
Risk Assessment and HIPAA Security Compliance Starting Points

If you look at the number one meaningful use audit risk for a healthcare organization, I’m certain you’ll find lack of a proper Risk Assessment at the top of the list. I found this video of Jack Kolk, President of ACR2, talking about the need to do a risk assessment as part of the HITECH EHR incentive money which I’ll embed below.

That’s right, there’s a whole company whose main focus is doing healthcare risk assessments. I think this illustrates a number of things. First, a lot of healthcare organizations are outsourcing their risk assessment. This is likely a good plan for most large organizations, since they often don’t have the time or expertise to do it well in house. Second, I believe it also illustrates that doing the risk assessment is not a simple task. There’s a lot that goes into doing a proper risk assessment.

I must admit that I was also intrigued by ACR2’s cloud-based risk assessment platform. Far too often a risk assessment consists of huge stacks of paper that get shuffled around the office. There’s a certain irony in an audit of IT happening on stacks of paper. It just makes sense to do the risk assessment in the cloud.

Regular readers will probably realize by now that I think the risk assessment is important not only because of the meaningful use audit risk, but also because keeping a patient’s health information secure is the right thing to do.

The reality is that half of you reading this have already done a proper risk assessment or are looking to do one now. The other half have already decided that it’s too much work, so you don’t care to do a full risk assessment. You’d prefer to take the risk of not doing one. You won’t likely admit this in public, but I know this is what goes on in many healthcare organizations.

For this latter group, let me see if I can at least offer a couple of important suggestions on HIPAA security compliance and protecting your health information. If healthcare did only these two things, we’d see a decrease in HIPAA violations.

Disk Encryption – Hospitals have no excuse not to be doing disk encryption on all of their devices. The technology is there, and every hospital IT staff should be able to implement disk encryption in their environment without difficulty. I’m not going to give a pass to ambulatory environments either, but I won’t be surprised if many ambulatory clinics just never knew they should be doing it.

Disk encryption is a relatively simple technology to implement and should have very little effect on your workflow. Every hospital CIO should make this mandatory and implement it immediately if it’s not already implemented. Every ambulatory office even down to the solo practice should find some IT help to implement disk encryption in their environment as well. If your IT support doesn’t know how to do disk encryption (and possibly if they haven’t recommended it previously), then you might want to consider finding new IT support.

Strong Authentication – Generally, organizations do a pretty good job when it comes to strong authentication. I know this is the case because I hear so many people complaining about their hospital’s authentication requirements. Most have some sort of two-factor authentication in place and have implemented strong password policies.

One challenge for hospitals is that they have so many different applications that they manage. This makes it a real challenge to ensure that good password policies and other authentication requirements are met.

Luckily, the tools we have to centrally manage these and other computer security policies are so much better today than they were previously. Plus, most of them integrate with an array of biometric, single sign-on (SSO), digital signature, and other solutions. I’ve been a big fan of the DigitalPersona biometric solution since I first wrote about it years ago. It is really amazing how far they’ve come with their integration in the enterprise healthcare environment and how they can solve many of these issues.

The Real Solution
The most important thing a healthcare organization can do is to integrate HIPAA security and risk assessment into everything they do. Securing health IT and assessing your risk shouldn’t be a one-time event. Instead, a quality healthcare organization will make an institutional decision to make HIPAA security a priority in everything they do. However, the realist in me hopes that every organization will at least start with disk encryption and strong authentication.

This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.

August 9, 2012 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

ePrescribing Controlled Substances Patient Matching Rate

I’ve been wanting to write about ePrescribing controlled substances since 9/13/09. In fact, I even wrote a post about the FDA approving a pilot to do electronic prescribing of controlled substances, which I posted on that day. Turns out, it was a press release that was sent to me prematurely, so I hid it from view.

Well, a couple of weeks ago, the Drug Enforcement Administration (DEA) released its interim final rule on ePrescribing of controlled substances (PDF). John Halamka described some of the most important details of this rule on his blog:

(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
(1) Something only the practitioner knows, such as a password or response to a challenge question.
(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.
(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.
(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.
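To make the "two of the following three factors" requirement concrete, here is an added example (not DEA, Halamka, or any vendor's code) that checks a set of presented factors against the rule as quoted above: two distinct factor categories must be satisfied, a hard token must be a separate device that meets FIPS 140-2 Security Level 1, and a biometric must come from a compliant subsystem. Whether a given token is actually FIPS-validated, or a biometric subsystem actually meets § 1311.116, is assumed to have been established elsewhere and is represented here only as a boolean on each factor.

```python
"""Added example: policy check for the two-of-three-factor rule.

Each Factor records its category (knows / is / has) plus the flags the rule
attaches to that category. evaluate() returns whether the presented factors
satisfy two distinct categories, and a list of reasons for any rejection.
"""

from dataclasses import dataclass

KNOWS, IS, HAS = "knows", "is", "has"  # the three factor categories in the rule


@dataclass(frozen=True)
class Factor:
    category: str                     # KNOWS, IS or HAS
    name: str                         # label used in the reasons list
    separate_device: bool = False     # HAS: token is separate from the signing computer
    fips140_2_level1: bool = False    # HAS: token meets FIPS 140-2 Security Level 1 (assumed pre-verified)
    biometric_compliant: bool = False  # IS: subsystem meets the § 1311.116 requirements (assumed pre-verified)


def evaluate(factors):
    """Return (ok, reasons).

    ok is True only when at least two *distinct* categories are each satisfied
    by a factor that meets its category-specific constraints. Two factors of
    the same category (password + challenge question) count as one.
    """
    reasons = []
    satisfied = set()
    for f in factors:
        if f.category == HAS:
            if not f.separate_device:
                reasons.append(f"{f.name}: hard token must be separate from the computer being accessed")
                continue
            if not f.fips140_2_level1:
                reasons.append(f"{f.name}: hard token must meet FIPS 140-2 Security Level 1")
                continue
        elif f.category == IS:
            if not f.biometric_compliant:
                reasons.append(f"{f.name}: biometric subsystem does not meet § 1311.116")
                continue
        elif f.category != KNOWS:
            reasons.append(f"{f.name}: unknown factor category {f.category!r}")
            continue
        satisfied.add(f.category)

    if len(satisfied) >= 2:
        return True, reasons
    reasons.append(f"only {len(satisfied)} distinct factor category satisfied: {sorted(satisfied)}")
    return False, reasons


if __name__ == "__main__":
    # Constructed factors for a quick run; names are illustrative only.
    password = Factor(KNOWS, "password")
    otp_token = Factor(HAS, "separate OTP token", separate_device=True, fips140_2_level1=True)
    soft_token = Factor(HAS, "software token on the prescribing PC", fips140_2_level1=True)
    print(evaluate([password, otp_token]))   # accepted: knows + has
    print(evaluate([password, soft_token]))  # rejected: token not a separate device
```

The point the check makes visible is the one organizations most often get wrong: a password plus a security question is still a single factor, and a software token running on the same workstation does not satisfy the "separate from the computer" condition in part (b).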

Halamka also suggests they’ll consider 3 approaches to support strong authentication:
* Fingerprints (Bio-Key software?)
* Hard Tokens (such as those provided by RSA)
* Cell Phones (As Gemalto talked about in this video)

I also recently heard someone tell me that the banking industry has a 6 percent failure rate for matching people. It’s hard for me to believe that it’s that high and that the banking industry is willing to deal with that type of failure rate. Of course, that’s not good enough for controlled substances. So, they’re going to have to find some way to lower the patient matching failure rate. Although, I wonder what the failure rate is with the current model. It seems like electronic prescribing shouldn’t make it any worse than it currently is.

April 7, 2010 | Written By


Biometric Authentication Using Typing Behavior

I’ve been pretty outspoken about my love for biometrics in healthcare. In particular, I couldn’t imagine my computer without facial recognition, but I’ve also enjoyed playing around with biometric fingerprint readers and proximity readers too. Sorry, no retina scans yet. Anyone willing to send me one?

Today I came across a new biometric authentication method that recognizes a person’s typing behavior. TechCrunch described it as follows:

It’s a Flash-based interface that compares your typing style against a list of known styles and logs you in based on your individual typing fingerprint. To enroll you simply type a sentence nine times and then the system senses the pauses, mistakes, and speed of your hunting and pecking. Obviously, this doesn’t work if you have a broken hand or, presumably, you’re under duress so it’s fairly hard to crack a system using physical coercion. A cool way to add biometrics to web-based forms.
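The description above is the whole of what the page says about how the product works, so the following is an added example of the general technique it implies (keystroke dynamics), not the product's own code. It enrols a user from nine typings of a sentence by recording the interval between successive keystrokes, builds a template of per-position mean and spread, and scores a later attempt by its average distance from that template in units of the enrolled spread. The interval data, the minimum-spread floor and the acceptance threshold are all constructed for illustration; a real deployment would tune the threshold from measured false-accept and false-reject rates.

```python
"""Added example: toy keystroke-dynamics enrolment and verification.

Input for one typing of the sentence is the list of inter-key intervals in
milliseconds. Nine such samples form the template; a probe is accepted when
its mean per-position z-distance from the template is below a threshold.
All numbers here are constructed, not measured.
"""

from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0      # assumed floor so one very regular key does not dominate the score
ACCEPT_THRESHOLD = 2.0   # assumed tuning value: mean z-distance at or above this is rejected


def build_template(samples):
    """samples: list of equal-length interval lists from the enrolment typings.

    Returns a list of (mean_ms, spread_ms) per keystroke position.
    """
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrolment samples must have the same number of intervals")
    columns = list(zip(*samples))
    return [(mean(c), max(pstdev(c), MIN_SPREAD_MS)) for c in columns]


def score(template, probe):
    """Mean per-position z-distance of the probe from the template.

    Returns None when the probe has a different number of intervals, which is
    what a mistyped (or corrected) sentence produces; such a probe is rejected
    rather than force-fitted.
    """
    if len(probe) != len(template):
        return None
    zs = [abs(x - m) / s for x, (m, s) in zip(probe, template)]
    return sum(zs) / len(zs)


def verify(template, probe, threshold=ACCEPT_THRESHOLD):
    """True when the probe's rhythm is close enough to the enrolled rhythm."""
    s = score(template, probe)
    return s is not None and s < threshold


# Constructed base rhythm for a ten-interval sentence (ms between keystrokes).
BASE_MS = [120, 95, 80, 140, 110, 200, 130, 90, 100, 115]


def constructed_enrolment(n=9):
    """Nine constructed typings: the base rhythm plus small alternating jitter."""
    samples = []
    for k in range(n):
        amp = 4 * ((k % 3) + 1)  # jitter amplitude cycles 4, 8, 12 ms
        samples.append([b + ((-1) ** (i + k)) * amp for i, b in enumerate(BASE_MS)])
    return samples


def demo():
    """Run the three cases a practitioner wants to see: genuine, impostor, mistyped."""
    template = build_template(constructed_enrolment())
    genuine = [b + 4 for b in BASE_MS]                # same rhythm, slight overall drift
    slow_impostor = [int(b * 1.5) for b in BASE_MS]   # same sentence, noticeably slower rhythm
    mistyped = BASE_MS[:-1]                           # one keystroke short
    return {
        "genuine": verify(template, genuine),
        "impostor": verify(template, slow_impostor),
        "mistyped": verify(template, mistyped),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two design points matter more than the arithmetic. First, a length mismatch is treated as a rejection rather than padded or trimmed, because a different keystroke count means the probe is not the enrolled sentence. Second, the spread floor keeps a single unusually consistent position from turning a tiny timing difference into a huge distance, which is what drives false rejections on a real keyboard.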

They have a test on their site, but the registration process seemed a bit onerous. Haven’t they realized that the first key to a website is to let me test the product with no registration, and then let me register once I like it? Maybe if I have some free time later I’ll register and try it out.

I wonder if something like this could merge with the OpenID movement and become one more method of authenticating yourself to an OpenID-enabled site. Could be pretty interesting, I think.

March 5, 2008 | Written By
