Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HIPAA Breach Investigations – What You Should Know

Posted on September 5, 2018 I Written By

The following is a guest blog post by Moazzam Adnan Raja, Vice President of Marketing at Atlantic.Net.

Correctly handling a HIPAA breach recovery will benefit from a well-prepared and systematic approach. Investigation is one of a few key elements to consider, alongside speed, notification, and risk assessment. The specific issue of time deserves closer examination, as does the incorporation of risk management and auditing processes.

4 pillars of HIPAA breach response

Here are four key elements or pillars of a strong HIPAA breach response, a framework provided by Brach Eichler healthcare attorney Lani M. Dornfeld, that can be helpful in guiding your own response, as well as setting expectations with your healthcare hosts and other business associates:

Speed – Moving rapidly in response to a breach is fundamental to limiting the damage. Put together an investigation and response team, which should include the HIPAA security officer and HIPAA privacy officer, along with an attorney as necessary. You may want to standardly include your attorneys, along with members of a HIPAA compliance committee, if your organization is larger and requires more sophisticated oversight. The board of trustees and board of directors could also be included.

Investigation – The way that an investigation is conducted will depend heavily on the nature and scope of the breach. There is, of course, the issue of responsibility to patients but also liability to the organization. For the latter, Dornfeld noted, “If cloaking the investigation in the attorney-client privilege will be to your strategic advantage, then you will need to be counseled about how to manage the flow of information to maintain the privilege.” Breaches often occur because of internal errors by your staff, such as disclosure without proper authorization (e.g., telling a friend confidential patient information) or accidental disclosure to the incorrect party (e.g., sending a letter to the wrong address). Incredibly, insiders are responsible for more than half (58%) of healthcare breaches impacting electronic protected health information (ePHI), per a study released in March by Verizon. When breaches occur due to the insider threat, at the minimum, you want to conduct private interviews with relevant parties, with another person there to assist in asking questions and determining perceived honesty. Beyond what you are able to glean from interviews, it will also help to get any supporting evidence – which may include copies of social media posts, letters, or emails, as well as information from the data system. (Related to investigation, see the discussion of time below.)

Notification – Letting all pertinent parties know about healthcare data breaches is critical. Notification should occur quickly and always within 60 days of breach discovery (unless advised by law enforcement that notification would problematize its own investigations), per the Breach Notification Rule. When you notify patients or others that ePHI has been exposed, your communications should be clearly worded. They should mention the specific data involved (such as lab results or Social Security numbers) and the steps the company is taking toward investigation and mitigation. It should also let the patient know what protective steps they can personally take, along with how to get further details or ask questions.

Risk assessment – After the investigation is finished, you and the legal team can use the insight from it, along with whatever you have already done toward mitigation, to conduct a HIPAA-compliant risk assessment. The risk analysis parameters from the HHS explain that a full assessment should be conducted related to any threats to the availability, integrity, and confidentiality of health data. The HHS notes that the risk analysis is an important basis of information since it can be used to guide what is considered a “reasonable and appropriate” step (the determining factor for a HIPAA-compliant approach). While HIPAA is flexible on many parameters, it mandates that risk assessments be performed routinely (related to all ePHI systems) when contracting with new business associates (related to that specific information), and when security incidents occur (related to that specific information). Any access to ePHI that is disallowed by the Privacy Rule’s subpart E must be disallowed. Any time at which health data is accessed or used in a way that is noncompliant with those guidelines will be assumed breaches – except if your risk assessment can show that there is, in fact, low likelihood of a compromise. (Related to risk assessment, see the section on risk management and audits below.)

The specific issue of time

Time should be central to investigations, as indicated by Mayer Brown healthcare attorney Laura Hammargren. There is disagreement over whether the moment of discovery of a breach should be considered the moment when you reveal a potential breach or the moment when you have finished assessing the situation and understand what occurred.

While there may still be some debate related to discovery, the law is clear at least on the parameter of 24 hours. Discovery of a breach of ePHI occurs “as of the first day on which the breach is known to the organization, or, if exercising reasonable diligence would have been known to the organization,” noted Dornfeld.

