Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Compromise Assessments & Penetration Testing in Healthcare

Posted on June 21, 2017 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident involving patient portals is any indication, then the answer is a resounding “yes.”

True Health Diagnostics, a Frisco, TX-based healthcare services company recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patient’s records by accident.  Upon investigating the issue it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and therefore view the medical information of other patients (also known as Forceful Browsing).

This recent event should serve as both a reminder and a warning to healthcare organizations using patient portals that in order to prevent a similar disclosure, implementing (and testing!) safeguards is necessary. There are two different actions an organization can take to either understand the scope of a breach and/or assess their level of security to prevent a disclosure.

Compromise Assessment: Due-Diligence Task

A compromise assessment is a due-diligence task used to verify that an organization hasn’t experienced a security breach. Essentially, it answers the question: “Have we been breached?”

Completed by a group of whitehat hackers or IS professionals, the goal is to access an organization’s various systems and verify if/when they were comprised and estimate the damage/exposure that has/could be done on their customer’s data. By gaining an understanding of the extent of the breach, the organization can in turn create a plan to remedy the issue and notify the appropriate parties of the disclosure.

Penetration Testing: Proactive Approach

In simple terms, conducting a penetration test is a proactive approach to finding any security deficiencies before a breach occurs or hackers find a way in. A penetration test answers to the question “How secure are we?”

By performing an authorized simulated attack, organizations can gain a much greater understanding of their security infrastructure. Although penetration testing alone will not ensure a network is compliant or secure, it will identify gaps between the existence threats and controls that an organization has in place.

Penetration testing has many other benefits, including:

  • Revealing where procedures may be failing – Especially if insecure services are being used for administration or if critical security patches are missing due to inadequate configuration and change management processes/procedures.
  • Exposing poor password policy – Including the use of default or weak passwords, password reuse and use of incremental passwords.
  • Justification to management – For approval of additional security technologies. For example: Showing upper management that penetration testers were able to hack into the system and email the entire customer database.
  • Acts as a “second set of eyes” – Critical if using an independent provider when hosting ePHI/PII.

Interested in more details on penetration testing? Check out HIPAA One’s penetration testing blog post.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.

Whitepaper: Is Windows 10 HIPAA Compliant?

Posted on February 22, 2017 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
HIPAA One has collaborated with Microsoft on a new whitepaper that addresses Windows 10 and HIPAA compliance.

The whitepaper, HIPAA Compliance with Microsoft Windows 10 Enterprise, provides guidance on how to leverage Microsoft Windows 10 as a HIPAA-compliant, baseline operating system for functionality and security. Additionally, the paper tackles head on (and debunks) the myth that Microsoft Windows is not HIPAA compliant.
In light of the recent focus on HIPAA enforcement actions; hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Along with adhering to HIPAA, many healthcare organizations are under pressure to broadly embrace the benefits of cloud computing and manage the security implications.

Microsoft has invested heavily in security and privacy technologies to address and mitigate today’s threats. Windows 10 Enterprise has been designed to be the most user-friendly Windows yet and includes deep architectural advancements that have changed the game when navigating hacking and malware threats. For this reason, organizations in every industry, including the Pentagon and Department of Defense have upgraded to Windows 10 Enterprise to improve their security posture. However, as with all software upgrades; functionality, security and privacy implications must be understood and addressed.

The intersection between HIPAA compliance and main stream applications can often be confusing to navigate. This industry-leading whitepaper addresses the questions and concerns that are currently top-of-mind for healthcare IT and legal professionals responsible for managing ePHI and maintain HIPAA compliance.

Download your copy today and learn now Microsoft Windows 10 Enterprise enables its users to meet and/or exceed their HIPAA Security and Privacy requirements.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.

Quality Reporting: A Drain on Practice Resources, New Study Shows

Posted on November 17, 2016 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
If time is money, medical practices are sure losing a lot of both based on the findings in a new study published in Health Affairs. The key take-a-way, practices spend an average of 785 hours per physician and $15.4 billion per year reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By embracing technology to manage labor-intensive, error-prone and mundane tasks; practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by embracing cloud-based software solutions.
physician-and-administrator-growth-over-time
This overwhelming administrative bloat and financial burden can be addressed by implementing software tools and solutions designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting your annual risk analysis through spreadsheets and other manual methods, it is time to embrace automation and a Security Risk Analysis software solution. Designed to control costs, a cloud based Security Risk Analysis solution automates 78% of the manual labor needed to calculate risk for organizations of all size.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.