
Why HIPAA isn’t Enough to Keep Patient Data Secure

Posted on March 21, 2014 | Written By

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge of effectively monitoring and prioritizing security alerts is made harder by the changing threat landscape. Unlike the visible incursions of the past, new attacks employ low-and-slow strategies. Attackers are often able to systematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate other critical IT assets.

Hackers are using multiple attack vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination.

Insiders pose a significant risk for healthcare organizations. Examples of insider threats include employees who inappropriately access medical records, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity because insiders already hold legitimate privileges that an external attacker would have to obtain. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is also observed saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high-priority alert.

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours, and neither should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operation Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.
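The insider scenario above (a VIP record access that is quiet on its own but, combined with removable-media writes and unusual outbound email, should become a high-priority alert) and the multi-vector correlation, asset modeling and user profiling mentioned here can be shown in a small piece of detection logic. The following is an added example written for this post, not code from the author or from Proficio; the log format, user names, patient IDs, scoring weights, baselines and thresholds are all constructed for illustration.

```python
"""
Added example (not from the original post): a toy multi-source correlation
that scores each user's activity inside a sliding time window, so that a
single low-severity event stays quiet while a chain of events from several
sources escalates. Every value below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, "source|timestamp|user|detail". In a real SIEM
# these would be normalized from the EHR audit log, an endpoint agent and
# the mail gateway rather than typed in by hand.
SAMPLE_LOG = """\
ehr|2014-03-20T09:02:11|jdoe|access patient=P-1001
ehr|2014-03-20T09:05:43|jdoe|access patient=P-2002
usb|2014-03-20T09:20:10|jdoe|write device=REMOVABLE-01 files=37
mail|2014-03-20T09:41:00|jdoe|sent external=1 attachments=4 bytes=22000000
ehr|2014-03-20T10:12:00|asmith|access patient=P-3003
mail|2014-03-20T10:30:00|asmith|sent external=1 attachments=1 bytes=120000
ehr|2014-03-20T11:00:00|bwong|access patient=P-2002
"""

# Asset model (hypothetical): records flagged as high sensitivity, e.g. VIPs,
# where any access carries more weight than a routine chart lookup.
VIP_PATIENTS = {"P-2002"}

# User profile (hypothetical baseline): the largest outbound message each
# user normally sends; anything above it counts as unusual email activity.
BASELINE_MAIL_BYTES = {"jdoe": 500_000, "asmith": 2_000_000}
DEFAULT_BASELINE = 1_000_000

CORRELATION_WINDOW = timedelta(hours=1)
HIGH_PRIORITY = 70      # illustrative thresholds on the summed score
MEDIUM_PRIORITY = 40


def parse_event(line):
    """Turn one pipe-delimited log line into a dict of fields."""
    source, ts, user, detail = line.strip().split("|", 3)
    parts = detail.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {"source": source, "ts": datetime.fromisoformat(ts),
            "user": user, "action": parts[0], **fields}


def score_event(ev):
    """Return (points, reason) for a single event. Weights are illustrative."""
    if ev["source"] == "ehr":
        if ev.get("patient") in VIP_PATIENTS:
            return 30, f"access to sensitive record {ev['patient']}"
        return 5, f"access to record {ev['patient']}"
    if ev["source"] == "usb":
        return 25, f"{ev.get('files', '?')} files written to removable media"
    if ev["source"] == "mail":
        baseline = BASELINE_MAIL_BYTES.get(ev["user"], DEFAULT_BASELINE)
        if ev.get("external") == "1" and int(ev.get("bytes", 0)) > baseline:
            return 30, f"outbound mail of {ev['bytes']} bytes exceeds baseline {baseline}"
        return 5, "outbound mail within baseline"
    return 0, "unknown source"


def correlate(log_text, window=CORRELATION_WINDOW):
    """Group events per user, slide a window over them, and report the
    highest-scoring window for each user as one prioritized alert."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_user[ev["user"]].append(ev)

    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best_score, best_reasons = 0, []
        for i, start in enumerate(events):
            total, reasons, sources = 0, [], set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                pts, why = score_event(ev)
                total += pts
                reasons.append(why)
                sources.add(ev["source"])
            # Multi-vector bonus: three independent sources agreeing is
            # stronger evidence than many events from a single source.
            if len(sources) >= 3:
                total += 20
            if total > best_score:
                best_score, best_reasons = total, reasons
        if best_score >= HIGH_PRIORITY:
            priority = "high"
        elif best_score >= MEDIUM_PRIORITY:
            priority = "medium"
        else:
            priority = "low"
        alerts[user] = {"score": best_score, "priority": priority,
                        "reasons": best_reasons}
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(SAMPLE_LOG).items():
        print(f"{user}: {alert['priority']} ({alert['score']}) - "
              + "; ".join(alert["reasons"]))
```

Run as a script, it reports jdoe as high priority (VIP access, removable-media write and oversized external mail all inside one hour), while bwong's lone access to the same VIP record and asmith's routine activity stay low. The window, weights and thresholds are the parts that need "regular tweaking" as the post puts it; the structure (normalize, score against an asset model and a user baseline, sum within a window, reward agreement across sources) is what a SIEM correlation rule does at scale.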

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.

Top Considerations for Transitioning to ICD-10 – Guest Post

Posted on August 30, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Chuck Podesta is Fletcher Allen Health Care’s chief information officer.

ICD-10 would not be so daunting if the deadline were not occurring during the rush to get EHRs in place for meaningful use. Add in value-based purchasing, bundled payments and transitioning to ACOs, and you can see why many CIOs are retiring early or migrating to the vendor or consulting world. We are just over two years away from the October 2013 deadline, and there is much work to be done. ICD-10 contains 68,000 codes, as opposed to the 13,000 currently used in the ICD-9 world. There is a code for every condition that exists on the planet.

The revenue cycle system, which includes registration, HIM and billing/AR, will be the linchpin of ICD-10 readiness. Having a solid vendor partner and a strong product is key to a successful transition. Many solution providers – like GE Healthcare, who recently launched the 5.0 version of their Centricity Business product – are updating their systems to better comply with ICD-10. GE Healthcare also allows existing Centricity Business customers to retrofit the new ICD-10 functions to the 4.6 version of the product. Strong vendor partners take the burden off you by being ahead of the game and delivering the appropriate technology in time, so you are not racing to the finish line.

By now, you should have at least a steering committee in place. Your IT shop should have completed an inventory of all applications that are impacted by ICD-10, including reporting systems. You will be surprised by the number of applications, even if you have taken the one-vendor approach for most of your IT needs. You will need to contact all affected application vendors to see what the plans are for ICD-10 compliance. Most likely, upgrades will be required that will need to be scheduled.

Training of coders will be critical, along with implementing clinical documentation improvement programs. Documentation improvement programs are difficult to implement and will be viewed by providers as more work on top of an already busy schedule. New technologies such as computer-assisted coding will definitely help, but success will be a combination of process improvements and technology.

Lastly, remember that the deadline is for Medicare and Medicaid patients only. Unless the rest of the payer industry follows the same deadline (highly unlikely), you will need to run both ICD-9 and ICD-10 systems.