Security events are common in which it is unclear if data was compromised or not. It can take a significant amount of time to confirm whether a breach occurred, and exactly how it might have occurred. Some means of assault are incredibly complex. Attackers may make it extraordinarily challenging to track their moves – in which case it can be a painstaking task to find out the data that they possibly accessed and removed.

Another concern of a HIPAA breach investigation is figuring out the length of time the intruder had access, which can have a huge influence on the breadth of the breach.

Risk management & audits

The risk assessment is part of the larger picture of risk management. When you are approaching a healthcare data breach investigation, you will benefit from comprehensive risk management and auditing processes. Through these safeguards, you will be much readier to send out notifications promptly, as well as to give clear information to police and other law enforcement officials.

Risk management is simplified when you have strong business associate agreements (BAAs), through which your standards can extend to third parties. By working with established, next-generation, HIPAA compliant cloud storage provider, you will have peace-of-mind that risks are properly controlled, backed by third-party certifications and audits.

Atlantic.Net is a proud sponsor of EMRandHIPAA.com. Atlantic.Net provides HIPAA compliant hosting, backed by 100% uptime guarantee.

About Moazzam Adnan Raja
Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.

The Cloud – Fun Friday

Posted on August 31, 2018 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Leave it to the one and only Dr. Deborah C. Peel, MD from Patient Privacy Rights to share with me this humorous look at the cloud and how many of us treat the cloud. I’m sure nothing like this would ever happen in healthcare. However, it sure does offer an interesting perspective of the cloud. This is particularly true with individual patients. I hope you enjoy learning about the cloud from Kitty Flanagan.

Regulatory Heat: Is Your BAA House in Order?

Posted on August 9, 2018 I Written By

The following is a guest blog post by Greg Waldstreicher, Founder and CEO of PHIflow.

Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, specifically upping the ante on compliance with business associate agreements (BAAs). Much of this activity can be attributed to a grim outlook on security risks: globally, 70% of healthcare organizations have suffered a data breach, and a recent Ponemon Institute report found that the vast majority have experienced multiple security incidents involving protected health information (PHI).

BAAs play an important role in security as the framework by which an organization ensures that any vendor creating, receiving, maintaining or transmitting PHI complies with HIPAA. In recent years, these contracts have come under increased scrutiny amid high-level audits launched by OCR. Mismanagement of BAAs have thus far resulted in penalties ranging from $31,000 for simply not having a BAA in place to upwards of $5.5 million for more serious offenses.

While the stakes are high, healthcare organizations often lack effective oversight strategies for these important patient protection tools. In fact, it’s not uncommon for even the most basic information to elude the executive suite such as:

  • the number of BAAs that exist across an enterprise
  • where BAAs are located
  • the terms of each BAA

In an industry that has witnessed a significant uptick in security incidents and breaches in recent years, this current state of affairs is less than optimal. In truth, the reach of recent audit activity is still an unknown as the healthcare industry awaits full disclosure and recommendations from OCR. One of the latest OCR settlements —$3.5 million levied against Fresenuis Medical Care North America—resulted from multiple incidents that occurred in 2012, underscoring the lengthy timeframe associated with finalizing investigations and legal processes.

All told, current trends point to the need for better oversight and management of BAAs. While penalty activity subsided some in recent months as OCR went through internal transitions, industry legal experts expect that investigative momentum will continue to increase in proportion to heightened security risks across the healthcare landscape.

Unfortunately, healthcare organizations face notable roadblocks to getting their BAA house in order. Amid competing priorities, many simply lack the resources for tracking these agreements. Health systems are increasingly multi-faceted, and current trends associated with mergers, acquisitions and consolidations only exacerbate the challenge. The reality is that some large organizations have as many as 10,000 BAAs across the enterprise. Because these agreements are typically spread across multiple departments and facilities and have a multitude of different owners, managing them in a strategic way via manual processes is nearly impossible.

In tandem with the internal resource challenge, the language contained in BAAs has become significantly more complicated due to not only a fluid and evolving regulatory environment, but also the vital role they play in an overall security strategy. While a simple, cookie-cutter approach to these agreements was fitting a decade ago, BAAs are now intensely negotiated between covered entities and business associates and between business associates and sub-business associates, often involving HIPAA attorneys and resulting in requirements that go beyond HIPAA and HITECH. Subsequently, the terms of each BAA across an organization may vary, making efficient and effective management extremely difficult.

