Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Does Your HIPAA Risk Analysis Tool Protect Your Practice?

Posted on December 15, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Fourth quarter signifies more than a countdown to the holidays, many healthcare organizations are met with the realization that it is time to complete HIPAA risk analysis in order to comply with MACRA – MIPS. Of course, HIPAA risk analyses are nothing new, practices should be conducting  them regularly,  in light of the HIPAA Omnibus Rule which gave teeth to the regulations and made  an annual HIPAA risk analysis a requirement for every healthcare organization.

Recently, I was recently reading a blog post by HIPAA One called “Not All Risk Analysis Tools Created Equal” and it made me think about the requirements for a bona fide risk analysis. I realize that HIPAA One provides a risk analysis solution and therefore, approaches the conversation as a vendor would, however, they are also deeply embedded in the HIPAA risk assessment world and have a unique understanding of what’s happening.

I’ve seen first-hand the principle they describe in the post with many medical practices. Most medical practices are so overwhelmed  with the daily grind of dealing with staff issues, schedules, billing, supplies, etc that it’s hard for them to distinguish between a high quality risk analysis tool and one that was built 3 years ago and hasn’t been updated since then.

In HIPAA One’s blog post they offered a list of what you should look for in a HIPAA risk analysis solution and I think this is a great  starting point for any organization that needs a tool or is evaluating their existing tool:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines if your workplace meets each of the HIPAA requirements as selected the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis –Bona Fide security risk analysis which digs into any non-compliant areas along with a calculation tool that addresses which gaps are low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST800-30 rev1 and NIST 800-53 rev 4).
  5. Remediation Plan – This documented plan answers the questions: “Who will do what by when” in regards to remediating gaps in compliance.
  6. Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance by proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year take a new “snapshot” performing steps 2-6 on any changes that happened from the previous year.

The item on this list that I see fall short in many solutions and services on the market today is the remediation plan. It’s amazing how many tools only account for a risk analysis, and do not provide any guidance on creating remediation plans for any risks you find. That’s a big deal and could leave you in trouble if your practice is ever audited and hasn’t remediated any of your security deficiencies .

The good news is that HIPAA risk analysis tools have come a long way over the years. ]  Much like you need to make sure EHR vendors are updating and improving their systems to meet your needs and comply with changes in government regulations, the same is true with HIPAA risk analysis tools. Make sure you take the time needed to ensure the quality of the tools and services you’re using. Ignorance is not bliss when a HIPAA audit occurs.

Note: HIPAA One is a Healthcare Scene sponsor.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team.  We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches where more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, that Cottage Health’s insurance company is trying to recover, because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AG’s the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage health generated over $746 million in revenue and had 3,120 employees.  Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, basic IT security like passwords and firewalls, means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.

Vanderbilt Disputes Suggestion That Larger Hospitals’ Data Is Less Secure

Posted on November 27, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Ordinarily, disputes over whose data security is better are a bit of a snoozer for me. After all, if you’re not a security expert, much of it will fly right over your head, and that “non-expert” group definitely includes me. But in this case, I think the story is worth a closer look, as the study in question seems to include some questionable assumptions.

In this case, the flap began in June, when a group of researchers published a study in JAMA Internal Medicine which laid out analysis of HHS statistics on data breaches reported between late 2009 to 2016. In short, the analysis concluded that teaching hospitals and facilities with high bed counts were most at risk for breaches.

Not surprisingly, the study’s conclusions didn’t please everyone, particularly the teaching-and high-bed-count hospitals falling into its most risky category. In fact, one teaching hospitals’ researchers decided to strike back with a letter questioning the study’s methods.

In a letter to the journal editor, a group from Nashville-based Vanderbilt University suggested that the study methods might hold “inherent biases” against larger institutions. Since HHS only requires healthcare facilities to notify the agency after detecting a PHI breach affecting 500 or more patients, smaller, targeted attacks might fall under its radar, they argued.

In response, the authors behind the original study admitted that the with the reporting level for PHI intrusions starting at 500 patients, larger hospitals were likely to show up in the analysis more often. That being said, the researchers suggested, large hospitals could easily be a more appealing target for cybercriminals because they possess “a significant amount of protected health information.”

Now, I want to repeat that I’m an analyst, not a cybersecurity expert. Still, even given my limited knowledge of data security research, the JAMA study raises some questions for me, and the researchers’ response to Vanderbilt’s challenge even more so.

Okay, sure, the researchers behind the original JAMA piece admitted that the HHS 500-patient threshold for reporting PHI intrusions skewed the data. Fair enough. But then they started to, in my view at least, wander off the reservation.

