State Bar Association adopted Social Media Ethics Guidelines. Lawyers violating these ethical requirements can be sanctioned or disbarred.

A State Bar of Arizona ethics opinion said “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

Some licensed professionals argue that their ethical and industry requirements mean they don’t have to comply with other requirements. Ethical obligations do not trump federal and state laws. Lawyers defending health care providers in malpractice cases are HIPAA Business Associates. Doctors that have to comply with HIPAA also must adhere to state data breach laws. Psychiatric counselors, substance abuse therapists, pharmacists, and HIV treatment providers have to comply with multiple federal and state confidentiality laws in addition to their license requirements.

There are some exemptions from confidentiality laws and license requirements when it comes to reporting child abuse, notifying law enforcement when a patient becomes a threat, and in some court proceedings.

While the odds of a federal penalty for a confidentiality breach are pretty slim, it is much more likely that someone will complain to your licensing board and kill your career. Don’t take the chance after all you have gone through to earn your license.

About Mike Semel
mike-semel-ambulance
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

States Strengthen Data Breach Laws & Regulations

Posted on October 18, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

If your cyber security and compliance program is focused on just one regulation, like HIPAA or banking laws, many steps you are taking are probably wrong.

Since 2015 a number of states have amended their data breach laws which can affect ALL BUSINESSES, even those out of state, that store information about their residents. The changes address issues identified in breach investigations, and public displeasure with the increasing number of data breaches that can result in identity theft.

Forty-seven states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, protect personally identifiable information, that includes a person’s name plus their Driver’s License number, Social Security Number, and the access information for bank and credit card accounts.

Many organizations mistakenly focus only on the data in their main business application, like an Electronic Health Record system or other database they use for patients or clients. They ignore the fact that e-mails, reports, letters, spreadsheets, scanned images, and other loose documents contain data that is also protected by laws and regulations. These documents can be anywhere – on servers, local PC’s, portable laptops, tablets, mobile phones, thumb drives, CDs and DVDs, or somewhere up in the Cloud.

Some businesses also mistakenly believe that moving data to the cloud means that they do not have to have a secure office network. This is a fallacy because your cloud can be accessed by hackers if they can compromise the local devices you use to get to the cloud. In most cases there is local data even though the main business applications are in the cloud. Local computers should have business-class operating systems, with encryption, endpoint protection software, current security patches and updates, and strong physical security. Local networks need business-class firewalls with active intrusion prevention.

States are strengthening their breach laws to make up for weaknesses in HIPAA and other federal regulations. Between a state and federal law, whichever requirement is better for the consumer is what those storing data on that state’s residents (including out of state companies) must follow.

Some states have added to the types of information protected by their data breach reporting laws. Many states give their residents the right to sue organizations for not providing adequate cyber security protection. Many states have instituted faster reporting requirements than federal laws, meaning that incident management plans that are based on federal requirements may mean you will miss a shorter state reporting deadline.

In 2014, California began requiring mandatory free identity theft prevention services even when harm cannot be proven. This year Connecticut adopted a similar standard. Tennessee eliminated the encryption safe harbor, meaning that the loss of encrypted data must be reported. Nebraska eliminated the encryption safe harbor if the encryption keys might have been compromised. Illinois is adding medical records to its list of protected information.

Massachusetts requires every business to implement a comprehensive data protection program including a written plan. Texas requires that all businesses that have medical information (not just health care providers and health plans) implement a staff training program.

REGULATIONS

Laws are not the only regulations that can affect businesses.

The New York State Department of Financial Services has proposed that “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” comply with new cyber security regulations. This includes banks, insurance companies, investment houses, charities, and even covers organizations like car dealers and mortgage companies who handle consumer financial information.

The new rule will require:

  • A risk analysis
  • An annual penetration test and quarterly vulnerability assessments
  • Implementation of a cyber event detection system
  • appointing a Chief Information Security Officer (and maintaining compliance responsibility if outsourcing the function)
  • System logging and event management
  • A comprehensive security program including policies, procedures, and evidence of compliance

Any organization connected to the Texas Department of Health & Human Services must agree to its Data Use Agreement, which requires that a suspected breach of some of its information be reported within ONE HOUR of discovery.