The good news is that there is a relatively simple solution—automated management of BAAs. The right technological framework can lay the foundation for timely access to all contracts across an enterprise, improving compliance and ensuring readiness for audits or breach response. Once consolidated, artificial intelligence can then be applied to BAAs to draw actionable insights in near real-time, informing key personnel of the key terms across all agreements.

The healthcare industry at large has drawn heavily on the promise of automation and data analytics in recent years to power more efficient and effective processes. Management of BAAs is no different and is an area ripe for improvement. Today’s healthcare executives need to consider the high stakes associated with ineffective management of BAAs and take action to shore up strategies amid greater security risks and a challenging regulatory environment.

About Greg Waldstreicher
Greg Waldstreicher is the founder and CEO of PHIflow, and the cofounder and former CEO of DoseSpot, where he worked at the forefront of the electronic prescribing (e-Prescribing) market for nine years. Under Greg’s leadership, DoseSpot licensed its SaaS e-Prescribing solutions to 175 healthcare software companies across the medical, dental, hospice and digital health markets. Greg received a B.S. from the University of Maryland College Park in Accounting and an M.S. from Northeastern University in Technological Entrepreneurship.

HIPAA Security Infographic

Posted on August 6, 2018 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

There are a lot of nuances to HIPAA. Hopefully, you’ve addressed them as part of your security risk analysis and any mitigation work that’s required as part of that analysis. Unfortunately, even an organization that does a solid HIPAA security risk analysis often doesn’t communicate what was done in that analysis to the rest of the organization.

With this in mind, I found this HIPAA security infographic by eFax to be valuable for those that aren’t deep in the nuances of HIPAA, but that want a quick overview of some common HIPAA issues that they should know about.

Embarrassment, Career Suicide, or Jail

Posted on July 26, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

What You Can Learn from the Russian Army, the US Navy, and a Suspended Nurse

The General Counsel at one of our clients is a former district attorney who prosecuted identity theft cases. When I told him we work with people who think Identity Theft is a victimless crime, he got very angry, and rattled off a list of cases he had tried that had lasting damage to the victims. Cybercrimes and compliance violations are not victimless.

Identity theft victims have suffered threats of violence, financial ruin, threats of arrest, effects of business interruptions, damaged careers, and emotional and physical stress.  Some considered suicide.

Most data breaches are malicious, but some who committed bad acts did not know they were breaking laws. They thought their actions were just ‘mischief’, or mistakenly thought what they were doing was OK, but found out the hard way that they had committed crimes. Their careers were killed and some faced criminal charges. Some blamed their training, which may have been incomplete, but ignorance of the law is no excuse.

SPEAR-PHISHING by the RUSSIAN ARMY

Twelve members of the GRU, the Russian military intelligence service, were indicted by the United States for meddling with our elections, by using spear-phishing techniques that were remarkably effective. Those who were targeted suffered public shame and career damage.

Phishing is when hackers send out broadly-targeted e-mails, seemingly from banks, fax services, and businesses, trying to sucker many people into clicking on the link and sharing their personal data, or having malicious software silently install on their computer.

Spear-phishing is when a personally-targeted message is sent just to you, seemingly from a colleague or vendor – using names you recognize – asking you to send sensitive information or to click on a link that will install malicious software. These messages can be very tough to spot, because the hackers make you think that this is a personal message from someone you know. One popular method is to send the message from an e-mail address that is one or two letters different from a real address. Your eyes play tricks and you miss the slight difference in the address.

Spear-phishing resulted in the Russians allegedly getting the logins and passwords of Democratic and Republican party officials, which they used to get access to e-mails and other sensitive data.

Another personally targeted attack resulted in a company’s HR staff sending its W-2 tax details, including all employee Social Security Numbers, at the request of their CEO, who actually was a hacker using a very similar e-mail address to the CEO at the targeted company. Employees filed their tax returns, only to find out the hackers had already filed phony tax returns and gotten refunds, using their names and Social Security Numbers. Now these employees are on special lists of victims, delaying their future tax refunds; making it more difficult to get loans and maintain their credit ratings; and creating real stress and anxiety.