Simply saying that teaching hospitals and hospitals with more beds were more susceptible to data breaches simply because they offer big targets strikes me as irresponsible. You can’t always predict who is going get robbed by how valuable the property is, and that includes when data is the property. (On a related note, did you know that older Toyotas are far more likely to get stolen than BMWs because it’s easier to resell the parts?  When I read about that trend in Consumer Reports it blew my mind.)

Actually, the anecdotes I’ve heard suggests that the car analogy holds true for data assets — that your average, everyday cyber thief would rather steal data from a smaller, poorly-guarded healthcare organization then go up against the big guns that might be part of large hospitals’ security armament.

If nothing else, this little dispute strongly suggests that HHS should collect more detailed data breach information. (Yes, smaller health organizations aren’t going to like this, but let’s deal with those concerns in a different article.) Bottom line, if we’re going to look for data breach trends, we need to know a lot more than we do right now.

HIPAA May be the Least of Your Compliance Worries

Posted on November 21, 2017 I Written By

The following is a guest blog post by Mike Semel from Semel Consulting.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

What requirements have you hidden away?

I visited a new healthcare client last week, and asked if anything in particular made them call us for help with their HIPAA compliance. They surprised me by saying that their insurance company had refused to sell them a cyber-liability/data breach insurance policy, after they saw the answers on our client’s application.

When was the last time you heard about an insurance company not selling a policy? That’s like McDonalds looking you over, and then refusing to sell you a Big Mac.

Our client was scared that they would have to risk the full financial burden of a data breach, which, based on the number of medical records they have, could exceed $10 million.

Everyone knows that HIPAA is a compliance requirement. But it isn’t the only one you should focus on. Use my definition of Compliance, which is, simply, having to do things required by OTHERS.

We personally deal with compliance requirements all the time. We stop at traffic lights. We have our car inspected. We fasten our seat belts. We empty our pockets at airport security. We pay our bills on time. At work, we wear an ID badge, show up on time, and park in an approved space. At home, we take our dirty shoes off before walking on the carpet. There are risks associated with NOT doing each of these things.

It can be a big mistake to focus so much on HIPAA that you forget other compliance requirements, including:

  • Other Federal and State Laws
  • Industry Requirements
  • License Requirements
  • Contractual Obligations
  • Insurance Requirements
  • Lawsuits

You should not take the narrow HIPAA approach, like buying a policy manual, using an online ‘We Make HIPAA Easy’ service, or think hiring out a Security Risk Analysis is going to make you compliant.

When we work with our clients, before we get started we help you identify all your compliance requirements.

OTHER FEDERAL REGULATIONS

Depending on the services you offer, you may be required to comply with other federal regulations, like Title 42, governing substance abuse treatment.

The Federal Trade Commission has come down hard on data breaches, including the controversial closure of a small medical lab. The FTC looks at patients as consumers, and considers a data breach to be an Unfair Business Practice because the organization losing the data failed to protect its consumers, and is in violation of its Notice of Privacy Practices.

STATE LAWS

Forty-eight states, plus DC and Puerto Rico, have data breach laws. Most states protect Personally Identifiable Information (PII), including driver’s license and Social Security numbers. Some states cover medical records, no matter who has them, while HIPAA only covers medical records held by certain types of organizations. Some of the state laws change the reporting requirements after a breach of patient records. For example, California requires patient notification within 15 days, instead of the 60-day maximum permitted by HIPAA.

Most states have separate laws requiring confidentiality of mental health, HIV, substance abuse, or STD treatment records. State attorneys general are willing to cross their state lines to protect the confidentiality of their voters.

We work with our clients to identify the states where your patients come from, not only where you are located. We build an Incident Management program that includes each applicable notification and reporting requirement.

INDUSTRY REQUIREMENTS

Industry requirements include PCI-DSS, the data security standards protecting credit card information. PCI stands for the Payment Card Industry. While not a law, if you don’t comply with PCI you can be prevented from accepting credit cards. What would that do to your bottom line and patient satisfaction?

LICENSING

Licensing requirements protecting patient confidentiality go back long before HIPAA, which became law in 1996. In 1977, 19 years before HIPAA, I became an Emergency Medical Technician (EMT). The first class I took was about maintaining confidentiality. After that, I knew that violating a patient’s confidentiality could cost me my license.

Think about your license, your certifications, even the Code of Ethics in your professional association. If I really wanted to get back at someone for violating my confidentiality, my first complaint would be to their licensing board, even before I submitted a complaint to their employer or the federal government. Losing your license may kill your career, and being investigated by your licensing board will certainly get your attention.

