
Achieve Cybersecurity While Complying with HIPAA Standards

Written by: Tony Jeffs, Cisco
The following is a guest post written by Tony Jeffs, Sr. Director, Product Management & Marketing, Global Government Solutions Group at Cisco.

Within the past 24 months, nine out of 10 hospitals in the U.S. have fallen victim to an attack or data breach, according to a recent report from the Ponemon Institute. The landscape of the healthcare IT industry is transforming rapidly due to significant changes in patient information management and today’s evolving threat landscape. Advancements in technology and government regulations have powered an explosive growth in the creation and storage of protected healthcare information (PHI). To prepare for new attacks targeting sensitive patient data, healthcare organizations need to recognize the risks of noncompliance and how the deployment of certified, secure, and trusted technologies will help ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) standards.

According to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency, the healthcare industry is already prepared for many types of emergencies and contingencies. However, the same study showed that healthcare organizations are overall still unprepared for most cyber attacks.

The report highlighted that cybersecurity “was the single core capability where states had made the least amount of overall progress.” Of the state officials surveyed, merely 42 percent feel they are adequately prepared. The report also showed that in the last six years, less than two-thirds of all companies in the U.S. have sustained cyberattacks. From 2006 to 2010, the number of reported attacks in the U.S. rose by 650 percent. During the Aspen Security Forum last year, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, indicated that the U.S. has seen a 17-fold rise in attacks against its infrastructure from 2009 through 2011.

In such an environment, it is a top priority for healthcare organizations to comply with HIPAA standards. Before the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it was understood industry-wide that HIPAA was not strictly enforced. Under HITECH, healthcare providers could be penalized for “willful neglect” if they failed to demonstrate reasonable compliance with the Act. The penalties could be as high as $250,000 with fines for uncorrected violations costing up to $1.5 million.

In certain instances, HIPAA’s civil and criminal penalties now encompass business associates. While a citizen cannot directly sue their healthcare provider, the state attorney general could bring an action on behalf of state residents. In addition, the U.S. Department of Health and Human Services (HHS) is now required to periodically audit covered entities and business associates. This implies that healthcare providers are required to have systems in place to monitor relationships and business practices to guarantee consistent security for all medical data.

If information systems are left vulnerable to attack, providers face significant risks to their business. These targeted attacks in the healthcare industry can come in a variety of forms. In Bakersfield, CA, the Kern Medical Center was attacked by a virus that crippled its computer systems. The hospital took approximately 10 days to bring the doctors and nurses back online. A Chicago hospital was attacked by a piece of malware that forced the hospital’s computers into a botnet controlled by the hacker. A year later, the hospital was still dealing with the attack’s aftermath. Following the theft of a computer tape containing unencrypted personal health information from an employee’s automobile, the DoD faced a multi-billion-dollar lawsuit. The Veterans Administration (VA) fought a two-year battle against intrusions into wireless networks and medical devices, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.

Patients are protected against identity theft if medical information is encrypted and secured. Simultaneously, information must be kept readily available when necessary, such as for emergency personnel. The subsequent benefits are important in order to keep businesses competitive, including better quality of patient care, improved patient outcomes, increased productivity and workflow efficiency, better information at the point of care and improved and integrated communications between doctors and patients.

The Key to HIPAA Compliance

In order to meet the HITECH Act requirements, encryption must be used on the main service provider network as well as its associated partner networks. Encryption uses an algorithm to convert the data in a document or file into an unreadable form before it is sent, so that unauthorized personnel cannot read it; the recipient decrypts the data on receipt. Successful use of encryption depends on the strength of the algorithm and on the security of the decryption “key” or process, both when data is in motion (moving through a network) and when it is at rest (in databases, file systems, or other structured storage).

In order to achieve HIPAA compliance, healthcare providers should leverage verified, certified network security products and architectures. Recommended by HHS and mandated by the U.S. Department of Defense (DoD) for encryption, products certified under Federal Information Processing Standard (FIPS) 140-2 safeguard healthcare data with proven security, diminishing risk without increasing costs.

Technologies that are fully FIPS-140 certified provide organizations a level of security that will remain compliant through at least 2030, unlike legacy cryptographic systems.

A New Degree of Confidence

Today, closed networks are almost nonexistent as most offices have Internet access, at the minimum. With the use of electronic transactions increasing in healthcare, including e-prescriptions and electronic communication, many medical organizations use open systems that necessitate the use of encryption technologies.

Technology providers can easily assert that a system is secure by using the highest level of encryption technologies on the market. With the degree of public visibility of breaches of trust, organizations have no reason to risk exposure with technology systems that fail to meet the FIPS 140-2 standard for data encryption. Without this certification, the cryptography function on the network has demonstrated a less than 50 percent chance of being correctly implemented, which also implies there is a 50 percent chance that the cryptography can be cracked. By purchasing solutions with FIPS validation, healthcare organizations achieve a new degree of reassurance that their critical data is secure, allowing them to minimize risk without an increase in costs.

March 8, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

BYOD And HIPAA Compliance: Can You Have Both?


With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office for Civil Rights will be doing stepped-up HIPAA compliance audits, which gives hospitals even less leeway than they would have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work. But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is, if anything, a riskier proposition. For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information. And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.

December 7, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

HIPAA Infographic


Who doesn’t like a good infographic? My favorite part of this HIPAA infographic is the last section where it breaks out the number of healthcare organizations that are being investigated for HIPAA violations and the results of those investigations.

HIPAA Violation Infographic
Infographic authored by Inspired eLearning, a leading provider of online HIPAA compliance training solutions. To view the original post, check out the original HIPAA violation infographic.
September 27, 2012 | Written by John Lynn

A Fun (and Educational) Look at Privacy and Security – Meaningful Use Monday


One of the most common sources of confusion about the meaningful use requirements is the Privacy and Security Risk Analysis measure. As I discussed in a past Meaningful Use Monday post, according to CMS, practices that are HIPAA compliant are likely in pretty good shape on this measure. For those physicians, what’s needed is documentation of the steps that were taken to review HIPAA compliance, the deficiencies identified, and what was done to remediate these exposures. (For more information, see the meaningful use chapter in ONC’s “Guide to Privacy and Security of Health Information.”)

This begs the question, “What exactly is HIPAA compliance?” I recently came upon the “Privacy and Security Training Game” that was created by ONC’s Chief Privacy Officer and couldn’t resist playing. While a lot of the information provided is quite basic for those with expertise in the privacy and security arena, as you progress through the game, the questions become more challenging. It’s definitely a fun way to introduce staff to the issues and increase awareness about the importance of safeguarding patient information.

Check out all of the past Meaningful Use Monday posts.

September 24, 2012 | Written By

Lynn Scheps is Vice President, Government Affairs at EHR vendor SRSsoft. In this role, Lynn has been a Voice of Physicians and SRSsoft users in Washington during the formulation of the meaningful use criteria. Lynn is currently working to assist SRSsoft users interested in showing meaningful use and receiving the EHR incentive money.

6 Rules for Ethical Data Handling in a Health Organization


The following is a guest post by Danny Lieberman. Danny Lieberman, founder of Pathcare, the private social network for doctors and patients, talks about how to develop clinical care teams that will become world-class at patient data-handling.

Patient data loss is a peculiar problem. 

Unlike malware and intrusions, which are caused by “attackers” who are “other people”, data loss happens inside your healthcare provider organization and is perpetrated by your own people, your contractors and your business partners who have access to your patients’ data and your systems.

Patient privacy data loss is best mitigated by management leadership, reinforced by real-time data loss monitoring that is part of a continuous process of improving data governance.

Management needs to lead from the front, providing a personal example for how to handle data and behave ethically in the workplace.

Real-time monitoring of data loss events on a healthcare provider network can be performed using DLP (data loss prevention) technologies from companies like Websense, Fidelis Security Systems (recently acquired by General Dynamics) and Verdasys.

While I do not subscribe to vendor rhetoric regarding data loss prevention, experience tells me that data loss detection provides information security and privacy officers with firm examples of what data is actually exiting the network.

The combination of management commitment to ethical behavior with a real time monitoring facility can create a powerful feedback loop that improves behavior and drives improved data governance.

The practical question is then “How do I go from Point A to Point B?”:

How do I take an organization where HIPAA compliance is the auditors’ responsibility and make it the responsibility of care team leaders and members?

Let’s start with management.

In a follow-on article, we’ll discuss how to best deploy DLP technologies and integrate them with security and privacy leadership.

Just because everyone does it doesn’t make it right

Data leakage is as old as mankind. Think about Jericho and Rahav. People have always bartered or “sold” things of value to one another. This doesn’t make it acceptable on your watch.

Getting it right is why they pay you the big bucks

Managing a care team is complex, especially since your care team is not you. They have their own economic background, religious beliefs, and cultural upbringing. Your team will look to you for both formal and informal cues as to your data handling ethics, and then they will follow that direction intuitively.

If you close an eye to infringements of data handling procedures (like exchanging plain text files with external users over Gmail because the internal email system won’t let you attach files with PHI), then you are sending a subliminal message to the team that it is acceptable to bend the rules.

Patient data breaches are bad for business

Aside from this being an inappropriate security policy, it is also bad for business. If your team doesn’t care about the little stuff like HIPAA physical and administrative safeguards, then maybe they won’t wash their hands as often as they should. Patients (who are also customers) may feel that an organization where patient data leaks like a sieve is an organization that cares less about healthcare, and may take their business elsewhere.

Since your clinical care team looks at your data handling as a role model for their expected behavior, setting an ethical standard for data handling is as much your job as it is the individual responsibility of each nurse, resident or surgeon on your team.

The 2 elements of ethical standards for healthcare privacy are shared by manager and team members:

  1. healthcare provider standards for patient privacy (nominally at least HIPAA compliance, since a hospital or HMO is a covered entity and must comply) and
  2. individual responsibility.

6 rules for ethical data handling in a health organization

  1. Ethical data handling must be verbalized and demonstrated. You must communicate to your healthcare team what you expect and what you consider unacceptable. Set the standard for all to be measured by. Once a quarter, discuss ethics, privacy and data governance at a team meeting.
  2. Develop a detailed set of data/privacy breach use cases in your practice area, and have your teams sign off on them.
  3. Management must use a top-down ethical approach and demonstrate the standards they expect their team(s) to follow. This includes not accepting unauthorized gifts from vendors, or allowing nursing and administrative staff to bend the rules on disclosing patient files to non-family members.
  4. When hiring employees, include a clause on ethics in their job description. (Check with your company lawyer on this.)
  5. Communicate to your care team on a monthly basis what is expected of them with regard to maintaining security and enforcing privacy.
  6. Don’t always assume that a team member is unethical just because a patient complains.

August 24, 2012 | Written by John Lynn

Guest Post: GFI FaxMaker Solves Healthcare Customers’ Faxing Needs


Guest Post: This is a sponsored guest post written by James Taylor and provided by GFI FaxMaker.

HIPAA requirements are becoming a part of every technology discussion, especially within the healthcare industry. One of the biggest pain points for both doctors and dentists is faxing. The HIPAA requirements for faxing EMR/EHR records are fairly straightforward, and also fairly onerous and time consuming, and healthcare organizations are looking for better ways to do faxing. This is where GFI’s fax server software, GFI FaxMaker, steps into the scene.

Installation

Installation is easy, though it does require a domain admin account (more on that below). It can use a fax modem, FoIP SaaS service from Brooktrout, or ISDN lines, and can be installed right on your Exchange server or integrate with Exchange (or other email systems) using an SMTP connector. Install gets a 9/10.

Integration

GFI FaxMaker almost sells itself just in how easily it can be integrated into practically any client’s existing infrastructure, whether they are a private practice or part of a huge hospital network. The email-to-fax and print-to-fax capabilities make it easy for end-users to send faxes, and help to ensure HIPAA compliance in several ways; these include:

  1. Fax numbers can be pulled from the email client address book (GAL).
  2. Delivery confirmation reports can be automatically generated and stored with the sent faxes.
  3. Incoming faxes are delivered directly to the recipient; no paper is left lying around, and there is no need for the user to go stand by the fax machine waiting for an incoming fax.
  4. Faxes can be stored as PDF or TIFF and routed to network shares. Practically any client’s EMR/EHR medical records program can consume these with no extra work, making this another way to plug directly into programs without needing to write any code.
  5. The ability to ‘print to fax’ makes every Windows program my clients use ‘fax capable’. Share the printer and clients can just double-click it to start faxing from any application.

Making it so easy to plug into existing infrastructure earns this a 9/10.

Fax routing flexibility

GFI FaxMaker’s routing capabilities are its best feature. You can automatically deliver faxes to users, network folders, or printers, based on several different attributes:

If your senders’ fax machines identify themselves by CSID, you can route using that, or you can set up extensions for each user without having to get dedicated lines. Of course, it can use dedicated lines too. OCR rocks, since it can scan for the recipient’s name and deliver the fax by ‘reading’ the To: line on a cover page or finding a keyword in the body of the fax. Just don’t expect it to decipher a doctor’s handwriting.

It can also automatically archive inbound and outbound faxes as PDF or TIFF format, making it easy to import faxes into other programs or to keep a secured archive.

Most organizations are very big on electronic archiving, and they don’t have the budget to get every single doctor and PA in the practice their own fax number, so I give this a 9/10.

What I like

GFI FaxMaker installs very easily, integrates with every email environment without having to install anything on the mail server, and sets up a shared printer so users can simply print to fax. It is easy to set up, easy to understand, and just works. Getting rid of the fax machines, the stocks of ink, and all the paper left lying around that goes along with a traditional fax is great, and with no more incoming faxes hitting the output tray, there’s no chance of confidential patient information (EMR/EHR) being at risk. Considering how big a concern that is for HIPAA compliance, and how little space most offices have to ‘secure’ a traditional fax machine, this is a huge benefit and earns GFI FaxMaker a 10/10 for convenience and compliance.

What I don’t like

The one thing I don’t care for is that GFI FaxMaker wants to run under the account of a domain admin. Small offices running SBS don’t seem to care, but hospitals with Information Security departments take exception to this. Two things: no software should want to run as a domain admin, and any software that isn’t going to run as SYSTEM ought to run under a dedicated service account. If you let it run under your own user account, it will break in a couple of months when you change your password. In terms of how I rate this product, that counts off more than anything else.
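A quick way for an Information Security department to find the situation described above on any server is to audit which account each Windows service logs on with. The script below is an added example, not code from GFI or from this review; it assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined host, and that your admin group is the built-in Domain Admins group.

```powershell
# Added example (not GFI's code nor the reviewer's): audit the logon account of
# every Windows service on this host and flag the two problems the review
# calls out: a service running as a Domain Admin, and a service running under
# a personal user account whose password will expire and break the service.
# Assumes the RSAT ActiveDirectory module and a domain-joined Windows host.
Import-Module ActiveDirectory

# Built-in service identities that need no domain credentials at all.
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService')

# Recursive lookup so members of nested admin groups are caught too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

function Get-ServiceAccountFinding {
    param([string]$ServiceName, [string]$LogonAccount)

    # Nothing to report for services with no logon account or a built-in one.
    if (-not $LogonAccount -or ($builtIn -contains $LogonAccount)) { return $null }
    # Virtual accounts (NT SERVICE\name) are per-service identities: fine.
    if ($LogonAccount -like 'NT SERVICE\*') { return $null }

    # Reduce DOMAIN\name or name@domain to the bare SAM account name.
    $sam = $LogonAccount
    if ($sam -match '\\') { $sam = ($sam -split '\\')[-1] }
    elseif ($sam -match '@') { $sam = ($sam -split '@')[0] }
    # (Group) managed service accounts end in '$' and rotate their own password.
    if ($sam.EndsWith('$')) { return $null }

    $finding = $null
    if ($domainAdmins -contains $sam) {
        $finding = 'Runs as a Domain Admin: move to a dedicated low-privilege service account'
    } else {
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordNeverExpires
        if ($null -eq $user) {
            $finding = 'Runs as a local account: confirm it is a dedicated service identity'
        } elseif (-not $user.PasswordNeverExpires) {
            $finding = 'Runs as a domain user whose password expires: the service will stop at the next rotation'
        }
    }
    if ($finding) {
        [pscustomobject]@{ Service = $ServiceName; LogonAccount = $LogonAccount; Finding = $finding }
    }
}

# Walk every service on this host and report only the ones with a finding.
Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { Get-ServiceAccountFinding -ServiceName $_.Name -LogonAccount $_.StartName } |
    Where-Object { $_ } |
    Format-Table -AutoSize
```

Run it on the fax server after installation; a clean result is an empty table, and a fax service that shows up with the Domain Admin finding is the case the paragraph above objects to.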

I would also prefer the print drivers to be signed by Microsoft; I know that takes time, but it is a jarring warning in bold red when you go to install it on a Windows server.

The bottom line

GFI FaxMaker is an excellent faxing solution for health care organizations, whether they are private practice or attached to major medical centers. It’s easy to use, is able to integrate into existing systems, and contributes to HIPAA compliance – making itself a great solution on its own merits; the amount of time, money, and administrative support it saves your IT support helps it pay for itself in no time. I rate it a very strong 9/10, and bet you will too.

With all that it has to offer, GFI FaxMaker may be the best new application your healthcare practice has ever seen. But don’t just base it on my great experience, see for yourself.

September 28, 2011 | Written by John Lynn

Meaningful Use and HIPAA – The Risk Analysis


Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA compliant practices in the simplest, most pain-free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis. Some may also refer to this as the Risk Assessment.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions. It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices. An additional risk analysis should be accomplished any time there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR, new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis. Be aware, though, that the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based. Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable?  Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.

April 6, 2011 | Written by John Lynn

Meaningful Use and HIPAA – The Sanction Policy

Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA compliant practices in the simplest, most pain-free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies. Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate. The computer policies are separate from the company’s human resources policies…actually, they are different, but they enhance the HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff have signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble.

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?). Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement. As I expected, the feds are using Meaningful Use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).

March 16, 2011 | Written by John Lynn

Domain Controlled Networks and Management Servers

Trent Peters from Umbrella Medical Systems added an interesting comment on my previous post about Domain Controlled Networks and HIPAA that I thought really added to my original post. Plus, Trent goes into a nice list of other benefits of having a “Management” server in an office. It gets a little technical for some of my readers, I’m sure, but is valuable if your office is embarking on this adventure.

Here’s Trent’s comment:

This is an interesting question and can be argued either way, but again it comes down to what’s “reasonable and appropriate”. A little background, my company is a IT Consultant group that works specifically in the healthcare arena offering services to medium-sized and small healthcare organizations, we have plenty of EMR implementation experience. Over 95% of our clients are in a domain environment and we always push for an Active Directory environment if one is not present. However, in the small offices (1 – 2 providers) this can be difficult because of the initial cost and the fact it’s “server” based. Many small offices will choose a “hosted” emr solution for the low up front cost and adding on the extra 5 -7K is not a valid option as the cost outweighs the benefits (from their perspective). The other 5% simply do not have the same security and manageability as the domain environments.

Any network’s security solution is only as strong as the weakest link. While not having a domain controller doesn’t necessarily equate to not being HIPAA compliant, it sure helps secure the environment to IT best practices. We call the Domain / Active Directory server the “Management” server because it provides more functions than just AD. For instance: WSUS patch management to make sure all computers have the latest security patches and don’t have the updates that may conflict with the EMR (some EMR software is not compatible with IE8 or SQL 2005 SP3, etc.); centralized backup and client folder redirection for non-EMR critical data; a centralized monitoring platform for servers (hardware + software), workstations, UPS, networks, VPN, etc.; centralized AntiVirus protection is also important to notify the support team of malicious software and vulnerabilities. Group Policies are a big part of the overall security and can manage (if properly configured) all aspects of the network, including password policies, computer and user permission rights, power settings, audit controls, etc. There are many benefits to a DC / Management server, and it is the choice to achieve IT best practices (I believe MS recommends 3+ computers to be on a domain environment, although this is aggressive).

It’s nice to be able to bundle server roles (such as SQL or FAX) in order to justify the management server, but generally it comes down to cost. We hold our HIT practices to the highest standard, so our rule is that if the organization has +5 computers, you must have a Domain Controller / Management Server in order to qualify for our full support program. We can’t justify the extra effort required to properly manage the environment without it. In those rare cases where a small organization chooses to not invest in a Domain Controller when we feel it’s required, then unfortunately we wish them the best of luck and turn down their business.
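A defender-side check of two of the controls Trent lists, the domain password policy set through Group Policy and the computers that are likely missing the patches and AV updates the management server pushes, as an added example that is not part of the original post or of Trent’s comment and is not code from Umbrella Medical Systems. It assumes the RSAT ActiveDirectory PowerShell module is installed, that it runs under an account with read rights to the domain, and that the baseline thresholds shown are acceptable for the office; those numbers are illustrative assumptions, not values from the post or from HIPAA.

```powershell
# Added example, not code from the original post or from Umbrella Medical Systems.
# Compares the domain's effective password policy with an illustrative baseline and
# lists enabled domain computers that have not logged on recently (machines that
# are off the network also miss the WSUS patches and AV updates pushed from the
# management server). Assumes the RSAT ActiveDirectory module and a domain account
# with read rights. Baseline numbers below are assumptions for illustration only.
Import-Module ActiveDirectory

# Illustrative baseline (an assumption, not a HIPAA-specified value)
$Baseline = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    LockoutThreshold     = 5      # failed logons before lockout; 0 means never lock out
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 90
}

function Test-DomainPasswordPolicy {
    # Returns a list of findings; an empty list means the domain meets the baseline.
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline requires $($Baseline.MinPasswordLength)"
    }
    if ($Baseline.ComplexityEnabled -and -not $policy.ComplexityEnabled) {
        $findings += 'Password complexity is disabled'
    }
    # A threshold of 0 disables lockout entirely, which is weaker than any non-zero value
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); baseline requires 1-$($Baseline.LockoutThreshold)"
    }
    if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); baseline requires $($Baseline.PasswordHistoryCount)"
    }
    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire
    $maxAge = $policy.MaxPasswordAge
    if ($maxAge -eq [TimeSpan]::Zero -or $maxAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $($maxAge.TotalDays) days; baseline requires at most $($Baseline.MaxPasswordAgeDays)"
    }
    return $findings
}

function Get-StaleDomainComputers {
    param([int]$Days = 60)   # assumed staleness window
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate is replicated only approximately, so treat it as a coarse signal
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object Name, OperatingSystem, LastLogonDate |
        Sort-Object LastLogonDate
}

# Usage: run from a workstation or the management server with RSAT installed
$findings = Test-DomainPasswordPolicy
if ($findings.Count -eq 0) {
    Write-Host 'Domain password policy meets the baseline.'
} else {
    Write-Host 'Password policy findings:'
    $findings | ForEach-Object { Write-Host "  - $_" }
}

Write-Host "`nEnabled computers with no logon in the last 60 days (check WSUS and AV coverage):"
Get-StaleDomainComputers -Days 60 | Format-Table -AutoSize
```

The password-policy check reads the effective Default Domain Policy, so it reflects what Group Policy actually applied rather than what someone believes was configured; the stale-computer list is the starting point for reconciling Active Directory against the WSUS and AV consoles, since a machine that never checks in silently falls out of the centralized patching Trent describes.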

July 8, 2010 | Written by John Lynn


Fear of HIPAA Audits Despite 0.002% Chance


Anyone that has worked in healthcare has the palpable fear of the word HIPAA. Any time the word’s mentioned, I have this visceral emotion shoot through my body. I’m sure it’s the same for many people. HIPAA is like the nasty word that no one can argue with. Just say something is a HIPAA violation and no one can argue with you (assuming you’re right).

In the clinics I’ve worked in, there really is a desire to try and follow the HIPAA rules as best as possible. They all hate it, but they all try in good faith to follow the HIPAA rules. They likely do this because of fear of the dreaded HIPAA audit. Check out this interesting comment made on a previous post I did which puts the HIPAA audit in a new light:

Same goes for the HIPAA rules. We all spend so much effort and time to comply, yet the handful of cases arise when a disgruntled, recently fired employee becomes a whistleblower to screw their past boss and “tells all” to the feds, who then pounce on the poor unsuspecting doctor to showcase their enforcement muscle. I’ve heard of anecdotal cases s.a. this, but I have never actually seen an office raided for a HIPAA violation or a major article on the subject in my medical journal reading. Considering that, if say, there are a dozen cases, then 12/780000 practicing doctors, my chances of a HIPAA audit are about 0.002%.

It’s a crazy world we live in. I agree that the risk of a HIPAA audit is pretty small and I think most people acknowledge this internally. Yet, people are afraid to say this publicly, because it sends a message that they don’t care about patient privacy. I think most clinics go through this amazing internal conflict. Basically, they want to support patient privacy, but they also don’t want HIPAA to get in the way of caring for patients and running their business.

The solution I believe most clinics employ: If I don’t talk or acknowledge it, then I don’t have to worry about it. Basically, ignorance is bliss. So, they address any privacy issues that come out and they try to maintain privacy generally, but few of them take it head on and make sure that they are HIPAA compliant. Should they? There’s only a 0.002% chance they’ll have a HIPAA audit.

Note 1: Hospitals are different than clinics. There are other issues related to HIPAA at hospitals.

Note 2: See, I do occasionally write about HIPAA. That’s why this website is named EMR and HIPAA. Every 6 months is about right, no?

Note 3: Patient Privacy is very important to me, so this post isn’t meant as an excuse for people to not protect their patients’ privacy. It is an attempt to discuss openly what I think is really happening with HIPAA in clinics.

May 19, 2010 | Written by John Lynn