MEDICAL RECORDS

People often assume that their medical records are protected by HIPAA wherever they are, and are surprised to find out this is not the case. HIPAA only covers organizations that bill electronically for health care services, validate coverage, or act as health plans (which also includes companies that self-fund their health plans).

  • Doctors that only accept cash do not have to comply with HIPAA.
  • Companies like fitness centers and massage therapists collect your medical information but are not covered by HIPAA because they do not bill health plans.
  • Health information in employment records are exempt from HIPAA, like letters from doctors excusing an employee after an injury or illness.
  • Workers Compensation records are exempt from HIPAA.

Some states protect medical information with every entity that may store it. This means that every business must protect medical information it stores, and must report it if it is lost, stolen, or accessed by an unauthorized person.

  • Arkansas
  • California
  • Connecticut
  • Florida
  • Illinois (beginning January 1, 2017)
  • Massachusetts
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • North Dakota
  • Oregon
  • Puerto Rico
  • Rhode Island
  • Texas
  • Virginia
  • Wyoming

Most organizations are not aware that they are governed by so many laws and regulations. They don’t realize that information about their employees and other workforce members are covered. Charities don’t realize the risks they have protecting donor information, or the impact on donations a breach can cause when it becomes public.

We have worked with many healthcare and financial organizations, as well as charities and general businesses, to build cyber security programs that comply with federal and state laws, industry regulations, contractual obligations, and insurance policy requirements. We have been certified in our compliance with the federal NIST Cyber Security Framework (CSF) and have helped others adopt this security framework, that is gaining rapid acceptance.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

HIPAA Cloud Bursts: New Guidance Proves Cloud Services Are Business Associates

Posted on October 10, 2016 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.
hipaa-cloud
It’s over. New guidance from the federal Office for Civil Rights (OCR) confirms that cloud services that store patient information must comply with HIPAA.

Many cloud services and data centers have denied their obligations by claiming they are not HIPAA Business Associates because:

  1. They have no access to their customer’s electronic Protected Health Information (ePHI),
  2. Their customer’s ePHI is encrypted and they don’t have the encryption key,
  3. They never look at their customer’s ePHI,
  4. Their customers manage the access to their own ePHI in the cloud,
  5. Their terms and conditions prohibit the storage of ePHI, and
  6. They only store ePHI ‘temporarily’ and therefore must be exempt as a ‘conduit.’

Each of these excuses has been debunked in HIPAA Cloud Guidance released on October 7, 2016, by the Office for Civil Rights.

The new guidance clearly explains that any cloud vendor that stores ePHI must:

  1. Sign a HIPAA Business Associate Agreement,
  2. Conduct a HIPAA Security Risk Analysis,
  3. Comply with the HIPAA Privacy Rule,
  4. Implement HIPAA Security Rule safeguards the ePHI to ensure its confidentiality, integrity, and availability.
  5. Comply with the HIPAA Breach Reporting Rule by reporting any breaches of ePHI to its customers, and be directly liable for breaches it has caused.

The OCR provides examples of cloud services where clients manage access to their stored data. It discusses how a client can manage its users’ access to the stored data, while the cloud service manages the security of the technical infrastructure. Each needs to have a risk analysis that relates to its share of the responsibilities.
access-denied-phi
OCR also recently published guidance that cloud services cannot block or terminate a client’s access to ePHI, for example, if they are in a dispute with their customer or the customer hasn’t paid its bill.

As we have been saying for years, the 2013 HIPAA Omnibus Final Rule expanded the definition of HIPAA Business Associates to include anyone outside a HIPAA Covered Entity’s workforce that “creates, receives, maintains, or transmits PHI” on behalf of the Covered Entity. It defines subcontractors as anyone outside of a Business Associate’s workforce that “creates, receives, maintains, or transmits PHI on behalf of another Business Associate.”

‘Maintains’ means storing ePHI, and does not distinguish whether the ePHI is encrypted, whether the Business Associate looks at the ePHI, or even if its staff has physical access to the devices housing the ePHI (like servers stored in locked cabinets in a data center.)
hipaa-fines-payment
A small medical clinic was fined $100,000 for using a free cloud mail service to communicate ePHI, and for using a free online calendar to schedule patient visits. Recently the OCR issued a $2.7 million penalty against Oregon Health & Science University (OHSU) partly for storing ePHI with a cloud service in the absence of a Business Associate Agreement.