When you are justifying the costs related to Security and Compliance, be sure to quantify the effect on your income, lifestyle, and retirement, if you were to lose your license.

CONTRACTS

Many of our clients have signed contracts with other organizations, that include cyber security requirements as a contractual obligation to do business together. These contracts are often reviewed by attorneys, signed by executives, and then filed away. The requirements are not always communicated to the people on the front lines.

In 2012, Omnicell, a drug cart manufacturer, breached the records of 68,000 patients when an employee’s unencrypted laptop was stolen. The health systems – clients of Omnicell –  announced that Omnicell’s contract with them included a requirement that patient data would only be stored on encrypted devices. The loss of the laptop became a breach of contract discussion, not just a simple data breach.

My guess is that the contract was signed, and then just filed away. I don’t think Omnicell’s purchasing department was told it was supposed to order encrypted laptops for its field technicians. I don’t think its IT department knew it had a contractual obligation to install encryption on all laptops, and I doubt the field tech knew he was violating a contract when he transferred patient data to his unencrypted computer. Worse, no one who was aware of the contract requirements was auditing the company’s compliance.

During a recent client visit, I asked if our client had signed any contracts with their clients. She went through a list that included one of the top health systems in the country. I’m not a lawyer, but I asked to see the contract, because I knew the health system had included cyber security requirements as a contractual obligation with our other clients.

After a few minutes, she returned with the file folder containing the contract. I found the cyber security section, and read it to her. I asked if her company was meeting the requirements in the contract. She said no. I asked her what the future of her business would look like if they lost the business of one of the country’s leading health systems, because they breached their contract. She replied that her business probably would not survive.

We focused our project around meeting the specific requirements of their contract, not the vague and flexible requirements in HIPAA.

INSURANCE

Cyber Liability (also known as Data Breach) Insurance is a popular line of revenue for insurance companies. Unlike malpractice insurance, which assumes you will make a mistake, cyber insurance may only protect you if you are doing all the things you included on your insurance application. It may pay a claim only if you are doing everything correctly, and still suffer a breach. What you answer on the application may come back to haunt you.

In 2013, Cottage Health’s IT vendor accidently published a file server to the Internet, exposing patient information. Patients Googling themselves got back their medical records. The patients filed a class action suit, so Cottage Health brought in Columbia Casualty, their cyber liability insurance provider, to provide legal representation, and settle the claim.

The lawsuit was settled for $4.1 million, which was paid by Columbia Casualty. Columbia told Cottage Health that, even though it was making the payment, it still reserved its rights and would continue investigating the case.

Columbia Casualty then sued its own client, Cottage Health, to get the $ 4.1 million back. It said it determined that Cottage Health had made misstatements when it answered questions on the original policy application, including that it regularly maintained security patches on its devices. Columbia also said it should be excluded from losses because Cottage Health failed to continuously maintain the level of security stated on its application.

The lawsuit said that it did not matter if Cottage Health was mistaken, or had intentionally lied on the application.

As part of our assessments, we review insurance applications. When we work with our clients, we help you implement consistent programs to maintain the level of security you claim on your application.

LAWSUITS

While you don’t comply with a lawsuit, watching court cases can help you understand your risks and how to protect your organization.

Many people think that a HIPAA Notice of Privacy Practices is just a basic brochure you have to include with new patient paperwork. A patient is suing her doctor for negligence after her information was shared without her authorization. She claimed that the practice did not follow its Notice of Privacy Practices, and the Connecticut Supreme Court upheld that HIPAA can be used as a Standard of Care in a negligence suit.

Walgreen’s lost $1.44 million in a lawsuit after a pharmacist breached a customer’s confidentiality. Walgreens proved its pharmacist had received HIPAA training and had signed a confidentiality agreement. The company said it had done everything possible to prevent the breach. The jury disagreed.

By looking at law suits you can see that attorneys are using compliance requirements as the basis for claims. That can be scarier compared to the likelihood is that the federal government will make the effort to go after you.

LESSONS LEARNED

It’s really easy to focus just on HIPAA and think you are compliant. It’s also a mistake.

HIPAA is vague. It is flexible, giving you a lot of freedom to choose how to comply with the regulation. The ‘HIPAA-in-a-Box’ solutions can give you a false sense of Security and Compliance, because they are so narrowly focused.

The Federal Trade Commission can assess stronger penalties than the OCR, the federal agency that enforces HIPAA. The FTC has put businesses on 20-year monitored compliance programs. When we work with our clients, we help you create written evidence that your security policies and procedures are working.