Spear-phishing has been used successfully by hackers to get CFO’s to transfer money to a hacker’s bank account, at the supposed request of their company’s CEO. These scams are often discovered way too late, only after a CFO casually says to a CEO that they transferred the $ 500,000 the CEO requested, only to see the look of panic on the CEO’s face.

What You Should Do

  • Individuals: Beware of every e-mail asking you to provide personal information, click on a link, transfer money, or send sensitive information. Call or meet face-to-face with the person requesting the information, to ensure it is legitimate.
  • Employers: Use a phishing training vendor to train your employees to recognize and report phishing and spear-phishing attempts. Use spam filters to block messages from known hackers. Implement policies to slow down the transfer of sensitive data, by requiring a phone or in-person verification any time someone in your organization receives a request for sensitive data, or a money transfer. While inconvenient, a delay is much better than discovering the request was fraudulent.

STEALING DATA – US NAVY SECRETS, and a SUSPENDED NURSING LICENSE

A former employee of a US Navy contractor was found guilty in federal court of stealing secret information simply by using a company computer to create a personal DropBox account, and transferring thousands of company documents. Jared Dylan Sparks is awaiting sentencing on six convictions that can each bring 10 years in federal prison, after he stole trade secrets from his current employer while seeking employment at another company.

In another case, the New York State Department of Health suspended a FORMER nurse after she took 3,000 patient records from a previous employer to her new job.

According to healthitsecurity.com, “the list included the patients’ names, addresses, dates of birth, and diagnoses. Martha Smith-Lightfoot asked for the list to ensure continuity of care for the patients. However, she did not receive the permission of URMC or the patients to give the information to her new employer.”

Smith-Lightfoot agreed to a one-year suspension, one year stayed suspension, and three years’ probation. She can’t work as a nurse for a year. What do you think her career chances will be, after her suspension, any time someone verifies her license status and sees why she was suspended?

What You Should Do

  • Individuals: Understand the requirements of your license or certification, and the laws that protect data. Licensing requirements for privacy and confidentiality pre-date HIPAA. While your organization may face a HIPAA penalty, you may face a damaged or destroyed career, as well as jail time.
  • Employers: Educate your workforce (EVERYONE, including employees, volunteers, contractors, vendors, etc.) about keeping patient, employment, and sensitive business information secure and confidential. Have everyone sign confidentiality agreements. You must be willing to evenly enforce your policies. Terminating a long-term employee when they break your rules may seem harsh, but necessary if you want to avoid corporate theft, compliance violations, and wrongful termination lawsuits if you fire someone after letting another person get away with a policy violation.

We have worked with clients whose current and workforce members used cloud-sharing services, like DropBox, Google Drive, and Microsoft OneDrive. By the time we discovered that these tools were installed on their network, many times it was too late. Data was already out the door, and no one knew what was taken. Implement Data Loss Prevention (DLP) security software that will automatically block critical data from being transferred to e-mail, cloud services, or portable thumb drives. Those that need to move data can be exempt from blocking, but you should protect your organization against everyone else.

People get hurt by data theft and violating regulations. Protect yourself, your patients, and your organization.

Are You Investing Enough in IT Security?

Posted on July 20, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Would you put a $ 10 fence around a $ 100 horse?

Does it make sense to put a $ 100 fence around a $ 10 horse?

For the right security, you need to know what your horse is worth.

The same concepts apply to protecting your data. What is your data worth?

Ask Cottage Health , which had two data breaches, totaling 55,000 records., and settled a $ 4.1 million lawsuit with patients, then paid a $ 2 million California penalty. They were sued by their insurer, which wanted the $ 4.1 million settlement money back, after it discovered Cottage Health had not consistently implemented the security controls it claimed on its insurance application. The $ 6.1 million in the settlement and penalty does not include its costs for legal fees, credit monitoring, notifying patients, public relations, or recovering the business lost from patients who moved to another provider.

One of our clients was audited for HIPAA compliance by the venture capital firm that wanted to invest in their company. Another client had us do a compliance assessment on a healthcare company they wanted to purchase. In both cases, HIPAA compliance was worth millions of dollars.

We asked a client how much the financial impact would be on their business if they lost the sensitive personal data they collected about business partners, and had to notify everyone. The owner said they would be out of business, costing millions of dollars.

