
Don’t Let a Business Associate Compromise Your HIPAA Compliance

Posted on August 5, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Kari Woolf, Senior Global Product Marketing Manager, Novell.
Traditional healthcare organizations are no longer the only enterprises expected to comply with the strict rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) recently issued the final omnibus rule of HIPAA, which creates significant liability for many technology enterprises, as it has extended the requirement of HIPAA compliance to healthcare “business associates.”

Defining an “organization” and a “business associate”

A healthcare organization is a healthcare provider, health plan or healthcare clearinghouse. A business associate is defined as any company that provides its services to healthcare providers, health plans or healthcare clearinghouses. Healthcare organizations have always been required to comply with HIPAA. Under the new omnibus rule of HIPAA, business associates are now required to be HIPAA-compliant as well. Even companies that may never view electronic protected health information (ePHI), but store, transfer, conduct transactions or in any way manage files for healthcare organizations must comply, and healthcare organizations have to have a business associate agreement in place with those companies.

What does this mean for healthcare organizations?

Organizations often let their employees use cloud-based solutions because they believe sharing internally is not in violation of any HIPAA ordinance. However, any time a file is shared via the cloud it is then in the hands of a company that could be considered a business associate. In most cases, these business associates are not HIPAA-compliant, creating an unnecessary risk for the organization.

The business associate might get in trouble—but the healthcare organization is almost sure to get in trouble. HIPAA regulators are cracking down on traditional healthcare organizations. HHS recently announced the first HIPAA breach settlement involving fewer than 500 patients, at the Hospice of North Idaho (HONI). According to the HHS resolution agreement, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices. This resulted in a $50,000 fine, a two-year probation period and extensive reporting requirements for up to six years.

What can healthcare organizations do?

Regardless of any regulations, organizations must enable employee access to important materials from whichever devices or locations employees need to work from. This challenges IT to maintain control of ePHI while still enabling employees to access and share files.

An on-premise solution is a viable option for these organizations to remain HIPAA compliant. Employee productivity and user experience don’t have to be abandoned, as a robust on-premise solution can enable a cloud-like, user-friendly experience with corporate data and files. Organizations can remain HIPAA compliant with certain, trusted cloud solutions, but IT needs to ensure that the cloud provider they choose has the enterprise experience to keep data safe, and with controls and restrictions that only allow the right people to access the right files. Consumer-focused cloud solutions like Dropbox won’t be sufficient for HIPAA compliance. SkyDrive from Microsoft, for example, just announced that IT can now see who has viewed and altered certain documents from the platform. While this is a step in the right direction, visibility alone does not prevent data breaches; it only serves as a notification after the fact, when it may already be too late.

Here’s a quick list of action items to help you maintain HIPAA compliance:

  1. Consider an on-premise solution: Reconsider whether the trouble of relying on a business associate is worth the benefit. On-premise solutions offer all the same capabilities that cloud solutions do, and in fact, most on-premise solutions are more mature and offer better features. Most importantly, they provide a secure foundation for accessing and working with ePHI.
  2. Conduct a full audit of third-party apps in use: Popular mobile apps like Dropbox, Evernote and even Gmail are not HIPAA-compliant. Using these apps constitutes giving ePHI to noncompliant business associates. Employees may not realize this—they simply want to use the apps they’re familiar with. You need to police the issue. Not sure how to do this? A good mobile device management solution should have tools to help you.
  3. Use a mobile device management tool that can remotely wipe a device if it is lost or stolen: This empowers the network administrator to track and manage access to sensitive data. If a device with ePHI is compromised the network administrator can quickly and efficiently delete the data and minimize any risks. Better yet…
  4. Use your mobile devices as gateways, not destinations: Employees are going to use mobile devices, and there’s little sense in trying to stop them. Instead, make sure those devices don’t become the destination for your ePHI and instead act as a gateway. Employees can access files through their mobile devices without having the actual files on the mobile devices. On-premise solutions will keep ePHI in your data center without it being compromised through cloud storage and file-sharing services.
  5. Audit mobile devices frequently: All organizations need to have an updated auditing schedule for mobile devices to ensure they are in compliance with any and all organization and regulatory requirements.
  6. Sign a business associate agreement with any outside organization that touches your ePHI: If a cloud vendor or other business associate won’t sign an agreement, find one that will or consider an on-premise solution.

Kari Woolf is a Senior Product Marketing Manager and Collaboration Marketing Lead for Novell. She has been with the company for more than 14 years in a variety of marketing and communications capacities. In addition to her high tech marketing experience, she served as an account manager and content director for a creative agency specializing in live events. She holds a Bachelor of Arts degree in Political Science from Brigham Young University.

HIPAA Fines and Penalties in a HIPAA Omnibus World

Posted on July 25, 2013 | Written By John Lynn

Lately I’ve been seeing a number of really lazy approaches to making sure a company is HIPAA compliant. I think there’s a pandora’s box just waiting to explode where many companies are going to get slammed with HIPAA compliance issues. Certainly there are plenty of HIPAA compliance issues at healthcare provider organizations, but the larger compliance issue is going to likely come from all of these business associates that are now going to be held responsible for any HIPAA violations that occur with their systems.

For those not keeping up with the changes to HIPAA as part of the HITECH Act and HIPAA Omnibus, here are a couple of the biggest changes. First, HITECH provided some real teeth when it comes to penalties for HIPAA violations. Second, HIPAA Omnibus puts business associates in a position of responsibility when it comes to any HIPAA violations. Yes, this means that healthcare companies that experience HIPAA violations could be fined just like previous covered entities.

To put it simply, hundreds of organizations who didn’t have to worry too much about HIPAA will now be held responsible.

This is likely going to be a recipe for disaster for those organizations who aren’t covering their bases when it comes to HIPAA compliance. Consider two of the most recent fines where Idaho State University was fined $400k for HIPAA violations and the $1.7 million penalty for WellPoint’s HIPAA violations. In the first case, they had a disabled firewall for a year, and the second one failed to secure an online application database containing sensitive data.

Of course, none of the above examples take into account the possible civil cases that can be brought against these organizations or the brand impact to the organization of a HIPAA violation. The penalties for a HIPAA violation range from $100 to $50,000 per violation depending on the HIPAA violation category. I’ll be interested to see how HHS defines “Reasonable Cause” versus “Willful Neglect – Corrected.”

I’ve seen far too many organizations not taking the HIPAA requirements seriously. This is going to come back to bite many organizations. Plus, healthcare organizations better make sure they have proper business associate agreements with these companies in order to insulate them against the neglect of the business associate. I don’t see HHS starting to search for companies that aren’t compliant. However, if they get a report of issues, they’ll have to investigate and they won’t likely be happy with what they find.

The message to all is to make sure your HIPAA house is in order. Unfortunately, I don’t think many will really listen until the first shoe falls.

HIPAA Applies To Those Who Don’t Know About It

Posted on May 17, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now here’s a pretty how-to-do for HIPAA lawbreakers. According to a new appellate decision in California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and obviously, got caught). After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up in the United States District Court for the Central District of California. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data spying was illegal under HIPAA. Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA] is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words, if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee? If it were my PHI, that’s where I’d be venting my wrath.

Meaningful Use and HIPAA – The Risk Analysis

Posted on April 6, 2011 | Written By John Lynn

Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA-compliant practices in the simplest, most pain-free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis. Some also refer to this as the Risk Assessment.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions. It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices. An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR, new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis. Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based. Your risk analysis should cover areas including:

  • Does the practice have a privacy window at the sign in station?
  • Does the practice close the privacy window to the lobby except when speaking to a patient directly?
  • Does the practice use an acceptable procedure to hide patient names on the sign-in form?
    • What is acceptable? Here are a few examples:
      • Individual sign-in slips that are handed to the receptionist
      • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
      • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
  • Who has keys to the office?
  • Where is the list of who has keys to the office?
  • Who has the alarm code to the office?
  • Where is the list of who has the alarm code?
  • Is the door from the waiting area always locked?
  • Does the facility have a sprinkler fire system?
  • Does the server have a fire system sprinkler above it?
  • Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.


Meaningful Use and HIPAA – The Sanction Policy

Posted on March 16, 2011 | Written By John Lynn

Guest Poster: John Brewer is the founder of HIPAAaudit.com.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies. Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate. The computer policies are separate from the human resources policies of the company, but they enhance those HR policies.

For example:

  • Which websites can staff go to during business hours?
  • Which websites are completely banned?
  • Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff have signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble.

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?). Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

  • Initial reaction to a violation
    • Document the violation
    • Detail the exact violation to the offender
    • Document this communication
    • Initiate any company checklists that may be required depending on the specific violation
  • Secondary reaction to a violation
    • Retraining
      • Re-attend Annual Awareness Training
      • Document this re-training
    • Document understanding of the violation
  • Repeat violations
    • Repeat violations need to be dealt with in a solid and consistent way
    • How many repeat violations before termination?
    • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
    • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement. As I expected, the feds are using Meaningful Use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).


HIPAA Lawsuit – PHI by Un-encrypted Email

Posted on December 29, 2010 | Written By John Lynn

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well and could have consequences related to its release on the internet. However, it definitely doesn’t bring out the privacy critics like a breach of financial related info would bring.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedent is set (or a more specific law), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented that they wanted a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI, at the risk of someone seeing their health information, so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.

Lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.

Hospital Breach by Job Applicant

Posted on October 27, 2010 | Written By John Lynn

During a bond hearing Thursday in Superior Court, Wheeler’s Macon attorney Reza Sedghi described his client’s actions as a job application gone awry with “no criminal intent or compromise of sensitive patient information.” Sedghi said Wheeler had obtained access to the database with a password and access codes obtained while working on a Macon physician’s connectivity problems with the hospital.

The attorney said Wheeler uncovered seven flaws in the hospital’s system and sought to use the discovery to land a job with the countywide medical complex, spending several hours with Rhodes and David Griffin, the hospital’s security chief.

“They asked for and received a copy of his resume and a written report of his findings,” Sedghi reported in court. “Then they walked out of the conference room and returned with two Warner Robins police officers.”

Wheeler’s acts were stupid, the Macon attorney conceded, but “he had no malicious intent. He was the one exposing the flaws.” –source

I must admit that I’m a bit torn by the story of this kid who I believe didn’t have any malicious intent when he breached the hospital’s security system. The crazy thing is that if he’d had malicious intent they wouldn’t have likely known that there were these security holes and that he had breached them.

Certainly the kid is dumb to have done it, but the reaction by the hospital system is terrible. Here’s a quote from the same article excerpt above:

“I condemn any effort of any party to justify his acts,” Rhodes [CIO] said in an exclusive Warner Robins Patriot interview. “This is a criminal act and he did not do Houston Healthcare or its patients any favors. His actions were illegal and we will support the authorities in prosecuting this to the full extent of the law.”

Talk about a major overreaction. Of course his condemnation of efforts to justify his acts makes people more interested in doing so. Honestly, Robert Rhodes, chief information officer for Houston Healthcare, just sounds like an angry CIO whose security efforts were torn to shreds by a 21 year old. I’d be angry too if I were Robert Rhodes. Mostly because Robert Rhodes is the one that should be fired for having such porous security and they should hire Christopher Wheeler to help them actually implement some real security.

Of course, the CIO is quick to point out that “He did not breach our internet security. He got in through a stolen password. He didn’t discover a breach. He was the breach.”

This is just wrong. It wasn’t stolen, but given to him as part of his duties to help the doctor connect to the hospital. That’s not a breach. What’s insane is that a doctor’s password would have the ability to create all these back doors and expose seven flaws in the hospital’s IT systems. The CIO should be held accountable for that. So much for only giving users the access that they need. Or maybe the doctors at Houston Healthcare need that ability. Yeah, right.

I don’t want to give the impression that security isn’t important. It is, and what this guy did was wrong and he’ll be punished in the legal system for what he did. Although, it does seem that it wasn’t with malicious intent and so some leeway should be given there. However, the CIO accepting a C-level executive salary with responsibility over a network with so many security flaws that could be exposed by a 21 year old using a doctor’s password sounds much more inappropriate to me.

A Look Back at Popular EMR and HIPAA Posts

Posted on June 6, 2010 | Written By John Lynn

I told you on the weekends I’d try to go through and highlight some of my previous 774 posts (but who’s counting?). Obviously, there’s a lot to choose from. So, this time I decided to hit the big red button on my stats program that said “Top Posts for All Time.” Yes, that’s crunching 2,636,682 pageviews to provide this data. That’s right. Over 2.6 million pageviews. I kind of shudder thinking about that. Plus, I didn’t implement this stats system (since it didn’t exist) until well into this blog, but I digress.

Two posts that I knew would be near the top are my Overwhelming List of EMR Companies post which I did back on 2/21/06 and my EMR and EHR vendors page. The former just barely edged out the latter.

Man a lot has changed since early 2006 with that list of EMR vendors. Kind of fun to look back at the state of EMR vendors in 2006. A lot more entrants. Also, I’ve mostly stopped updating that page, and instead have been linking to this EMR and EHR matrix wiki page. Although, I do generally update the EMR and EHR vendors page for those vendors that advertise on EMR and HIPAA.

Coming in close behind my list of EMR and EHR vendors were a couple of posts about the EMR stimulus package (imagine that). One was called “Details of Obama’s EMR stimulus Package,” which I posted on 1/24/09, and the other was titled “Economic Stimulus Bill Simplified,” which I posted February 17, 2009.

I kind of shudder going back and reading those initial posts. So much of the information was vague and we were doing our best to guess what the government process would produce. Needless to say, we know a lot more about it now than we did then. I’m also glad I updated those posts with a link to my EMR Stimulus presentation. It’s mostly right, but we just have a lot more information now about Meaningful Use and Certified EHR than we had when I gave that presentation. The sad part of course, is that we’re still missing a lot of necessary details.

Another one that’s pretty interesting was a post I did back on June 21, 2006 about HIPAA Violation Examples. Turns out, a lot of people search the web for examples of HIPAA violations. I guess it’s kind of like passing a car wreck. You just need to look. This post is also proof that at least at some point, I’ve written about HIPAA. Thus the name EMR and HIPAA. Ok, I admit it’s probably about 99.6% EMR posts and 0.4% HIPAA posts. When I started I thought HIPAA would be interesting. I was wrong (at least for a computer nerd like me).

Another popular post was one listing the Top 10 Open Source EMR projects. Make sure you read the comments. That’s where the real action happened in that post. I might have to contact Sam Bowen about the Open Source Medical Software’s move to get OpenEMR certified. I’m guessing they still want to, but are just waiting for HHS to get their ducks in a row first.

I still love open source. I’d love to hear more updates about these open source EMR projects. So, if you’re someone who uses or codes for these open source EMR projects, I’d love to get an update (hopefully one I can share on the site).

Ok, that’s enough for now. Let me know if you like these types of posts or not. I bet they’ll get better as I go down the list even more.

Guest Post: Will Your New Smartphone Ruin Your Practice?

Posted on April 29, 2010 | Written By John Lynn

Guest Post: Hayden Hartland works at Spearstone, makers of DiskAgent, which provides a multi-platform approach to smartphone security (lock, data wipe and GPS tracking from any web browser) along with online backup for your business.

Breathtaking advances in smartphone capabilities are changing the ways we work and live. In their latest forms, iPhone, Android, BlackBerry, Windows Phone, Symbian and Palm devices are beginning to rival, and in several areas (think GPS, camera and video) exceed, the capabilities of laptops and desktops.

Increasingly, we email, keep contacts, track tasks and appointments, browse the internet, capture family moments, connect with friends, shop, and even run powerful business apps from our hand-held do-it-alls. No wonder, then, that surveys show some people giving up computers altogether for smartphones. Trends indicate smartphone sales and usage will exceed those of laptops in the next five years, and analysts describe a future where smartphones that dock to keyboards and monitors make the laptop obsolete altogether.

The problem is that while smartphones are leapfrogging laptops and desktops in utility and connectivity, they have introduced security risks that too few take seriously. Unlike desktops and laptops, where some of the biggest risks are malware and the eventual failure of spinning hard drives, the biggest risk with a smartphone is losing the device and, with it, exposing the information stored on it.

More than 5,000 smartphones are lost or stolen each day. Most hold thousands of confidential records – patient lists, emails, documents, medical records, patient payment records, and so on – and on a typical phone there is little or nothing to stop whoever ends up with it from reading them. Many of those phones are carried by healthcare professionals (doctors, nurses, dentists, office managers, billing providers, support staff, and so on) whose information represents real risk to their practices and patients if compromised.

Next time you notice a staff member, equipment rep, supply rep or any business associate using a smartphone, consider asking, “Are our emails accessible on that phone?” and “If you lose it, can anyone read them?” If you are a medical professional carrying a smartphone you need protection, because odds are that eventually you will lose it. Furthermore, HIPAA’s breach notification rule (along with FTC and state breach laws) requires notifying the affected patients when unsecured PHI is exposed, which is not exactly good for any practice or healthcare business. The one exception is PHI that was encrypted to the standard in the HHS guidance: that data is treated as secured and its loss does not trigger notification, which is a strong argument for encrypting phone storage rather than relying on a lock screen alone.

Current phones and typical user practices do a poor job of safeguarding confidential information. Most smartphones can require a password or PIN to unlock, but few of us can tolerate the hassle of actually using one; we simply use our phones too frequently to put up with it. Yet without one we are completely exposed. And a lock screen only raises the bar: it can’t stop someone with phone hacking skills, and on a phone whose storage is not encrypted the data can be read straight from the flash memory without ever unlocking the phone.

Here are some practical tips you can employ to reduce your risks:

  1. Create a passcode for your phone. If you (like me) hate being pestered by it, set it to be required only after a period of inactivity (4 or 8 hours) so that you enter it once or twice a day, but understand the tradeoff: during that grace period a thief has full access, so the shorter the delay the better, and minutes rather than hours is the right order of magnitude if the phone holds patient information. If a locked phone is stolen, the thief will either need to hack the phone or reset it to factory settings, which removes all the data in the process.
  2. Create a splash screen that is shown when your phone is locked, displaying a contact phone number or email address and a reward value. Consider etching your name and contact information somewhere on the phone.
  3. Remove sensitive information from your phone as soon as possible.
  4. Write down your IMEI (International Mobile Equipment Identity) number; dialing *#06# displays it on most GSM phones. If your phone is stolen, call your carrier immediately and ask them to blacklist the IMEI, and the phone will be blocked from cellular service on every network that honors the blacklist. This makes the phone far less useful to a thief, but it can still join Wi-Fi, and it does nothing to protect unencrypted information already stored on it.

Fortunately, a few larger clinics and hospitals are beginning to address these concerns. If yours is a larger practice with a BlackBerry Enterprise Server and/or an Exchange server, and your users exclusively use phones those servers manage (BlackBerries, and Windows Mobile or other Exchange ActiveSync devices such as the iPhone), you can enforce a passcode policy from the server and remotely wipe email and other synced data in the event of a loss or theft. Keep in mind that a remote wipe only executes when the device next connects to the server; a thief who keeps the phone offline never receives it, and only storage encryption protects the data in that case. Other alternatives are to deploy encryption software or use Apple’s paid MobileMe service. For other organizations, Spearstone’s DiskAgent offering provides a multi-platform approach to smartphone security by allowing lock, data wipe and GPS tracking from any web browser.
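As an added example (not code from the post, from Spearstone or from Microsoft’s documentation), here is how a practice running Exchange 2010 would turn the passcode, idle-lock and encryption tips above into a policy the server enforces, and then wipe a lost phone. The policy name “Clinic-Phones”, the user alias “jdoe” and the notification address are assumptions; the cmdlet names are the Exchange 2007/2010 ones (Exchange 2013 and later renamed them, e.g. New-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics and Clear-MobileDevice).

```powershell
# Added example, not from the original post. Assumed names: policy "Clinic-Phones",
# mailbox alias "jdoe", admin address "it@clinic.example". Run from the Exchange
# Management Shell on Exchange 2007/2010 (cmdlet names differ on 2013+).

# 1. A policy that makes the "I hate entering a PIN" decision for the user:
#    alphanumeric passcode of 6+ characters, lock after 15 idle minutes, wipe after
#    10 failed attempts, encryption required on the device and its storage card,
#    and no recovery password that a helpdesk ticket could leak.
New-ActiveSyncMailboxPolicy -Name "Clinic-Phones" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -PasswordRecoveryEnabled $false `
    -AllowNonProvisionableDevices $false   # phones that cannot enforce the policy are refused

# 2. Assign it. A device that will not accept the policy stops syncing mail
#    instead of syncing it unprotected.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Clinic-Phones"

# 3. Lost-phone procedure. List the mailbox's device partnerships first so the
#    right device is wiped (a user may have both a phone and a tablet paired).
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe"
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync, Identity -AutoSize

# Pick the lost one (here assumed to be the most recently synced) and queue the wipe.
$lost = $devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "it@clinic.example" -Confirm:$false

# Block that device ID from re-pairing even if someone later cancels the wipe,
# then watch the wipe timestamps: Request is set now, Sent/Ack only once the
# phone actually connects again.
Set-CASMailbox -Identity "jdoe" -ActiveSyncBlockedDeviceIDs @($lost.DeviceID)
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq $lost.DeviceID } |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The wipe is queued on the server and executes the next time the device syncs; until then DeviceWipeRequestTime is populated but DeviceWipeAckTime is empty, and a phone a thief keeps offline never receives it. That is why the policy requires device encryption: it protects the data during the window before the wipe lands, and encrypted storage is also the case that the HHS breach-notification guidance treats as secured.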

Lost Laptop with Patient Names, Treatment Summaries and Other PHI

Posted on June 21, 2009 | Written By John Lynn


This story out of Oregon came across my feeds today. It tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.

This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out if there was an EMR involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if it gets stolen there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.

2. There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down kind of like they do with stolen cars (same people from what I understand).

Once the stolen laptop is connected to the network, it will call back to the main center and receive the command to wipe out the laptop. Then, it will also give them information about where it was connected in order for police to possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.