State laws can change your patient reporting requirements. They also protect confidential information you have for your workforce members. Your Incident Management program can’t just focus on HIPAA.

Industry requirements can be very serious. Can you risk not accepting credit cards? Contact the merchant service that processes your cards to make sure you are complying with PCI-DSS.

Verify the reporting requirements of the entities that license your staff. You may have an obligation to report a breach to them, instead of waiting for someone to file a complaint.

Review the contracts you have in your files for cyber security requirements, and note any in new contracts you are about to sign. Make sure everyone in your organization who must comply with the contract requirements know about them.

You can’t buy insurance instead of doing the right things to protect data. However, if you do things right insurance may save you millions of dollars. You should review your policy application every quarter, and demand evidence from your IT department or vendor that you are in compliance with the policy requirements. Too much work? Would you rather have your insurance company fail to pay a multi-million-dollar claim?

Keep repeating to yourself, “Compliance isn’t just about HIPAA” and uncover the rest of your compliance requirements.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Nuance Takes Page from Healthcare Clients in Petya Outage Aftermath

Posted on November 6, 2017 I Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

On June 27th the Petya Malware (or NotPetya or ExPteya) struck Nuance Communications (NASDAQ: NUAN). For days the company’s eScription speech-recognition platform were unavailable, forcing thousands of healthcare clients to find alternatives for their medical transcription. During the crisis and in the weeks that followed, Nuance borrowed a page from their healthcare clients: not offering false hope and deconstructing the incident to learn from it.

At the recent CHIME Fall Forum in San Antonio Texas, I had the opportunity to sit down with Brenda Hodge, Chief Marketing Officer – Healthcare and Ed Rucinski, Senior Vice President of World Wide Healthcare Sales of Nuance to talk about the Petya outage and where the company is headed.

“The challenge we faced with Petya brought us all together as a company,” explained Ed. “When our systems went offline, the entire organization rallied together. We had engineers and support staff who slept at the office on couches and cots. We had developers who went with less than 2hrs of sleep for 4 days straight because they wanted to help clients and bring our systems back online as quickly as possible. We became a nameless and rank-less organization working towards a common goal.”

As the outage went from minutes to hours to days, Nuance resisted the temptation to offer false hope to its clients. Instead, the company opted to be truthful and transparent. Nuance sent emails and directly called clients to let them know they had suffered a cyber attack, that the full extent of the damage was not known and that they did not know when their systems would be back online. The company did, however, commit to providing regular updates and being available to answer questions and address concerns.

The following is an abbreviated excerpt from a Nuance communication posted online by one of its clients:

Nuance corporate systems were unfortunately affected by a global cyber attack today. We went into immediate security protocol by shutting down our hosted production systems and platforms. There is no update at this time as to when the accounts will be back online but we will be holding regular calls throughout the day and night to gain insight into the timeline for resolution and I will update you again when I have more info. We are sorry for the inconvenience this outage has caused and we are working diligently to get things back online.

Clinicians are coached never to give patients in crisis or their families false hope. They calmly explain what happened, state the facts and talk about potential next steps. They do not, however, say that “things will be alright”, even though they know that is what everyone desperately wants to hear. Nuance used this same protocol during the Petya outage.

The company also used protocols similar to those used following an adverse event.

Healthcare is complex and despite the best efforts and best intentions of care teams, errors occur. These errors are referred to as adverse events. Adverse events that impact patient safety or that cause actual harm to patients are thoroughly documented, deconstructed and analyzed by clinical leaders as well as risk managers. The lessons gleaned from these unfortunate events are captured and used to improve operations. The goal is to prevent or mitigate the impact of similar events in the future.

After their systems were fully restored, the Nuance team embarked on a thorough review of the incident – from technical procedures to client communication protocols.

“We learned a lot through this incident” says Hodge. “We got a first-hand education on how sophisticated malware has become. We’ve gone from viruses to malware to ransomware to coordinated nation-state attacks. That’s what Petya really is – a coordinated attack on company infrastructure. Now that we have been through this type of attack, we have put in new processes and technologies to prevent similar attacks in the future. Most importantly we have made investments in improving our response to these types of attacks.”

Nuance has gone one step further. They have committed to sharing their painful lessons learned with other companies and healthcare institutions. “Like it or not, we are all in this together”, continued Hodge. “The Petya attack came on the heels of the WannaCry ransomware attack that impacted many of our healthcare clients – so there was a lot of empathy from our clients. In fact this whole incident has created a sense of solidarity in the healthcare technology community. Cyber attacks are not going to stop and we need to come together as an industry so that we are as prepared as we can be for the next one.”

