Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

There’s More to HIPAA Compliance Than Encryption

Posted on March 24, 2015 I Written By

The following is a guest blog post by Asaf Cidon, CEO and Co-Founder of Sookasa.
Asaf Cidon
The news that home care provider Amedisys had a HIPAA breach involving more than 100 lost laptops—even though they contained encrypted PHI—might have served as a wake-up call to many healthcare providers.  Most know by now that they need to encrypt their files to comply with HIPAA and prevent a breach. While it’s heartening to see increased focus on encryption, it’s not enough to simply encrypt data. To ensure compliance and real security, it’s critical to also manage and monitor access to protected health information.

Here’s what you should look for from any cloud-based solution to help you remain compliant.

  1. Centralized, administrative dashboard: The underlying goal of HIPAA compliance is to ensure that ­­organizations have meaningful control over their sensitive information. In that sense, a centralized dashboard is essential to provide a way for the practice to get a lens into the activities of the entire organization. HIPAA also stipulates that providers be able to get Emergency Access to necessary electronic protected health information in urgent situations, and a centralized, administrative dashboard that’s available on the web can provide just that.
  1. Audit trails: A healthcare organization should be able to track every encrypted file across the entire organization. That means logging every modification, copy, access, or share operation made to encrypted files—and associating each with a particular user.
  1. Integrity control: HIPAA rules mandate that providers be able to ensure that ePHI security hasn’t been compromised. Often, that’s an element of the audit trails. But it also means that providers should be able to preserve a complete history of confidential files to help track and recover any changes made to those files over time. This is where encryption can play a helpful role too: Encryption can render it impossible to modify files without access to the private encryption keys.
  1. Device loss / theft protection: The Amedisys situation illustrates the real risk posed by lost and stolen devices. Amedisys took the important first step of encrypting sensitive files. But it isn’t the only one to take. When a device is lost or stolen, it might seem like there’s little to be done. But steps can and should be taken to decrease the impact a breach in progress. Certain cloud security solutions provide a device block feature, which administrators can use to remotely wipe the keys associated with certain devices and users so that the sensitive information can no longer be accessed. Automatic logoff also helps, because terminating a session after a period of inactivity can help prevent unauthorized access.
  1. Employee termination help: Procedures should be implemented to prevent terminated employees from accessing ePHI. But the ability to physically block a user from accessing information takes it a step further. Technical tools such as a button that revokes or changes access permission in real-time can make a big impact.

Of course encryption is still fundamental to HIPAA compliance. In fact, it should be at the center of any sound security policy—but it’s not the only step to be taken. The right solution for your practice will integrate each of these security measures to help ensure HIPAA compliance—and overall cyber security.

About Asaf Cidon
Asaf Cidon is CEO and co-founder of cloud security company Sookasa, which encrypts, audits and controls access to files on Dropbox and connected devices, and complies with HIPAA and other regulations. Cidon holds a Ph.D. from Stanford University, where he specialized in mobile and cloud computing.

What Is Population Health?

Posted on I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This is a really important question that I think healthcare leaders across the country and even the world are trying to figure out. This video does a pretty good job of explaining the current state of population health.

We’d love to hear your thoughts and comments on population health as it stands today and where it’s headed in the comments.