
OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely to be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 or more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by their business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that a number of major breaches have taken place because of oversights by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes were stolen from the car of a Science Applications International Corp. employee, who was transporting the tapes on behalf of the military health program TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these groups, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because they weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

Combating Mobile Health Threats: 13 Tips Everyone Should Read

Posted on June 29, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

There is a common theme I’ve noticed while I’ve been researching mHealth over the past few months: a great concern for safety and security. No one wants to download an app, or have their doctor use some kind of technology, if the information could somehow be leaked. A few months ago in Utah, there was a huge security breach where Medicaid and CHIP recipients’ information (birthdays, social security numbers, addresses…you know, all that information no one wants a hacker to have) was stolen. This kind of opened my eyes to how there needs to be security measures in place to make sure things like that don’t happen. While that didn’t have to do with security within mHealth, I feel like similar things could happen with patient information being transmitted within mobile devices.

So is there anything that can be done to protect this information? Well, I think for apps, it starts with the creator making sure there is a secure network. However, apps aren’t the only mobile health devices. There are USB devices, laptops, and tablets as well. Michelle McNickle, New Media Producer for Healthcare IT News over at mhimss.com, posted 13 tips from ID Experts on how to fight mobile device threats:

  1. Consider USB Locks
  2. Try geolocation tracking software or services
  3. Brick the device if it gets stolen or lost
  4. Encrypt, encrypt, encrypt
  5. Forget about “sleep” mode
  6. Recognize that employees will use personal devices
  7. Use strong safeguards to permit access to PHI through mobile devices
  8. Educate employees on the importance of safeguarding their mobile devices
  9. Implement electronic protected health information (ePHI) security
  10. Work to get ahead of the BYOD upgrade curve
  11. Have a proactive data management strategy
  12. Keep in mind transparency and end-user consent opt-in
  13. Remember that the mobile Web and “app” landscape is not your father’s Internet

While some of these tips didn’t really pertain to me, overall, I found the list to be very helpful. A while back, I downloaded an app on my phone that allows me to “brick the device”, as was mentioned in step three. While the only part of the app I’ve (thankfully) had to use was the feature that sets off a very loud alarm because I couldn’t find it (we’re talking ambulance siren loud), I’m glad I would be able to wipe data if I truly did lose it and didn’t want my personal information stolen. Whether you are a consumer, employer, or a creator of apps or technology, reading through this list is important. More detailed explanations of each of the points can be found here.