“It’s unfortunate that it took an incident like this to show us what we are made of,” says Rucinski. “We had executives making coffee and fetching lunch for the support teams. We had leaders offering to run errands for staff because they knew they were too tired to keep up with those types of things. In the end we found out we truly embody the values and principles that we have hanging on posters around the office.”

New Service Brings RCM Process To Blockchain

Posted on October 6, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Much of the discussion around blockchain (that I’ve seen, at least) focuses on blockchain’s potential as a platform for secure sharing of clinical data. For example, some HIT experts see blockchain as a near-ideal scalable platform for protecting the privacy of EHR-based patient data.

That being said, blockchain offers an even more logical platform for financial transactions, given its origins as the foundation for bitcoin transactions and its track record of supporting those transactions efficiently.

Apparently, that hasn’t been lost on the team at Change Healthcare. The Nashville-based health IT company is planning to launch what it says is the first blockchain solution for enterprise-scale use in healthcare. According to a release announcing the launch, the new technology platform should be online by the end of this year.

Change Healthcare already processes 12 billion transactions a year, worth more than $2 trillion in claims annually.  Not surprisingly, the new platform will extend its new blockchain platform to its existing payer and provider partners. Here’s an infographic explaining how Change expects processes will shift when it deploys blockchain:

Change_Healthcare_Intelligent_Healthcare_Network_Workflow_Infographic

To build out blockchain for use in RCM, Change is working with customers, as well as organizations like The Linux Foundation’s Hyperledger project.

Hyperledger encompasses a range of tools set to offer new, more-standardized approaches to deploying blockchain, including Hyperledger Cello, which will offer access to on-demand “as-a-service” blockchain technology and Hyperledger Composer, a tool for building blockchain business networks and boosting the development and deployment of smart contracts.

It’s hard to tell how much impact Change’s blockchain deployment will have. Certainly, there are countless ways in which RCM can be improved, given the extent to which dollars still leak out of the system. Also, given its existing RCM network, Change has as good a chance as anyone of building out blockchain-based RCM.

Still, I’m wondering whether the new service will prove to be a long-term product deployment or an experiment (though Change would doubtless argue for the former). Not only that, given its relatively immature status and the lack of broadly-accepted standards, is it really safe for providers to rely on blockchain for something as mission-critical as cash flow?

Of course, when it comes to new technologies, somebody has to be first, and I’m certainly not suggesting that Change doesn’t know what it’s doing. I’d just like more evidence that blockchain is ready for prime time.

Top Five Challenges of Healthcare Cloud Deployments and How to Solve Them

Posted on October 2, 2017 I Written By

The following is a guest blog post by Chad Kissinger, Founder of OnRamp.

According to the HIMSS 2016 Survey, 84 percent of providers are currently using a cloud service, showing security and compliance issues are not preventing organizations from deploying cloud environments. Despite growing adoption rates, breaches and security incidents continue to rise. Cloud deployments and ongoing environment management errors are to blame. 

Cloud services offer clear benefits—performance, cost savings, and scalability to name a few—so it’s no wonder healthcare organizations, like yours, are eager to take advantage of all that the cloud has to offer. Unfortunately, vulnerabilities are often introduced to your network when you adopt new technology. Let’s discuss how to identify and overcome common challenges in secure, compliant cloud deployments so you can opportunistically adopt cloud-based solutions while remaining on the right side of the law.

1. Ambiguous Delegation of Responsibilities
When technology is new to an organization, the responsibility of finding and managing that solution is often unclear. You must determine who owns your data. Is it your IT Department? Or perhaps your Security Department? It’s difficult to coordinate different people across departments, and even more difficult to communicate effectively between your organization and your provider. The delegation of responsibilities between you and your business associate will vary based on your service model—i.e. software as a service, infrastructure as a service, etc.

To prevent these issues, audit operational and business processes to determine the people, roles, and responsibilities for your team internally. Repeat the process for those services you will outsource to your cloud provider. Your business associate agreement should note the details of each party’s responsibilities, avoiding ambiguity and gaps in security or compliance. Look for provider credentials verified by third-party entities that demonstrate security levels at the data center level, such as HITRUST CSF and SSAE 16 SOC 2 Type 2 and SOC3.

2.    Lack of Policies, Standards, and Security Practices
If your organization doesn’t have a solid foundation of policies, standards, and security practices, you will likely experience one or more of the security-related issues outlined below. It’s necessary to not only create policies, but also ensure your organization is able to enforce them consistently.