Breaches result in lawsuits, with settlements in the millions. If you are a licensed or certified professional, you can lose your license or certification if you are breached.

Federal HIPAA penalties in 2014 – 2015 were $ 14 million. In 2016 – 2017 they tripled to $ 42 million. In 2018, they have already reached $ 7.9 million.

Data is worth more than gold.

Instead of words and images in a computer, think of your data as a pile of gold bars that is worth protecting.

When we work with our clients, we help you identify the types of data you have, where it is located, and how it is protected. We recently worked with a client that came to us for help protecting their patient information. They were shocked when we showed them that they had bigger risks related to the data they stored about workforce members, and job applicants they did not hire, than the people they served.

  • What data do you have that is regulated, that you must protect to comply with laws and other regulations?
  • What fines and lawsuit judgments might you face if your data is breached?
  • Beyond HIPAA that protects patient information, do you know your state data breach laws that apply to employee data?
  • Do you know the regulations that protect credit card data?
  • Do you have enough of the right type of insurance to protect your finances if you are breached?

Everyone has unregulated data that is sensitive or proprietary, that could hurt your business if it is lost, stolen, or accessed by a competitor or someone who wants to hurt you? Salaries, trade secrets, employment records, pricing models, merger and acquisition plans, lawsuit files, have all been stolen.

As part of our assessments, we search the Dark Web (the criminal side of the Internet) to see if our clients have employee passwords for sale by hackers. Over 90% have had at least one employee’s credentials stolen and offered for sale.

Most of our clients start out not knowing the value of their risks. They hadn’t approved IT security purchases, because the costs were high, and they didn’t know if security was worth the investment.

So, how much should you invest in protecting your data?

The recently-released 2018 Cost of a Data Breach report shows, through research of actual breaches, that in 2017 the average cost to a breached organization for a single lost healthcare record was $408. Across all industries the cost was $ 233 per record. Only a third of the cost was for the direct response to the breach – notifying patients, hiring lawyers and IT security experts, and paying for credit monitoring. Two-thirds of the $ 408/record was the financial effect on the healthcare organizations, by losing patients after violating their trust.

Here is a calculation you can use to estimate the value of protecting your patient data.

Number of Patient Records x $ 408 (cost per record of a breach) = $ ________________ in risk.

Example: 25,000 records x $ 408 = $ 10.2 million. (If this number startles you, imagine if your costs were only 25% of the total, which is still $ 2.5 million.)

Other ways to put a dollar value on your risk

  • How much would a breach affect the market value of your business?
  • How much investment capital do you need for expansion?
  • Personally, what will your retirement look like if you had to pay $ 1 million, $ 2 million, or more, to cover the costs of a breach?
  • What would your life be like if you went out of business?

Know the value of your cyber security risk. Do the math.

Ask your IT department, or an outsourced independent IT security consultant, to assess your risks, and recommend what you need to be fully protected. Our assessments calculate your risks based on dollars, and provide ‘under the skin’ data about the current status of your security. Don’t settle for guesses.

Base your security investment on the value of your risks, not just the general idea that your data needs to be protected.

And, if you own a $ 100 horse, upgrade your $ 10 fence.

Is Amazon Ready To Protect Patient Data?

Posted on July 6, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Late last month, a Connecticut woman found out that a third-party Amazon vendor she had done business with had exposed her personal medical data to the world, including her medical conditions, along with her name, birthdate and emergency contact information.

The story suggests that Amazon engaged in a bit of bureaucratic foot shuffling when called on the privacy lapse. According to the woman, an Amazon call center rep told her it would investigate the issue, but a further email told her they would not be able to release the outcome of this investigation. It’s little wonder she wasn’t satisfied.

Ultimately, it appears that she was only able to get immediate action once she contacted the third-party seller, which took the photos containing the information down promptly upon her request.

Though no small matter for the woman involved, the episode means little for the future of Amazon, in and of itself. However, it does suggest that the marriage of Amazon technology and healthcare data may pose unexpected problems.

For those who have been sleeping under a rock, in late June Amazon announced that it had acquired online pharmacy PillPack for what reports say was just under $1 billion. PillPack, which competes with services delivered by giants like CVS, lets users buy their meds in pre-made doses. News stories suggest that Amazon beat out fellow retail giant Walmart in making the buy, which should close the second half of this year.