“OHSU should have addressed the lack of a Business Associate Agreement before allowing a vendor to store ePHI,” said OCR Director Jocelyn Samuels.  “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

So what does this mean to you?

If you are Covered Entity or a Business Associate…

  • A common myth is that all ePHI is in a structured system like an Electronic Health Record system. This is wrong because ePHI includes anything that identifies a patient, nursing home resident, or health plan member that is identifiable (many more identifiers than just a name) and relates to the treatment, diagnosis, or payment for health care.

    EPHI can be in many forms. It does not have to be in a formal system like an Electronic Health Record (EHR) system, but can be contained in an e-mail, document, spreadsheet, scanned or faxed image, medical images, photographs, and even voice files, like a patient leaving a message in your computerized phone system requesting a prescription refill. During our risk analyses we find ePHI everywhere- on servers, local devices, portable media, mobile devices, and on cloud services. Our clients are usually shocked when we show them where their ePHI is hiding.

  • Never store ePHI in any cloud service without first knowing that the service is compliant with HIPAA and will sign a HIPAA Business Associate Agreement.

    This automatically disqualifies:

    • The free texting that came with your cellular phone service;
    • Free e-mail services like Gmail, Yahoo!, Hotmail, etc.;
    • Free e-mail from your Internet service provider like Cox, Comcast, Time Warner, Charter, CenturyLink, Verizon, Frontier, etc.;
    • Free file sharing services from DropBox, Box.com, Google Drive, etc.
    • Consumer-grade online backup services.

hacked-healthcare

  • Another common myth is that if data is stored in the cloud that you don’t have to secure your local devices. This is wrong because if someone can compromise a local device they can gain access to your data in the cloud. Be sure the mobile devices and local devices you use to access the cloud are properly protected, including those on your office network, and at users’ homes. This means that all mobile devices like phones and tablets; PCs; and laptops should be secured to prevent unauthorized access. All devices should be constantly updated with security patches, and anti-virus/anti-malware software should be installed and current. If ePHI is stored on a local network, it must be a domain with logging turned on, and logs retained for six years.
  • Use an e-mail service that complies with HIPAA. Microsoft Office 365 and similar business-class services advertise that they provide secure communications and will sign a HIPAA Business Associate Agreement.
  • You may be using a vendor to remotely filter your e-mail before it arrives in your e‑mail system. These services often retain a copy of each message so it can be accessed in the event your mail server goes down. Make sure your spam filtering service secures your messages and will sign a HIPAA Business Associate Agreement.

mobile-device-security-in-healthcare

  • Never send or text ePHI, even encrypted, to a caregiver or business associate at one of the free e-mail services.
  • Never use the free texting that came with your cell service to communicate with patients and other caregivers.
  • If you have sent text messages, e-mails, or stored documents containing ePHI using an unapproved service, delete those messages now, and talk with your compliance officer.
  • Review your HIPAA compliance program, to ensure it really meets all of HIPAA’s requirements under the Privacy, Security, and Data Breach Reporting rules. There are 176 auditable HIPAA items. You may also need to comply with other federal and state laws, plus contractual and insurance requirements.

If you are a cloud service, data center, or IT Managed Service Provider …

  • If you have been denying that you are a HIPAA Business Associate, read the new guidance document and re-evaluate your decisions.
  • If you do sign HIPAA Business Associate Agreements, you need to review your internal HIPAA compliance program to ensure that it meets all of the additional requirements in the HIPAA Privacy, Security, and Data Breach Reporting rules.
  • Also become familiar with state regulations that protect personally identifiable information, including driver’s license numbers, Social Security numbers, credit card and banking information. Know which states include protection of medical information, which will require breach reporting to the state attorney general in addition to the federal government. Know what states have more stringent reporting timeframes than HIPAA. You may have to deal with a large number of states with varying laws, depending on the data you house for customers.