  • Shadow IT. According to a recent HyTrust Cloud Survey of 51 organizations, 40% of cloud services are commissioned without IT input.
  • Cloud Portability and Mobility. Mitigating risks among many endpoints, from wearables to smart beds, becomes more difficult as you add more end points.
  • Privileged User Access. Divide your user access by work role and limit access to mitigate malicious insider attacks.
  • Ongoing Staff Education and Training. Your team needs to be properly trained in best practices and understand the role that they play in cybersecurity.

Proper security and compliance also involves the processes that safeguard your data and the documentation that proves your efforts. Such processes include auditing operational and business processes, managing people, roles and identities, ensuring proper protection of data and information, assessing the security provisions for cloud applications, and data decommissioning.

Communicate your security and compliance policies to your cloud provider to ensure their end of the operations falls in line with your overall plan.

3. Protecting Data and Meeting HIPAA Controls
The HIPAA Privacy Rule, the HIPAA Security Rule, and HITECH all aim to secure your electronic protected health information (ePHI) and establish the national standards. Your concern is maintaining the confidentiality, availability, and integrity of sensitive data. In practice, this includes:

  • Technology
  • Safeguards (Physical & Administrative)
  • Process
  • People
  • Business Associates & Support
  • Auditable Compliance

Network solution experts recognize HIPAA compliant data must be secure, but also needs to be readily available to users and retain integrity across platforms. Using experienced cloud solution providers will bridge the gap between HIPAA requirements, patient administration, and the benefit of technology to treat healthcare clients and facilitate care.

Seek the right technology and implement controls that are both “required and addressed” within HIPAA’s regulations. When it comes to security, you can never be too prepared. Here are some of the measures you’ll want to implement:

  • Data encryption in transit and at rest
  • Firewalls
  • Multi-factor Authentication
  • Cloud Encryption Key Management
  • Audit logs showing access to ePHI
  • Vulnerability scanning, intrusion detection/prevention
  • Hardware and OS patching
  • Security Audits
  • Contingency Planning—regular data backup and disaster recovery plan

The number one mistake organizations make in protected data in a cloud deployment is insufficient encryption, followed by key management. Encryption must be FIPS 140-2 compliant.

4.    Ensuring Data Availability, Reliability, and Integrity
The key to service reliability and uptime is in your data backups and disaster recovery (DR) efforts. Data backup is not the same as disaster recovery—this is a common misconception. Data backup is part of business continuity planning, but requires much more. There’s a gap between how organizations perceive their track records and the reality of their DR capabilities. The “CloudEndure Survey of 2016” notes that 90% of respondents claim they meet their availability, but only 38% meet their goals consistently, and 22% of the organizations surveyed don’t measure service availability at all. Keep in mind that downtime can result from your cloud provider—and this is out of your control. For instance, the AWS outage earlier this year caused a ruckus after many cloud-based programs stopped functioning.

5.    Ability to Convey Auditable Compliance (Transparency)
Investors, customers, and regulators cannot easily discern that your cloud environment is compliant because it’s not as visible as other solutions, like on-premise hosting. You will have to work closely with your cloud provider to identify how to document your technology, policies, and procedures in order to document your efforts and prove auditable compliance.

Putting It All Together
The cloud provides significant advantages, but transitioning into the cloud requires a thorough roadmap with checkpoints for security and compliance along the way. Remember that technology is just the first step in a secure cloud deployment—proper security and compliance also involves the processes that protect your sensitive data and the documentation that proves your compliance efforts. You’ll want to identify resources from IT, security and operations to participate in your cloud deployment process, and choose a cloud provider that’s certified and knowledgeable in the nuances of healthcare cloud deployments.

For more information download the white paper “HOW TO DEPLOY A SECURE, COMPLIANT CLOUD FOR HEALTHCARE.”

About OnRamp

OnRamp is a HITRUST-certified data center services company that specializes in high security and compliant hybrid hosting and is a proud sponsor of Healthcare Scene. Our solutions help organizations meet compliance standards including, HIPAA, PCI, SOX, FISMA and FERPA. As an SSAE 16 SOC 2 Type 2 and SOC 3, PCI-DSS certified, and HIPAA compliant company, OnRamp operates multiple enterprise-class data centers to deploy cloud computing, colocation, and managed services. Visit www.onr.com or call 888.667.2660 to learn more.

HHS HIPAA Breach Wall of Shame Updated

Posted on August 28, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The new design is nice and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by having them on the list? Of course, it is still available on the archive.

Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (only includes breaches of 500 people or more). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis of the data. Here’s a look at the data the tool provides:

The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).

I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.

Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. Looks like HHS collects it when someone files a breach. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of actions taken by those that were breached.

What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.