Without a doubt, this was a banner day in the history of Amazon, which has officially stamped into healthcare in 10-ton boots. The deal could not only mark the beginning of new era for the retailer, but also the healthcare industry, which hasn’t yet seen a tech company take a lead in any consumer-facing healthcare business.

That being said, perhaps a more important question for readers of this publication is how it will manage data generated by PillPack, a store likely to grow exponentially as Amazon integrates the online pharmacy into its ecosystem.

While there are obviously many good things its staggering fulfillment and logistics capabilities can bring to PillPack, Amazon’s otherwise amazing systems weren’t built to protect patient health information.

When it comes to most any other company, I’d imagine these problems could be addressed by layering HIPAA-compliant technologies and policies over its existing infrastructure. However, given the widely distributed nature of its retail network, it’s not just a matter of rethinking some architecture. Sealing off health data could require completely transforming its approach to doing business. Just about every retail transaction could prove a chink in its armor.

Since it wasn’t itself required to meet HIPAA standards in this instance, Amazon won’t get any flack from regulators over the recent PHI exposure. Still, issues like this could undercut the trust it needs to integrate PillPack into its core business successfully.

If nothing else, Amazon had better put a strong PHI protection policy in place on its retail side. Otherwise, it could undermine the business it just spent almost $1 billion to buy.

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Alexa Voice Assistant Centerpiece Of Amazon Health Effort

Posted on June 1, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about you, but until recently I had thought of the Amazon Echo is something of a toy. From what I saw, it seemed too cute, too gimmicky and definitely too expensive for my taste. Then I had a chance to try out the Echo my mother kept in her kitchen.

It’s almost embarrassing to say how quickly I was hooked. I didn’t even use many of Alexa’s capabilities. All I had to do was command her to play some music, answer some questions and do a search on the Amazon.com site and I was convinced I needed to have one. Its $99 price suddenly seemed like a bargain.

Of course, being a health IT geek I immediately wondered how the Alexa voice assistant might play a part in applications like telemedicine, but I was spending too much time playing “Name That Song” (I’m an 80s champ) to think things through.

But I had the right instincts. It’s become increasingly clear that Amazon sees Alexa as a key channel for reaching healthcare decision-makers.

According to a story appearing on the CNBC website, Amazon has built a 12-person team within the Alexa voice-assisted division called “health & wellness” whose focus is to make Alexa more useful to healthcare patients and providers. Its first targets include diabetes management, care for mothers and infants and aging, according to people who spoke anonymously with CNBC.

Of course, this effort would involve working through HIPAA rules, but it’s hard to imagine that a company like Amazon couldn’t buy and/or cultivate that expertise.

In the piece, writers Eugene Kim and Christina Farr argue that the mere existence of the health & wellness group is a clear sign that Amazon plans to bring Alexa to healthcare. As long as the Echo can share and upload data in a secure, HIPAA-compliant fashion, the possibilities are almost endless. In addition to sharing data with patients and clinicians, this would make it possible to integrate the data with secure third-party apps.

Of course, a 12-person unit is microscopic in size within a company like Amazon, and from that standpoint, the group might seem like a one-off experiment. On the other hand, its work seems more important when you consider the steps Amazon has already taken in the healthcare space.

The most conspicuous move Amazon has made in healthcare came in early 2018, when it announced a joint initiative with Berkshire Hathaway and J.P. Morgan focused on improving healthcare services. To date, the partnership hasn’t said much about its plans, but it’s hard to argue that something huge could emerge from bringing together players of this size.

In another, less conspicuous move, Alexa took a step towards competing in the diabetes care market. In the summer of 2017, working with Merck, Amazon offered a prize to developers building Alexa “skills” which could help people with diabetes manage all aspects of their care. One might argue that this kind of project could be more important than something big and splashy.

It’s worth noting at this point that even a monster like Google still hasn’t made bold moves in healthcare (though it does have extraordinarily ambitious plans). Amazon may not find it easy to compete. Still, it will certainly do some interesting things, and I’m eager to see them play out. In fact, I’m on the edge of my seat – aren’t you?

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.