hipaa-terms-and-conditions

  • Make sure your Service Level Agreements and Terms & Conditions are not in conflict with the new guidance about blocking access to ePHI. Compare your policies for non-payment with the new guidance prohibiting locking out access to ePHI.
  • Make sure your Service Level Agreements and Terms & Conditions include how you will handle a breach caused by your clients when they are using your service. Everyone should know what will happen, and who pays, if you get dragged into a client’s data breach investigation.
  • Make sure all of your subcontractors, and their subcontractors, comply with HIPAA. This includes the data centers you use to house and/or manage your infrastructure, programmers, help desk services, and backup vendors.
  • Learn about HIPAA. We see many cloud vendors that promote their HIPAA compliance but can seldom answer even the most basic questions about the compliance requirements. Some believe they are compliant because they sign Business Associate Agreements. That is just the first step in a complex process to properly secure data and comply with the multiple regulations that affect you. We have helped many cloud services build compliance programs that protected them against significant financial risks.
  • If you have administrative access to your client’s networks that contain ePHI, you are a Business Associate. Even if your clients have not signed, or refused to sign, Business Associate Agreements, you are still a Business Associate and must follow all of the HIPAA rules.
  • If you are reselling hosting services, co-location services, cloud storage, file sharing, online backup, Office 365/hosted Exchange, e-mail encryption, or spam filtering, you need to make sure your vendors are all compliant with HIPAA and that they will sign a Business Associate Agreement with you.
  • Look at all the services your regulated clients need. Include in your project and managed service proposals clear links between your clients’ needs and your services. For example, when installing replacement equipment, describe in detail the steps you will take to properly wipe and dispose of devices being replaced that have stored any ePHI. Link your managed services to your client’s needs and include reports that directly tie to your clients’ HIPAA requirements.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

What Would a Patient-Centered Security Program Look Like? (Part 2 of 2)

Posted on August 30, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous part of this article laid down a basic premise that the purpose of security is to protect people, not computer systems or data. Let’s continue our exploration of internal threats.

Security Starts at Home

Before we talk about firewalls and anomaly detection for breaches, let’s ask why hospitals, pharmacies, insurers, and others can spread the data from health care records on their own by selling this data (supposedly de-identified) to all manner of third parties, without patient consent or any benefit to the patient.

This is a policy issue that calls for involvement by a wide range of actors throughout society, of course. Policy-makers have apparently already decided that it is socially beneficial–or at least the most feasible course economically–for clinicians to share data with partners helping them with treatment, operations, or payment. There are even rules now requiring those partners to protect the data. Policy-makers have further decided that de-identified data sharing is beneficial to help researchers and even companies using it to sell more treatments. What no one admits is that de-identification lies on a slope–it is not an all-or-nothing guarantee of privacy. The more widely patient data is shared, the more risk there is that someone will break the protections, and that someone’s motivation will change from relatively benign goals such as marketing to something hostile to the patient.

Were HIMSS to take a patient-centered approach to privacy, it would also ask how credentials are handed out in health care institutions, and who has the right to view patient data. How do we minimize the chance of a Peeping Tom looking at a neighbor’s record? And what about segmentation of data, so that each clinician can see only what she needs for treatment? Segmentation has been justly criticized as impractical, but observers have been asking for it for years and there’s even an HL7 guide to segmentation. Even so, it hasn’t proceeded past the pilot stage.

Nor does it make sense to talk about security unless we talk about the rights of patients to get all their data. Accuracy is related to security, and this means allowing patients to make corrections. I don’t know what I think would be worse: perfectly secure records that are plain wrong in important places, or incorrect assertions being traded around the Internet.

Patients and the Cloud

HIMSS did not ask respondents whether they stored records at their own facilities or in third-party services. For a while, trust in the cloud seemed to enjoy rapid growth–from 9% in 2012 to 40% in 2013. Another HIMSS survey found that 44% of respondents used the cloud to host clinical applications and data–but that was back in 2014, so the percentage has probably increased since then. (Every survey measures different things, of course.)