Business Associates are NOT Responsible for Clients’ HIPAA Compliance, BUT They Still Might Be At-Risk

Posted on August 25, 2017 I Written By

The following is a guest blog post by Mike Semel from Semel Consulting.

“Am I responsible for my client’s HIPAA compliance?”

“What if I tell my client to fix their compliance gaps, and they don’t? Am I liable?”

“I told a client to replace the free cable Internet router with a real firewall to protect his medical practice, but the doctor just won’t spend the money. Can I get in trouble?”

“We are a cloud service provider. Can we be blamed for what our clients do when using our platform?”

 “I went to a conference and a speaker said that Business Associates were going to be held responsible for their clients’ compliance. Is this true???”

I hear questions like these all the time from HIPAA Business Associates.

The answers are No, No, No, No, and No.

“A business associate is not liable, or required to monitor the activities of covered entities under HIPAA, but a BA has similar responsibilities as a covered entity with respect to any of its downstream subcontractors that are also BA’s,” said Deven McGraw, Deputy Director for Health Information Privacy, US Department of Health and Human Services Office for Civil Rights (OCR), Acting Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology. on August 17, 2017.

So, while you aren’t responsible for your clients’ HIPAA compliance, what they do (or don’t do) still might cost you a lot, if you aren’t careful.

In my book, How to Avoid HIPAA Headaches, there are stories about HIPAA Covered Entities that suffered when their Business Associates failed to protect PHI. North Memorial Health Care paid $ 1.55 million in HIPAA penalties based on an investigation into the loss of an unencrypted laptop by one of its Business Associates, Accretive Health.

Cottage Health, a California healthcare provider, is being sued by its insurance company to get $ 4.1 million back from a settlement after Cottage Health’s IT vendor, a Business Associate,  accidently published patient records to the Internet.

Your marketing activities; what you and your salespeople say to prospects and clients; and your written Terms & Conditions; may all create liability and financial risks for you. These must be avoided.

Semel Consulting works with a lot of Business Associates.

Many are IT companies, because I spent over 30 years owning my own IT companies. I’ve been the Chief Information Officer for a hospital and a K-12 school district, and the Chief Operating Officer for a cloud backup company. I now lead a consulting company that helps clients address their risks related to regulatory compliance, cyber security, and disaster preparedness. I speak at conferences, do webinars, and work with IT companies that refer their clients to us.

I look at the world through risk glasses. What risks do our clients have? How can I eliminate them, minimize them, or share them? When we work with our healthcare and technology industry clients, we help you identify your risks, and quantify them, so you know what resources you should reasonably allocate to protect your finances and reputation.

Under HIPAA, compliance responsibility runs one way – downhill.

Imagine a patient on top of a hill. Their doctor is below the patient. You are the doctor’s IT support company, below the doctor, and any vendors or subcontractors you work with are below you.

The doctor commits to the patient that he or she will secure the patient’s Protected Health Information (PHI) in all forms – verbal, written, or electronic. This is explained in the Notice of Privacy Practices (NPP) that the doctor gives to patients.

Under HIPAA, the doctor is allowed to hire vendors to help them do things they don’t want to do for themselves. Vendors can provide a wide variety of services, like IT support; paper shredding; consulting; malpractice defense; accounting; etc. The patient is not required to approve Business Associates, and does not have to know that outsourcing is happening. This flexibility is also explained in the patient’s Notice of Privacy Practices.

As a vendor that comes in contact with PHI, or the systems that house it, you are a HIPAA Business Associate. This requires you to sign Business Associate Agreements and, since 2013, when the HIPAA Omnibus Final Rule went into effect, it also means that you must implement a complete HIPAA compliance program and be liable for any breaches you cause.

IT companies may decide to resell cloud services, online backup solutions, or store servers in a secure data center. Since the HIPAA Omnibus Final Rule went into effect, a Business Associate’s vendors (known as subcontractors) must also sign Business Associate Agreements with their customers, and implement complete HIPAA compliance programs.

Because compliance responsibility runs downhill, the doctor is responsible to the patient that his Business Associates will protect the patient’s confidential information. The Business Associates assures the doctor that they, and their subcontractors, will protect the patient’s confidential information. Subcontractors must commit to Business Associates that they will protect the information. A series of two-party agreements are required down the line from the doctor to the subcontractors.

It doesn’t work the other way. Subcontractors are not responsible for Business Associates, and Business Associates are not responsible for Covered Entities, like doctors.

HIPAA compliance responsibility, and legal and financial liability, are different.

A HIPAA Covered Entity is responsible for selecting compliant vendors. Business Associates are responsible for selecting compliant subcontractors. Subcontractors must work with compliant subcontractors.

