
HIPAA Security and Audits with Mac McMillan

In case you missed the recent HIPAA Privacy and Security hangout I did with Mac McMillan, CEO of Cynergistek, you’re missing out. I think this HIPAA interview is an extension of what we started in our post “6 Reality Checks of HIPAA Compliance.” There’s a real awakening that’s needed when it comes to HIPAA. I love in this hangout when Mac says that the patience in Washington for those that aren’t HIPAA compliant is running low. An example of that is another topic we discuss: HIPAA audits. The first round of HIPAA audits was more of a barometer of what was happening. The next round will likely be much more damaging.

Watch the entire HIPAA interview with Mac McMillan to learn even more:

May 20, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Six Reality Checks of HIPAA Compliance

Between Windows XP causing HIPAA compliance issues and the risk associated with the risk assessment required by meaningful use, many in healthcare are really waking up to the HIPAA compliance requirements. Certainly there’s always been an overtone of HIPAA compliance in the industry, but it’s one thing to think about HIPAA compliance and another to be HIPAA compliant.

This whitepaper called HIPAA Compliance: 6 Reality Checks is a great wake up call to those that feel they have nothing to worry about when it comes to HIPAA. While many are getting ready, there are still plenty that need a reality check when it comes to HIPAA compliance.

Here’s a look at why everyone could likely benefit from a HIPAA reality check:
(1) Data breaches are a constant threat
(2) OCR audits reveal health care providers are not in compliance
(3) Workforce members pose a significant risk for HIPAA liability
(4) Patients are aware of their right to file a complaint
(5) OCR is increasing its focus on HIPAA enforcement
(6) HIPAA Compliance is not an option, it’s LAW

Obviously, the whitepaper goes into a lot more detail on each of these areas. As I look through the list, what seems clear to me is that HIPAA compliance is a problem. Every organization should ask themselves the following questions:

Are we HIPAA compliant?

What are you doing to mitigate the risk of a breach or HIPAA violation?

When I look at the 6 Reality Checks details in the whitepaper, I realize that everyone could benefit from a harder look at their HIPAA compliance. A little bit of investment now could save a lot of heartache later.

April 23, 2014 | Written By

A CIO Guide to Electronic Mobile Device Policy and Secure Texting

The following is a guest blog post by Cliff McClintick, chief operating officer of Doc Halo. Doc Halo provides secure, HIPAA-compliant secure-texting and messaging solutions to the healthcare industry. He is a former chief information officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics and Meaningful Use. He has more than 20 years of information technology design, management and implementation experience. He has successfully implemented large systems and applications for companies such as Procter and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.
Reach Cliff at cmcclintick@dochalo.com.

One of the many responsibilities of a health care chief information officer is making sure that protected health information stays secure.

The task includes setting policies in areas such as access to the EMR, laptop hard drive encryption, virtual private networks, secure texting and emailing and, of course, mobile electronic devices.

Five years ago, mobile devices hadn’t caught many health care CIOs’ attention. Today, if smartphones and tablets aren’t top of mind, they should be. The Joint Commission, the Centers for Medicare and Medicaid Services and state agencies are scrutinizing how mobile fits into organizations’ security and compliance policies.

Be assured that nearly every clinician in your organization uses a smartphone, and in nearly every case the device contains PHI in the form of email or text messages. That’s not entirely a bad thing: The fact is, smartphones make clinicians more productive and lead to better patient care. Healthcare providers depend on texts to discuss admissions, emergencies, transfers, diagnoses and other patient information with colleagues and staff. But unless proper security steps are being taken, the technology poses serious risks to patient privacy.

For creating a policy on mobile electronic devices, CIOs can choose from three broad approaches:

  • Forbid the use of smartphones in the organization for work purposes. This route includes forbidding email use on the devices. Many companies have tried this approach, but in the end, it’s not a realistic way to do business. You may forbid the use of the technology and even have members of your organization sign “contracts” to that effect. But even for the people who do comply out of fear, the organization sends the message that it’s OK to violate policy as long as no one finds out.
  • Allow smartphones in the organization but not for transmitting PHI. This approach acknowledges the benefits of the technology and provides guidelines and provisions around its use. This type of policy is better than the first option, as the CIO is taking responsibility for the use of the devices and providing some direction. In most cases there will be guidelines regarding message life, password format, password timeout, remote erase for email and other specifics. And while the sending of PHI would not be allowed, protocol and etiquette would be in place for when the issue comes up. Ultimately, though, this approach can be hard to enforce, and the possibility remains that PHI will be sent to a vendor or out-of-IT-network affiliate.
  • Create a mobile device strategy. This option embraces the technology and acknowledges that real-time communication is paramount to the success of the organization. In healthcare, real-time communication can mean the difference between life and death. With this approach the technology is fully secured and can be used efficiently and effectively.

Recent studies have shown that more than 90 percent of physicians own a smartphone. Texting PHI is common and helps clinicians to make better decisions more quickly. But allowing PHI to be transmitted without adequate security can compromise patient trust and lead to government penalties.

Fortunately, healthcare organizations can take advantage of mobile technology’s capacity to improve care while still keeping PHI safe. In a recent survey of currently activated customers of Doc Halo, a secure texting solution provider, 70 percent of respondents using real-time secure communication reported better patient care. Seamless communication integration and a state-of-the-art user experience ensure that the percentage will only rise.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

January 6, 2014 | Written By

Top 5 Tips for HIPAA Compliance

Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. They address some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips is a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer and your staff. As is noted above, more frequent audits and fines are coming.

December 17, 2013 | Written By

Should Patients Care About Their Doctors’ Text Messages?

The following is a guest blog post by Dr. Jose Barreau, CEO of Doc Halo.

For all the money they spend on state-of-the-art EMRs, compliance officers and other measures to ensure they’re protecting their patients’ medical information, many healthcare organizations have a gaping hole in their security.

Physicians and other clinicians are as apt as anyone to send a quick text to a colleague. Maybe an attending physician wants to ask a resident about test results or an office worker needs to pass along a patient’s question.

But standard SMS text messages are not HIPAA compliant. Communicating protected health information in this way could compromise patient privacy and expose your organization to substantial fines.

That’s not to say doctors shouldn’t text. Because of its instantaneous nature, mobile messaging can improve efficiency and quality of care. But healthcare providers should make sure they’re using a secure texting platform.

If you have a non-HIPAA-compliant texting habit, you’re in good company. In research last year, nearly 60 percent of physicians at children’s hospitals said they sent or received text messages for work.

It’s easy to view text messages as “off the record.” Chances are they aren’t going into an EMR, and there’s a sense that no one but the sender and recipient will see them.

But when you fire off a text, you don’t know where it will end up. Some of these text messages contain sensitive details of diagnosis and treatment that have been discussed. Also it’s hard to say whose servers the messages might be stored on, or for how long. When patients entrust healthcare providers to care for them, they expect their data to be cared for, too.

The Department of Health and Human Services certainly knows about the problem. Last year the agency told an Arizona physicians practice to address the issue in a risk-management plan. The group “must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”

Healthcare providers can text about their patients without violating HIPAA — but only with secure messaging technology. Here are features to look for in a healthcare texting solution:

  • Encryption at all levels — database, transmission and on the app — with federally validated standards
  • Tracking of whether messages have been delivered, with repeated ping of the user
  • A secure private server that is backed up
  • Remote mobile app wipe option if a phone is lost or stolen
  • Automatic logout with inactivity
  • Ability to work on all spectrums of cell data and Wi-Fi for broad coverage
  • Limited data life — for example, 30 days — for messages

Patients benefit when their healthcare providers have quick and secure ways to stay in touch. A secure text messaging platform can help you to provide better care while avoiding HIPAA violations.

Doc Halo, a leading secure physician communication application, is a proud sponsor of the Healthcare Scene Blog Network.

November 25, 2013 | Written By

Model Notice of Privacy Practices (NPP) Released by OCR and ONC

The HIPAA Omnibus Rule compliance date is on Monday. Are you ready?

I’m sure the answer for most organizations is NO!

In fact, the real question that I hear most organizations asking is what they need to do to be compliant with the new HIPAA omnibus regulations. One of my more popular video interviews was on the subject of HIPAA Omnibus with Rita Bowen from HealthPort. That might be one place to start.

OCR and ONC recently released some model HIPAA Notice of Privacy Practice forms to help with compliance. Why they are just releasing them a week before organizations are supposed to be compliant is a little puzzling to me. Hopefully your organization is well ahead of the game on this, but you could still compare your Notice of Privacy Practices with the model forms they released.

David Harlow from the Health Blawg wrote the following about the model forms:

I was disappointed, however, with one of the examples given in the model NPP:
*You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
*We will say “yes” to all reasonable requests.

Telephone and snail mail are nice, but many patients would prefer to be in contact with their health care providers via text message or email. Both modes of communication are permitted under HIPAA with the patient’s consent (which may be expressed by simply emailing or texting a provider), but if the NPP doesn’t alert patients to that right, then many will never be aware of it.

As I heard voiced at a healthcare billing conference yesterday, “You have to be HIPAA omnibus compliant on Monday. I’m not saying you should spend your whole weekend making sure you’re in compliance. The HIPAA auditors won’t be knocking your door on Monday, but you better become compliant pretty quickly if you’re not already.”

September 20, 2013 | Written By

The HIPAA Final Rule and Staying Compliant in the Cloud

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The HIPAA Omnibus Final Rule went into effect on March 26, 2013. In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” who may be allowed an extension until September 23, 2014.

As healthcare and patient data move to the cloud, HIPAA compliance issues follow. With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often. Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves. Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch? The short answer is no. There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “Business Associates” are HIPAA compliant

- Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”

- Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.

- Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.

- As a business associate they must meet the compliance rules for all privacy and security requirements.

What can you do?

Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.

What happens if you are in violation?

The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 to $50,000 per violation. That gets capped at $1.5 million for multiple violations. The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

- Health care providers, business associates, and subcontractors must have a backup contingency plan.

- Requirements state that it has to include a backup plan for data, a disaster recovery plan, and an emergency mode operations plan.

- The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key.

- The end user/partner is required to encrypt the source data to meet HIPAA compliance.

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

- Physical safeguards need to be implemented to secure the facility, like access controls for the facility.

- Develop procedures to address and respond to security breaches.

- There are an additional 18 technical security standards and 36 implementation specifications as well.

What can you do?

Put a plan in place to protect data from internal and external threats, and limit access to only those that require it.

4. Technical Safeguards

Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required, they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

- Study encryption and decryption of electronically protected health information

- Use AES encryption for data “at rest” in the cloud

- Use strong, and highly protected, encryption key management; this is the most sensitive and difficult piece on this list. Consider using split-key cloud encryption or homomorphic key management

- Transmission of data must be secured: use SSL/TLS or IPSec

- When any data is deleted in the cloud, any mirrored version of the data must be deleted as well

- Limit access to electronically protected health information

- Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information

- Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.
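As an added illustration of the checklist’s “AES at rest” and “split-key” items (example code written for this post, not Porticor’s product or code from the original article): the data key for each record is split into two random shares, the cloud store keeps one share beside the ciphertext, the covered entity keeps the other, and AES-GCM binds the record identifier as associated data so a stored record cannot be quietly re-filed under another patient. The function names and the sample record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is everything the cloud store keeps: nonce, ciphertext and the
// cloud's half of the key. The customer's half never leaves the covered entity.
type StoredRecord struct {
	RecordID   string // authenticated as associated data, not encrypted
	Nonce      []byte
	Ciphertext []byte
	CloudShare []byte
}

// xorBytes returns a XOR b; both inputs must be the same length.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("key shares have different lengths")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// splitKey draws a random 256-bit AES key and a random mask and returns the
// shares (mask, key XOR mask). Either share alone is uniformly random.
func splitKey() ([]byte, []byte, error) {
	buf := make([]byte, 64) // key (32 bytes) followed by mask (32 bytes)
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	cloudShare, err := xorBytes(buf[:32], buf[32:])
	return buf[32:], cloudShare, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals one record under a fresh split key. The first return value
// is the customer's share to keep; the StoredRecord is what goes to the cloud.
func EncryptPHI(recordID string, plaintext []byte) ([]byte, StoredRecord, error) {
	customerShare, cloudShare, err := splitKey()
	if err != nil {
		return nil, StoredRecord{}, err
	}
	key, _ := xorBytes(customerShare, cloudShare) // same length by construction
	aead, err := newGCM(key)
	if err != nil {
		return nil, StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, StoredRecord{}, err
	}
	// Record ID as associated data: the ciphertext cannot be re-filed under another ID.
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return customerShare, StoredRecord{RecordID: recordID, Nonce: nonce, Ciphertext: ct, CloudShare: cloudShare}, nil
}

// DecryptPHI recombines the shares and opens the record. A wrong or missing
// customer share, or any tampering with the stored record, fails GCM authentication.
func DecryptPHI(rec StoredRecord, customerShare []byte) ([]byte, error) {
	key, err := xorBytes(customerShare, rec.CloudShare)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
}

func main() {
	phi := []byte("MRN 000123: glucose 142 mg/dL") // constructed sample, not real PHI
	share, rec, err := EncryptPHI("patient-000123", phi)
	if err != nil {
		panic(err)
	}
	_, errCloudOnly := DecryptPHI(rec, make([]byte, 32)) // provider's view: no customer share
	got, err := DecryptPHI(rec, share)
	fmt.Println("cloud share alone fails:", errCloudOnly != nil,
		"both shares recover record:", err == nil && bytes.Equal(got, phi))
}
```

The same split protects backups and mirrored copies in the checklist’s other items: a copied StoredRecord carries only the cloud share, so copying the provider’s storage does not expose the plaintext.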

5. Administrative Safeguards

For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.” Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.

- Assign a privacy officer for developing and implementing HIPAA policies and procedures

  • Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule

- Implement a set of privacy procedures to meet compliance for four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

- Provide ongoing administrative employee training on Protected Health Information (PHI)

- Implement a procedure and plan for internal HIPAA compliance audits

What can you do?

Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements. Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy. Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.

Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

September 3, 2013 | Written By

Amazon AWS Will Sign HIPAA Business Associate Agreement

Thanks to Ian Eslick for catching this piece of news. This is really big news, because there were a lot of companies and organizations that were building healthcare applications on the back of Amazon AWS. I’m glad that Amazon has finally put together a policy related to HIPAA.

Here’s their new section describing their compliance with HIPAA:

AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information and AWS will be signing business associate agreements with such customers. AWS also offers a HIPAA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance. For more information on the AWS HIPAA compliance program please contact AWS Sales and Business Development.

Obviously the devil is in the details on this. I’ll reach out to one of my HIPAA lawyer friends to see what they think of this. If you’re a healthcare organization or vendor that’s on Amazon AWS, I’d love to hear your thoughts as well. The fact that Amazon is now willing to sign a BAA is really big news and a great step forward for anyone wanting to develop an application covered by HIPAA on Amazon’s AWS.

June 19, 2013 | Written By

Achieve Cybersecurity While Complying with HIPAA Standards

Tony Jeffs, Cisco
The following is a guest post written by Tony Jeffs, Sr. Director, Product Management & Marketing, Global Government Solutions Group at Cisco.

Within the past 24 months, nine out of 10 hospitals in the U.S. have fallen victim to an attack or data breach, according to a recent report from the Ponemon Institute. The landscape of the healthcare IT industry is transforming rapidly due to significant changes in patient information management and today’s evolving threat landscape. Advancements in technology and government regulations have powered an explosive growth in the creation and storage of protected healthcare information (PHI). To prepare for new attacks targeting sensitive patient data, healthcare organizations need to recognize the risks of noncompliance and how the deployment of certified, secure, and trusted technologies will help ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) standards.

According to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency, the healthcare industry is already prepared for many types of emergencies and contingencies. However, the same study showed that healthcare organizations are overall still unprepared for most cyber attacks.

The report highlighted that cybersecurity “was the single core capability where states had made the least amount of overall progress.” Of the state officials surveyed, merely 42 percent feel they are adequately prepared. The report also showed that in the last six years, less than two-thirds of all companies in the U.S. have sustained cyberattacks. From 2006 to 2010, the number of reported attacks in the U.S. rose by 650 percent. During the Aspen Security Forum last year, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, indicated that the U.S. has seen a 17-fold rise in attacks against its infrastructure from 2009 through 2011.

In such an environment, it is a top priority for healthcare organizations to comply with HIPAA standards. Before the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it was understood industry-wide that HIPAA was not strictly enforced. Under HITECH, healthcare providers could be penalized for “willful neglect” if they failed to demonstrate reasonable compliance with the Act. The penalties could be as high as $250,000 with fines for uncorrected violations costing up to $1.5 million.

In certain instances, HIPAA’s civil and criminal penalties now encompass business associates. While a citizen cannot directly sue their healthcare provider, the state attorney general could bring an action on behalf of state residents. In addition, the U.S. Department of Health and Human Services (HHS) is now required to periodically audit covered entities and business associates. This implies that healthcare providers are required to have systems in place to monitor relationships and business practices to guarantee consistent security for all medical data.

If information systems are left vulnerable to attack, providers face significant risks to their business. These targeted attacks in the healthcare industry can come in a variety of forms. In Bakersfield, CA, the Kern Medical Center was attacked by a virus that crippled its computer systems. The hospital took approximately 10 days to bring the doctors and nurses back online. A Chicago hospital was attacked by a piece of malware that forced the hospital’s computers into a botnet controlled by the hacker. A year later, the hospital was still dealing with the attack’s aftermath. Following the theft of a computer tape containing unencrypted personal health information from an employee’s automobile, the DoD faced a multi-billion-dollar lawsuit. The Veterans Administration (VA) fought a two-year battle against intrusions into wireless networks and medical devices, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.

Patients are protected against identity theft if medical information is encrypted and secured. Simultaneously, information must be kept readily available when necessary, such as for emergency personnel. The subsequent benefits are important in order to keep businesses competitive, including better quality of patient care, improved patient outcomes, increased productivity and workflow efficiency, better information at the point of care and improved and integrated communications between doctors and patients.

The Key to HIPAA Compliance

Encryption is the control the HITECH Act leans on. Under the HIPAA Security Rule it is an “addressable” implementation specification, which means a provider that chooses not to encrypt must document why and what equivalent control it uses instead; under the HITECH breach notification rule, data encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit) is treated as “secured,” and its loss does not trigger breach notification. The requirement applies equally on the main service provider’s network and on the networks of its partners, since an unencrypted copy anywhere undoes the protection.

Encryption uses an algorithm and a secret key to turn the contents of a document, file or network message into ciphertext that is meaningless without the key; the intended recipient or system uses the key to decrypt it, and anyone without the key gets nothing useful. How much protection this gives depends on the strength of the algorithm and key size, and just as much on how the key is generated, stored and distributed: a strong cipher whose key sits next to the data it protects, or travels unprotected across the network, protects nothing. Both situations have to be covered, data in motion moving through a network (TLS, VPNs) and data at rest in databases, file systems or other structured storage (full-disk, database or field-level encryption).
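To make the data-at-rest half of that paragraph concrete, here is an added example in Go (not code from the original post or from any vendor it discusses) using the standard library’s AES-256-GCM, an authenticated mode built from the NIST-approved primitives a FIPS module would also expose. It seals a constructed, fictitious patient record for storage, binds the record identifier into the authentication tag so a ciphertext cannot be quietly swapped between records, and shows that a tampered blob, a wrong key or a mismatched record ID is rejected outright instead of yielding corrupted plaintext. The record contents, the record IDs and the in-memory key are all constructed for the example; in a deployment the key would come from a KMS or HSM and never be stored beside the ciphertext, and the plain Go standard library is not itself a FIPS 140-validated module, so a deployment that needs validation would route the same calls through one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record (fictitious, not real PHI): what an EMR might persist.
const sampleRecord = `{"mrn":"000123","name":"Jane Doe","dx":"E11.9"}`

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewDataKey returns a fresh random 256-bit key. Here it lives in memory for
// the demo; in a deployment it would be held in a KMS/HSM (assumption), never
// stored next to the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext for storage. recordID is passed as additional
// authenticated data (AAD): it is not encrypted, but it is covered by the tag,
// so the blob only decrypts under the record it was written for. The random
// 12-byte nonce is prepended; a nonce must never repeat under the same key.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to nonce, so the stored blob is nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the key, nonce, ciphertext,
// tag or recordID fails the authentication check and returns an error rather
// than garbage plaintext.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealRecord(key, "rec-42", []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (12-byte nonce + ciphertext + 16-byte tag)\n", len(blob))

	pt, err := OpenRecord(key, "rec-42", blob)
	fmt.Println("round trip ok:", err == nil && string(pt) == sampleRecord)

	// Flip one ciphertext bit: GCM rejects it instead of returning corrupted PHI.
	tampered := append([]byte(nil), blob...)
	tampered[20] ^= 0x01
	_, err = OpenRecord(key, "rec-42", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Same blob under a different record ID: the AAD binding catches the swap.
	_, err = OpenRecord(key, "rec-43", blob)
	fmt.Println("relabelled blob rejected:", err != nil)

	// Right blob, wrong key: also rejected.
	other, _ := NewDataKey()
	_, err = OpenRecord(other, "rec-42", blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Run it with `go run`; the round trip succeeds and the three negative cases are refused. The point that matters for the HITECH safe harbor is the pairing of a strong approved cipher with a key kept apart from the data: the same AES-256-GCM call with the key stored in the same database row would still “use encryption” and still leave the data exposed to anyone who copies the row. Data in motion is the other half and is handled by TLS (crypto/tls in Go) rather than by encrypting each message by hand.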

To support HIPAA compliance, healthcare providers should use network security products whose cryptography has been independently validated rather than relying on vendor claims. Federal Information Processing Standard (FIPS) 140-2 is the U.S. government standard for cryptographic modules; HHS’s breach guidance points to NIST standards, and federal agencies, including the U.S. Department of Defense (DoD), are required to use FIPS 140-validated modules. A validated module has had its algorithm implementations and key handling tested by an accredited laboratory, which lowers the risk of a subtle implementation flaw without necessarily adding cost. Note what the certificate covers: a specific module version, operated in its FIPS-approved mode. A product that merely bundles a validated library, or runs it outside that mode, does not inherit the validation, and the certificate says nothing about how the product manages keys and access around the module.

The often-quoted “2030” date is not a property of the FIPS 140 certificate itself; it comes from NIST’s key-management guidance (SP 800-57 and SP 800-131A), which rates algorithms and key sizes providing at least 112 bits of security, such as AES-128 or stronger, RSA-2048 and SHA-256, as acceptable through 2030. A validated module using those approved algorithms is therefore on a footing NIST expects to hold for that period, unlike legacy systems built on DES, deprecated 3DES or proprietary ciphers. The validation itself, however, is tied to a specific module version and can be superseded (FIPS 140-3 has replaced FIPS 140-2 for new validations), so a buyer should check the current NIST CMVP listing rather than a claim on a data sheet.

A New Degree of Confidence

Today, closed networks are almost nonexistent; most offices have Internet access at a minimum. As electronic transactions in healthcare increase, including e-prescribing and electronic communication with patients and partners, medical organizations increasingly run open systems, and open systems require encryption to protect the data crossing them.

Any technology provider can assert that its system is secure because it uses “the strongest encryption on the market”; the claim costs nothing to make and is hard for a buyer to check. Given how visible breaches of trust have become, organizations have little reason to accept systems whose data encryption does not meet the FIPS 140-2 standard. The argument usually made for validation rests on NIST’s own testing statistics: roughly half of the cryptographic modules submitted to the validation program were found to have security flaws that had to be corrected during testing. That is a statement about implementation defects in code that had not yet been independently tested; it is not a “50 percent chance that the cryptography can be cracked.” A flaw found in testing may be a key-zeroization or self-test error rather than a break of the cipher, and a validated module can still be deployed badly. What validation does buy is evidence that the algorithms are implemented correctly and that the module handles keys as it claims, which lets a healthcare organization reduce that class of risk without a large increase in cost.

March 8, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

BYOD And HIPAA Compliance: Can You Have Both?

Written by:

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to be here to stay. According to a recent KLAS Research report surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to close BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office for Civil Rights (OCR) will be stepping up HIPAA compliance audits, which gives hospitals even less leeway than they would have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work.  But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is if anything a riskier proposition.  For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information.  And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.

December 7, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.