But before we investigate clinicians’ use of third parties, we must consider taking patient data out of clinicians’ hands entirely and giving it back to patients. Patients will need security training of their own, under those conditions, and will probably use the cloud to avoid catastrophic data loss. The big advantage they have over clinicians, when it comes to avoiding breaches, is that their data will be less concentrated, making it harder for intruders to grab a million records at one blow. Plenty of companies offer personal health records with some impressive features for sharing and analytics. An open source solution called HEART, described in another article, is in the works.

There’s good reason to believe that data is safer in the cloud than on local, network-connected systems. For instance, many of the complex technologies mentioned by HIMSS (network monitoring, single sign on, intrusion detection, and so on) are major configuration tasks that a cloud provider can give to its clients with a click of a button. More fundamentally, hospital IT staffs are burdened with a large set of tasks, of which security is one of the lowest-priority because it doesn’t generate revenue. In contrast, IT staff at the cloud environment spend gobs of time keeping up to date on security. They may need extra training to understand the particular regulatory requirements of health care, but the basic ways of accessing data are the same in health care as any other industry. Respondents to the HIMSS survey acknowledged that cloud systems had low vulnerability (p. 6).

There won’t be any more questions about encryption once patients have their data. When physicians want to see it, they will have to so over an encrypted path. Even Edward Snowden unreservedly boasted, “Encryption works.”

Security is a way of behaving, not a set of technologies. That fundamental attitude was not addressed by the HIMSS survey, and might not be available through any survey. HIMSS treated security as a routine corporate function, not as a patient right. We might ask the health care field different questions if we returned to the basic goal of all this security, which is the dignity and safety of the patient.

We all know the health record system is broken, and the dismal state of security is one symptom of that failure. Before we invest large sums to prop up a bad record system, let’s re-evaluate security on the basis of a realistic and respectful understanding of the patients’ rights.

What Would a Patient-Centered Security Program Look Like? (Part 1 of 2)

Posted on August 29, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

HIMSS has just released its 2016 Cybersecurity Survey. I’m not writing this article just to say that the industry-wide situation is pretty bad. In fact, it would be worth hiring a truck with a megaphone to tour the city if the situation was good. What I want to do instead is take a critical look at the priorities as defined by HIMSS, and call for a different industry focus.

We should start off by dispelling notions that there’s anything especially bad about security in the health care industry. Breaches there get a lot of attention because they’re relatively new and because the personal sensitivity of the data strikes home with us. But the financial industry, which we all thought understood security, is no better–more than 500 million financial records were stolen during just a 12-month period ending in October 2014. Retailers are frequently breached. And what about one of the government institutions most tasked with maintaining personal data, the Office of Personnel Management?

The HIMSS report certainly appears comprehensive to a traditional security professional. They ask about important things–encryption, multi-factor authentication, intrusion detection, audits–and warn the industry of breaches caused by skimping on such things. But before we spend several billion dollars patching the existing system, let’s step back and ask what our priorities are.

People Come Before Technologies

One hint that HIMSS’s assumptions are skewed comes in the section of the survey that asked its respondents what motivated them to pursue greater security. The top motivation, at 76 percent, was a phishing attack (p. 6). In other words, what they noticed out in the field was not some technical breach but a social engineering attack on their staff. It was hard to interpret the text, but it appeared that the respondents had actually experienced these attacks. If so, it’s a reminder that your own staff is your first line of defense. It doesn’t matter how strong your encryption is if you give away your password.

It’s a long-held tenet of the security field that the most common source of breaches is internal: employees who were malicious themselves, or who mistakenly let intruders in through phishing attacks or other exploits. That’s why (you might notice) I don’t use the term “cybersecurity” in this article, even though it’s part of the title of the HIMSS report.

The security field has standardized ways of training staff to avoid scams. Explain to them the most common vectors of attack. Check that they’re creating strong passwords, where increased computing power is creating an escalating war (and the value of frequent password changes has been challenged). Best yet, use two-factor authentication, which may help you avoid the infuriating burden of passwords. Run mock phishing scams to test your users. Set up regular audits of access to sensitive data–a practice that HIMSS found among only 60% of respondents (p. 3). And give someone the job of actually checking the audit logs.

Why didn’t HIMSS ask about most of these practices? It began the project with a technology focus instead a human focus. We’ll take the reverse approach in the second part of this article.