Because Covered Entities are not liable for their Business Associates, and Business Associates are not liable for their Subcontractors, they are not required to monitor their activities. But, you still need to be sure your vendors aren’t creating risks. The Office for Civil Rights (OCR) says that:

… if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights. See 45 CFR 164.504(e)(1).

With respect to business associates, a covered entity is considered to be out of compliance with the Privacy Rule if it fails to take the steps described above. If a covered entity is out of compliance with the Privacy Rule because of its failure to take these steps, further disclosures of protected health information to the business associate are not permitted.

In its Cloud Service Provider (CSP) HIPAA Guidance released in 2016, the OCR said:

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.  See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. 

Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.  For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),[3] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

How can a Business Associate be affected by a client’s compliance failure?  Here are some scenario’s.

(FYI, I am not a lawyer and this is not legal advice. These ideas came out of meetings I had with my attorney to review our contracts and our marketing. Talk to your lawyer to make sure you are protected!)

  1. IT companies should never tell your client, “We’ll be responsible for your IT so you can focus on your medical practice.”

Sound familiar? This is what many IT Managed Service Providers tell their prospects and clients.

Then the client has a data breach because they were too cheap to buy a firewall, they refused to let you implement secure passwords because it would inconvenience their staff, or they lost an unencrypted thumb drive even though you had set up a secure file sharing platform.

Someone files a HIPAA complaint, the OCR conducts an investigation, and your client pays a big fine. Then they sue you, saying you told them IT was your responsibility. Maybe they misunderstood what you included in your Managed Services. Maybe you did not clearly explain what responsibility you were accepting, and what IT responsibility was still theirs. Either way, you could spend a lot on legal fees, and even lose a lawsuit if a jury believes you made the client believe you were taking over their compliance responsibility.

  1. You must clearly identify what is, and what is not, included in your services.

Your client pays you a monthly fee for your services. Then they have a breach. They may expect that all the tasks you perform, and the many hours of extra labor you incur, are included in their monthly fee. They get mad when you say you will be charging them for additional services, even though they have just hired a lawyer at $ 500 per hour to advise them. Without written guidelines, you may not be able to get paid.

  1. You must be sure you get paid if your client drags you into something that is not your fault.

Imagine you were the IT company that set up an e-mail server for a recent presidential candidate. As unlikely as this may sound, this becomes a political issue. You just did what the client requested, but now you must hire attorneys to advise you. You must hire a public relations firm to deal with the media inquiries and protect your name in the marketplace. You must send your techs and engineers – your major source of a lot of income – to Washington for days to testify in front of Congress, after they spent more unbillable time preparing their testimony.

Who pays? How do you keep from losing your client? How do you protect your reputation?

HOW TO PROTECT YOUR FINANCES AND YOUR REPUTATION

  • Make sure you and your salespeople are careful to not overpromise your services. Make sure you and your sales team tell your prospects and clients that they are always ultimately responsible for their own security and compliance.
  • Make sure your contracts and Terms and Conditions properly protect you by identifying what services are/aren’t covered, and when you can bill for additional services. Don’t forget to include your management time when sending bills. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • State in your Terms & Conditions that you will be responsible for your own company’s compliance (you are anyway) but that you are not responsible for your clients’ compliance.
  • Include terms that require your client to pay for ALL costs related to a compliance violation, government action, investigation, lawsuit, or other activity brought against them, that requires your involvement. Use a competent lawyer familiar with your needs to write your agreements and advise you on any agreements presented to you by others.
  • My attorney said we should include “change in government regulations” in our Force Majeure clause to allow us to modify our contract or our pricing before a contract expires. The 2013 HIPAA Omnibus Rule created a lot of expensive responsibilities for Business Associates. You don’t want to get stuck in an existing contract or price model if your costs suddenly increase because of a new law or rule.
  • Get good Professional Liability or Errors & Omissions insurance to protect you if you make a mistake, are sued, or dragged into a client’s investigation. Make sure you understand the terms of the policy and how it covers you. Make sure it includes legal representation. Ask for a custom policy if you need special coverage.
  • Make a negative a positive by promoting that you offer the specialized services clients will need in case they are ever audited, investigated, or sued.

If you do this right, you will protect your business and leverage compliance to increase your profits. When you focus on compliance, you can get clients willing to pay higher prices because you understand their compliance requirements. I know. I have generated millions of dollars in revenue using compliance as a differentiator.

About Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA (and other regulatory) compliance; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health it leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cyber security threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500 which, according to HIMSS is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer.  In its press release covering the survey, it noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns was cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?