Friday, December 25, 2015

Episode 33: Holiday Special


Since this episode is being released on a holiday for all of us at Help Me With HIPAA, we are sharing a special blooper episode our audio editor Bojan Sabioncello created especially for us. When you hear our recordings from his perspective, you will see what a great job he does making us sound so professional.


Check out the latest episode!

Friday, December 18, 2015

Episode 32: 2015 HIPAA Gift Giving Guide


Compliance officers need all kinds of help to get their jobs done.  We came up with a list of ideas for gifts to help them out this holiday season.


Check out the latest episode!

Friday, December 11, 2015

Episode 31: Enforcement efforts by OCR should increase in 2016


Enforcement of HIPAA is changing

There are many indicators that make us believe that we will see a distinct uptick in OCR enforcement activity.  The last two OIG reports say OCR isn't doing enough, the news points out issues with enforcement, and even Congress is getting in the mix. In this episode, we discuss why this makes us think you don't want to wait around to see IF OCR starts doing anything differently.


Check out the latest episode!

Friday, December 4, 2015

Episode 30: Can I Be Sued Under HIPAA?


The HIPAA legislation itself does not include the option for individual patients to sue any CE or BA that may violate their privacy protections included in the law.

HITECH added the ability for the State Attorneys General offices to file a case on behalf of their constituents, however.

The biggest change, however, is the ruling by several State Supreme Courts that allows a complaint to use HIPAA as a legal standard of care.  That opens the door for all kinds of options.


Check out the latest episode!

Friday, November 27, 2015

Episode 29: HIPAA Black Friday Sale


Everyone is ready for the great deals retailers offer on Black Friday and Cyber Monday. We have a list of low-cost and no-cost deals on HIPAA Security & Privacy tools for you!


Check out the latest episode!

Friday, November 20, 2015

Episode 28: Rise of The Machines, the Internet of Things in Healthcare


The Internet of Things (IoT) is already here; it isn't something that is coming. It is here and it is the future, and it will only become more prominent in our daily lives.


Check out the latest episode!

Friday, November 13, 2015

Episode 27: Six Things To Expect From HIPAA Compliant IT providers


If you expect your IT company to do certain things as a HIPAA compliant vendor, you are more likely to get the level of support you need. If you don't ask, they may not be fully aware of what you need or of what it takes for them to be HIPAA compliant themselves.


Check out the latest episode!

Friday, October 30, 2015

Episode 25: Halloween Special - Scary HIPAA Stories


This week we get in the Halloween spirit and share some scary stories that make you have those compliance nightmares.


Check out the latest episode!

Friday, October 16, 2015

Episode 23: If it moves - encrypt it.


Description

We explained the concepts of encryption in Episode 2: Let’s Talk Encryption but people continue to ask more about what they really need to do with encryption.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Episode 2: Let’s Talk Encryption

The government and privacy advocates can’t agree on what ‘strong’ encryption even means

Notes

First, what encryption can do for you and what it can't.

  1. VPN, HTTPS, SSL, SFTP, etc. protect communications in transit from prying eyes.
  2. Everything else is about encrypting data on the devices themselves.

If you encrypt data on a device but you are hacked when you are logged into the device, encryption isn't too helpful. Encryption is helpful when someone tries to access the data on the device without your key (or password).

Strong encryption is also subjective: there is no solid authority on what really counts as strong encryption, because law enforcement wants a back door.

What does HIPAA say about encryption? Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Not very helpful.......

What does OCR say about it? At NIST / OCR HIPAA 2015 conference: If it moves it should be encrypted.

Now that's a line that can be drawn.

  • Encryption of your files stored in the cloud (certainly something that moves)
  • File-level encryption of specific files by an app on the computer, such as 7Zip
  • Windows built-in encryption: BitLocker, EFS
  • NAS and flash drives with built-in encryption
  • Built-in encryption on your phone
  • Cloud-based encryption management (MDM): Alertboot, MaaS360, ManageEngine https://www.manageengine.com/mobile-device-management/

Create an encryption plan:

  • Include all devices: laptops, phones, external drives, etc.
  • Write down the specs required, such as AES 128 or FIPS
  • Methods used for implementation on each type of device
  • Encryption key management plan
  • Audit and verification plans
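The last bullet is where most encryption plans fall down: the specs get written but nobody checks the inventory against them. The following is an added example, not code from the podcast or any product it mentions. It audits a device inventory against a written plan (minimum AES 128, FIPS-validated modules for laptops and external drives, recovery keys escrowed and re-verified within 90 days). The plan values, the Device fields and the sample inventory are all constructed assumptions; a real run would load them from an MDM export or asset register.

```python
"""Check a device inventory against a written encryption plan.

Added example, not from the Help Me With HIPAA show notes. The plan
values, the Device fields and the sample inventory are constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The written specs the plan calls for (constructed values).
ENCRYPTION_PLAN = {
    "approved_ciphers": {"AES-128", "AES-256"},           # AES 128 or better
    "fips_required_kinds": {"laptop", "external_drive"},  # must use FIPS-validated modules
    "max_days_since_key_escrow_check": 90,                # recovery keys verified quarterly
}


@dataclass
class Device:
    asset_id: str
    kind: str                                   # laptop, phone, external_drive, nas, ...
    encrypted: bool
    cipher: Optional[str]                       # e.g. "AES-256"; None if not encrypted
    fips_validated: bool
    days_since_key_escrow_check: Optional[int]  # None = recovery key never escrowed


def audit_device(dev: Device, plan: dict = ENCRYPTION_PLAN) -> List[str]:
    """Return the plan requirements this device fails (empty list = compliant)."""
    findings = []
    if not dev.encrypted:
        # Nothing else is worth checking until the device is encrypted at all.
        return ["not encrypted"]
    if dev.cipher not in plan["approved_ciphers"]:
        findings.append(f"cipher {dev.cipher!r} not in approved list")
    if dev.kind in plan["fips_required_kinds"] and not dev.fips_validated:
        findings.append("FIPS-validated module required for this device type")
    if dev.days_since_key_escrow_check is None:
        findings.append("recovery key never escrowed")
    elif dev.days_since_key_escrow_check > plan["max_days_since_key_escrow_check"]:
        findings.append("key escrow verification overdue")
    return findings


def audit_inventory(devices: List[Device], plan: dict = ENCRYPTION_PLAN) -> Dict[str, List[str]]:
    """Map asset id -> findings, listing only the devices that fail something."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, plan)
        if findings:
            report[dev.asset_id] = findings
    return report


# Constructed inventory: two laptops, a phone, a USB drive and a NAS.
SAMPLE_INVENTORY = [
    Device("LT-001", "laptop", True, "AES-256", True, 30),
    Device("LT-002", "laptop", True, "AES-256", False, 120),
    Device("PH-010", "phone", True, "AES-128", False, 10),
    Device("USB-07", "external_drive", False, None, False, None),
    Device("NAS-01", "nas", True, "RC4", False, None),
]

if __name__ == "__main__":
    for asset, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset, "->", "; ".join(findings))
```

Running it lists only the failing assets, which is the report an auditor wants: an unencrypted USB drive, a laptop without a FIPS module whose escrow check is overdue, and a NAS on an unapproved cipher with no escrowed key. The compliant laptop and phone do not appear.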

Check out the latest episode!

Episode 23: To BAA or not to BAA, that is the question....


Description

Business Associates and required BAAs are discussed often but not resolved quickly. Let's talk about some ideas and issues that go with BAAs.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Who is a BA?

  • A business partner who provides a service to a CE or BA that requires them to CReMaT PHI.
    • Anyone with persistent access to ePHI is a BA; whether they actually do anything with it is irrelevant, because the fact that they CAN is what matters.
  • Complexity is increasing
    • Dietitians at a hospital need info on the scripts for the diet, but their employer never stores, accesses, or has persistent access to it; the workforce just needs to see it. The CE should train them on Privacy rules.
      BA means it is not your data, but you have it or have access to it from the CE that owns it.
    • A medical director could be a BA or could be a workforce member depending on the contract they have with the employer.
  • ACO formed by hospital as a completely separate legal entity
    • But the ACO is staffed by hospital employees
    • Plus the hospital provides IT services to the ACO legal entity
    • Now that would make the hospital a BA of the ACO which is really the hospital.
      • So, the hospital is a BA to itself
  • Maintaining PHI vs. maintaining facilities with PHI
    • Data center where you store your servers. Are they a BA?
      • NO. They are just the landlord for your server, so they aren't a BA.
      • YES. Physical, administrative, and technical safeguards are used to protect it, though.
        • You are outsourcing part of your obligations because they are doing all of the physical safeguards for you, so you should make them a BA.
    • It can be argued both ways, but 2 out of 3 lawyers said BA, and a poll of the room said they are a BA, not just a landlord.
      • BCBS of TN left drives at an old office and the landlord was securing the site.
        • OCR's response was: if that is the case, why was there no BAA?
        • The resolution didn't mention the BA argument, but it was an expensive fine that clearly showed the OCR lawyers didn't consider the drives protected just because they were sitting in a closet of the facility you used to lease.
  • If you sell server space and store encrypted PHI you are a BA under current guidance.
    • Many will argue this point though.
    • You have to be prepared to decide for yourself
  • Even if you don't treat them like a BA, then you should have an agreement of some sort that protects the PHI
  • OCR working on Cloud Computing Guidance
    • The Security Rule, from early in this century, couldn't really anticipate all the things that are done today
    • It was written before cloud computing, when everyone had their own servers in their offices or owned huge data centers
  • You can't just counter this issue with making everyone sign a BAA, though.
    • Bad for the business that signs them and either fails to comply or does the work they may not need to be doing.
    • Bad for you because you are managing contracts that don't need to be managed and opening up cans of worms we haven't even found yet.
    • Make a decision about your business and be prepared to explain your logic
  • If you are doing the work of a BA you are still a BA without signing a BAA

Included in BAA

  • We are not lawyers but we are talking about the contracts just a little bit here
    • Ask your attorney for advice on this stuff; don't rely on us or any other consultant for that advice
    • Also, get a HIPAA attorney - not a tax attorney
  • You should be reading these things, not just signing them
  • Indemnification can be included and you need to know what you are committing to
  • Insurance requirements
    • Yours, mine, ours for cybersecurity
    • What does it really cover - not just if you have it
    • New complexity to negotiations because you don't cover a max level that your big groups need
  • State law requirements
  • 60 days - how far down the BA tail could it go with 60 days to notify
    • Shorten the days but not too short
    • But give them time to figure stuff out unless you want to know about incidents that turn out to be ok
  • Breach notification responsibilities
    • Can the BA notify a huge number of people within 60 days
      • do they even have the resources to make that happen?
  • De-identification of PHI clause is there to prevent selling of data
    • They don't have to take out the doctor's name if they take out all other PHI
      • That means some of your valuable info could end up in a file that gets sold because it has no PHI in it.
  • Indemnification
    • What liability limits are you going to include
    • If I am acting reasonably then I shouldn't have to bear the whole burden, but if I am reckless then it is fair to put most of the burden on you
  • The Security Rule may not go far enough but you can up the ante in your agreements
    • Should you require encryption be used both at rest and in transit
    • Agreements may start to specify exactly what security standards you must adopt which creates new problems

Assessing BAs

  • I have a BAA so I don't have to worry - not a good idea
  • Does HIPAA even apply if they are off shore?
    • US Law doesn't apply in other countries - do you know where your PHI really lives?
  • CE is not responsible for acts of BA with a signed BAA but
    • If you are aware of a pattern of non-compliance then you would be liable
    • How much do you want to be unaware of vs aware of in advance of a problem happening
  • What PHI are you talking about is key in assessing each situation
    • Medical only
    • Demographics
    • SSN and Credit Cards
    • Is it mental health, domestic abuse, STDs, etc with special limitations
  • Just because you have a SAS 70, SSAE 16, or SOC 1, 2, or 3 assessment doesn't mean it was a good assessment, nor does it mean it covers what you need covered for HIPAA
    • Does provide a benchmark but that isn't necessarily enough for HIPAA
  • A sophisticated BA questionnaire is where most CEs are moving until standards are made more specific
    • Provides more specifics about the compliance programs
      • Training
      • Who is really in charge for you to deal with in a crisis
  • Do you audit the BA after the fact?
    • Once you learn problems you have to deal with them
    • Would you rather know or not know, that is the question
  • Easiest / Quickest way to know is just let the tech geeks talk to each other and form their own opinions of what is happening
    • Let us handle the questions to ask
    • We have to deal with each other anyway
    • No one else really understands
  • If you are a BA then have something you can show the CE/BA clients proactively before they ask

Check out the latest episode!

Friday, October 9, 2015

Episode 22: So you think you're covered by cybersecurity insurance. Well...


Cybersecurity coverage being challenged in court has some important points that all businesses should consider.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Help Me With HIPAA 

Notes

COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM

Data breach occurred

  • Breach announcement said: Between October 8, 2013 and December 2, 2013, PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet.
  • The hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online.
  • Patients seen Sept. 29, 2009, to Dec. 2, 2013 included names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
  • Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet server on or about Oct. 8, 2012. The change allowed ePHI to become available to the public via Google's internet search engine. The server was taken offline immediately on Dec 2 once the call came in.
    • Insync doesn't mention healthcare on their website any more
    • People make mistakes, even the IT folks; theirs are just big ones

Law Suits and Investigations

  • Civil suit filed January 27, 2014 and settled December 2014
    • $4,125 million along with related expenses and attorneys' fees
    • 50,917 patients included in the settlement
  • On-going investigation for HIPAA violations currently
    • Involves the CA Dept of Justice and likely OCR
    • The DOJ proceeding will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws and may potentially result in the imposition of fines, sanctions or penalties.

Insurer Columbia Casualty filed suit

  • Saying they shouldn't have to pay the $4.1 claim nor any expense they have incurred or will incur over this case
    • Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney's fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit and any related proceedings and an award of damages consistent with such declaration.
  • INSYNC, the IT company, does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the Underlying Action.

Why does Columbia think they shouldn't pay?

  • The Columbia Policy contains the following exclusion: Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss: Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving... Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing; This Policy shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy.
  • The Columbia Policy application contained the following questions, which were answered by the hospital:
    • Do you check for security patches to your systems at least weekly and implement them within 30 days? • Yes
    • Do you replace factory default settings to ensure your information security systems are securely configured? • Yes
    • Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? • Yes
    • Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? • Yes
    • Whenever you entrust sensitive information to 3rd parties do you...
      • contractually require all such 3rd parties to protect this information with safeguards at least as good as your own • Yes
      • perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) • Yes
      • audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? • Yes
      • require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. • Yes (Which INSYNC did not)
    • Do you have a way to detect unauthorized access or attempts to access sensitive information? • Yes
    • Do you control and track all changes to your network to ensure it remains secure? • Yes
  • Failure to Follow Minimum Required Practices is clear, according to the insurance company, which is why they say they shouldn't have to pay:
    • failure to replace factory default settings and failure to ensure that its information security systems were securely configured
    • failure to regularly check and maintain security patches on its systems
    • failure to regularly re-assess its information security exposure and enhance risk controls
    • failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers
    • failure to control and track all changes to its network to ensure it remains secure
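Two of the items above (replacing default settings, and having a way to detect unauthorized access) map directly onto the single mistake in this case: anonymous FTP left enabled on an internet-facing server, with nobody reading the logs that would have shown it. The following is an added example, not code from the podcast or from the court filings. It scans constructed vsftpd-style log lines for successful anonymous logins and downloads, reports which files were pulled and by which clients, and checks a constructed vsftpd.conf excerpt for the setting itself. The file names, addresses, timestamps and account names are all made up.

```python
"""Spot anonymous FTP logins and transfers in server logs.

Added example, not from the show or the court filings. The log lines
are constructed in the vsftpd log style and the config fragment is a
constructed vsftpd.conf excerpt; neither is real Cottage Health or
INSYNC data.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed vsftpd-style log: one anonymous session pulling a file,
# one legitimate service account, one failed anonymous attempt.
SAMPLE_FTP_LOG = """\
Tue Oct  8 03:12:44 2013 [pid 1411] [anonymous] OK LOGIN: Client "203.0.113.5", anon password "mozilla@example.com"
Tue Oct  8 03:12:49 2013 [pid 1412] [anonymous] OK DOWNLOAD: Client "203.0.113.5", "/pub/exports/patients_2013.csv", 48211 bytes, 612.30Kbyte/sec
Tue Oct  8 08:01:02 2013 [pid 1502] [backupsvc] OK LOGIN: Client "10.0.4.17"
Tue Oct  8 08:01:10 2013 [pid 1503] [backupsvc] OK UPLOAD: Client "10.0.4.17", "/backup/nightly.tar", 1024 bytes, 1.00Kbyte/sec
Tue Oct  8 09:30:00 2013 [pid 1600] [anonymous] FAIL LOGIN: Client "198.51.100.9"
"""

# Constructed vsftpd.conf excerpt; the anonymous setting is the one
# "left over from setup" that nobody went back to change.
SAMPLE_CONFIG = """\
# constructed excerpt
listen=YES
anonymous_enable=YES
local_enable=YES
anon_upload_enable=NO
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

ANONYMOUS_USERS = {"anonymous", "ftp"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into fields, or None if it is not in the expected format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def detect_anonymous_access(log_text: str) -> List[dict]:
    """Return every successful action performed by an anonymous account."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # a production pipeline would count unparsed lines as well
        if event["user"].lower() in ANONYMOUS_USERS and event["status"] == "OK":
            alerts.append(event)
    return alerts


def exposed_paths(alerts: List[dict]) -> List[str]:
    """Files an anonymous client actually retrieved: the scope of the exposure."""
    return [a["path"] for a in alerts if a["action"] == "DOWNLOAD" and a["path"]]


def clients_by_alert_count(alerts: List[dict]) -> Dict[str, int]:
    """How many anonymous actions each client address performed."""
    return dict(Counter(a["ip"] for a in alerts))


def check_vsftpd_config(config_text: str) -> List[str]:
    """Flag configuration values that permit anonymous use at all."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().upper()
        if key == "anonymous_enable" and value == "YES":
            findings.append("anonymous_enable=YES: unauthenticated logins allowed")
        if key == "anon_upload_enable" and value == "YES":
            findings.append("anon_upload_enable=YES: anonymous clients may write files")
    return findings


if __name__ == "__main__":
    found = detect_anonymous_access(SAMPLE_FTP_LOG)
    print(len(found), "anonymous actions; exposed:", exposed_paths(found))
    print("config findings:", check_vsftpd_config(SAMPLE_CONFIG))
```

The config check is the cheap control (it answers "did we replace the default settings?" before any data moves); the log scan is the detection control the application asked about, and the list of exposed paths is what a breach notification would have to be scoped from.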

Final Notes

  • If you don't have coverage you really should be looking at it because this isn't going to get easier as these things continue to occur.
  • If you do have coverage you should revisit that application and check that you are following the standards you said you were doing in the policy. This probably won't be the first time this kind of thing comes up.
  • If you are a BA, you should check yourself and your coverage because your clients may start asking you what you have covered in order to do business with them.

Check out the latest episode!

Friday, October 2, 2015

Episode 21: Where does your fruit hang?


Show Notes

If they were shocked that no one was actually watching for security holes at Ashley Madison you can bet they will be shocked that you haven't been looking because Healthcare is supposed to be private.

Ashley Madison: Nobody was watching

Top 10 Tech Companies with Ashley Madison Accounts

What kinds of things do you need to do to actually be considered looking for them, though?

  • HIPAA Compliant IT
  • Router / Firewall test showed 600% Increase in Unique Vulnerabilities Discovered Last Year (OCR / NIST conference)
    • Within hours or days of a release of software (firmware) vulnerabilities will be identified.
    • Keep firmware up-to-date
  • UTM - what is a UTM
    • not just a router off the shelf at Best Buy
    • IPS
    • Antivirus
    • Support Subscription!
  • Reporting each month - look at what is going on - if you have IT they can do it but you should be asking them for reports.
  • Printers / Copiers easy for hackers to get to first
    • Smart TVs
  • Patching helps when
  • Hackers
    • Start with "low hanging fruit" 
    • Beginning hackers look for easy challenges to practice their skills
    • Vulnerabilities for sale to each other
    • They just want in to see what you have and then see where they can go
    • Hacktivist - target you because of who works there or who you treat or your type of business
  • There is no way to know how many different parts of software are used from all over the world on any device or in any given application today
    • No list of ingredients on the back of your router or mobile device
  • None of this is new
    • We have all talked about it, but no one listens to the security people until it happens at your business, office, or home
  • 10 vulnerabilities account for nearly 97% of all exploits
  • Write a little script yourself and you could be opening a hole, because you don't realize there are security implications in what you just wrote

Doctor convicted of illegally accessing medical records. A doctor having an affair looked at the mistress' medical records to see if she had STDs. He pleaded guilty in federal court and kept his license but must be monitored.


Check out the latest episode!

Friday, September 25, 2015

Episode 20: It's The People, People


Show Notes

When it comes to securing anything the weakest link in the chain is always people.  People are the ones who make mistakes, over-share, and are also the criminals.  This episode talks about what people can manage to do so you have to think of all kinds of things outside the norm.

University of Pittsburgh MC BA breach after being hacked the year before. An employee of the billing service call center copied personal information from the billing system; information on 2,259 patients was then passed on to a third party. Notification that it happened came from the FBI. Last year UPMC was hacked and employee information was taken for all 62,000 employees. Over 800 employees reported ID theft.

Oakwood Healthcare worker fired for HIPAA-violating Facebook comments. Terminated after posting disparaging comments about a patient on her Facebook page. She worked at a hospital that had to treat a suspect in a police shooting, and her posts expressed her disgust at having to treat him. It is still a violation.

Roanoke, Va. Carilion Clinic - 14 employees admitted snooping. Found by random log reviews. Previously, they only checked on patients where a big news story was happening.

Physician Suffers Second 2015 Data Breach. A break-in in January required breach notification to 350 patients. In another break-in in March they got computers and patient charts. The computers were not encrypted and held patient info OTHER THAN THE LETTERS to the 350 patients; this time the total number of patients involved is 1,342. At this point they hired a security guard, who stopped a third break-in. The doctor is moving their office to a new town. Encryption could have saved a lot here; increased security after the first break-in would be the most obvious requirement. That is a simple decision that was just not made. Now over 4 times the number of patients are involved.

Doctor convicted of illegally accessing medical records. A doctor having an affair looked at the mistress' medical records to see if she had STDs. He pleaded guilty in federal court and kept his license but must be monitored.

Final Note

Medical is years and years behind other industries on security requirements, and criminals are figuring that out. Plus, those that are way ahead are getting breaches too, like Home Depot, Target, and more. In all those cases there was a person somewhere involved in the process; in some cases several people made mistakes or took the wrong action.


Check out the latest episode!

Friday, September 18, 2015

Episode 19: "I am vulnerable, too" said your smartphone


Mobile devices are vulnerable just like your network, servers, laptops, and desktops. Your risk analysis should include checking on any types of messages, pictures, or access to your data that can be done on your smartphones. Even if you don't put PHI on them they may be able to be used against you in some way to crack your network and your PHI.

Patches

  • Android updates and know your version of Android
    • Wipe leaves some stuff on old Android versions
  • iOS updates and know your version
    • Windows has a very small market share, but it deserves a mention

Encryption

  • Android
    • Option to encrypt this device
    • Lock screen setting to wipe the device after X failed logins
  • iOS
    • data protection turns on with password set
      • set to wipe after X failed logins

MDM - Mobile Device Management

  • What is it
  • What can you do with it

BYOD - Bring Your Own Device

  • Set rules to follow
  • Do checks for software updates
  • Don't let kids play with phone
  • MDM?

Backup

If you lose the phone or it dies will you lose important things?  Figure out a backup plan but make sure it is properly secured too.

Unsecured WiFi and Bluetooth

  • Try not to use it unless necessary
  • Bluetooth can be used to connect to your phone within 30 feet
  • Personal WAN can be used to jump on your connection and use your data plans

Final Notes

Understand that this is the new frontier for hackers. Ransomware and malware for smartphones are growing quickly.


Check out the latest episode!

Friday, September 11, 2015

Episode 18: Email isn't secure, really, it isn't


Let's review email systems and how they can be secured for ePHI and other sensitive data.

Find Healthcare IT

HIPAA For MSPs

Kardon Compliance

Alston Article on Email Security

 

Notes

Leigh from Florida sent us an email asking us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2, which mentioned it, but she had specific questions about how email can be secured. This couldn't be covered in a quick 5 minute HIPAA answer episode, so we are doing a whole episode.

  • How does email work - for "real people" to understand
    • Compare to the post office since that is the way it was originally modeled to match
  • Why that isn't secure at all, really
  • Misconceptions
    • I use a password so it is secure
    • I use https so it is secure
    • I use TLS so it is secure
    • I use updated Outlook with Hosted Exchange so that should be secure
  • Secure email via
    • End to end encryption tools - each party knows the key
    • Messaging system - you get an email telling you to log in to get the secure email
    • Hosted services that allow for specific types of messaging
      • Hosted exchange
      • Plug-in apps
    • Secured internal only messaging systems
      • Very specific set up to secure the mail database on your internal server
      • Controls you have in place to prevent email to other domains outside the secure system (usually software required)
      • Some systems are automatic encryption / others require you to hit a button on the mail to send it secured.
  • Secure messaging systems for internal discussions that don't use email
    • Whole new way of communicating in forums / chats instead of email
  • Texting also matters; that is a different episode, but we can touch on it here
  • A word about spear phishing - an excellent example this week from a client


Check out the latest episode!

Friday, September 4, 2015

Episode 17: Compliance Management with ComplyAssistant


Links

ComplyAssistant

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

  • Who is Gerry Blass
    • Been in healthcare for the long ride
    • Consultant for years
    • Now consultant and software company
  • ComplyAssistant - when did you start development and what was your vision for it? What kinds and size of clients do you have - hospital, practices, BAs and CEs of all types
  • ComplyAssistant features 
    • Due Diligence for BAs
    • Contract management
    • Incident Management
    • Project Management
    • Documentation, Documentation, Documentation Management
    • Incident Management
    • Whatever else Gerry wants to add
  • Importance of having a documentation and management system of some sort in place

Check out the latest episode!

Friday, August 28, 2015

Episode 16: Seven Steps for Nurturing a Culture of Compliance


Culture of compliance is the phrase OCR uses when defining what they are looking for in an audit or investigation. They also use the phrase robust compliance program in the same manner. Using these steps is a great way to make sure your organization is following their lead.

Links

ComplyAssistant Compliance Management Solution 

Spher EHR Access Monitoring Solution

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:

  1. Designate a Compliance (Privacy & Security) Officer
    First, the law requires you do this. But, if no one is in charge then nothing will happen, we all know that to be the case. Or, in a vacuum of leadership someone else will take charge and handle things the way they think they should be done without the support of management. 

  2. Train and educate your staff and BA partners
    Constantly restating the same information over and over in a variety of ways may be annoying to some but that means they have heard it! Also, don't forget to work with your BA partners to confirm they actually understand what HIPAA compliance requires in their organizations.

  3. Implement an ongoing Compliance maintenance solution
    This is what we talk about when we mention tools such as ComplyAssistant, Spher, and professional MSP monitoring and management applications. Either use the tools or develop manual internal controls and processes to accomplish those same documentation and audit tasks on a regular basis.

  4. Conduct regular and complete audits and monitoring of all ePHI systems
    If you are ignoring it then so will everyone else in your organization.

  5. Monitor and respond to Incidents in a timely manner (State & Federal regulations)
    We all freak out together as soon as we know something could have happened to our PHI.

  6. Adhere to a strict breach remediation protocol
    Define your breach plan and use it every time. After any case that it was used, then review it to make sure you don't need to change or add things in the plan.

  7. Create an open line of communication for management and staff
    The law requires you to never retaliate towards any person who files a complaint or reports a problem including a breach. If you don't make it clear that you fully support that rule and all workforce members are free to ask any question, file any complaint, and report any concern then you will likely be missing things just because someone was afraid to tell.


Check out the latest episode!

Friday, August 21, 2015

Episode 15: It's not just about HIPAA anymore


In 2014 NIST introduced the National Cybersecurity Framework (CSF). It is designed for all businesses, large and small, to know things they should be doing to protect their businesses, data, customers, and more. Just how does it compare to HIPAA?

Links

NIST Cybersecurity Framework

DHS Getting Started for Small and Midsize Businesses (SMB)

US Chamber of Commerce: Internet Security Essentials for Business 2.0

C3 Voluntary Program: Begin the Conversation: Understand the Threat Environment

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

It's not just HIPAA. All the different guides spell out the same basic concepts.
For example:

  • NIST - Cybersecurity Framework
  • US Chamber of Commerce: Internet Security Essentials for Business 2.0
    • Strong Security Is Smart for Business and the Nation
    • Common Threats to Business Information
      • Hacking and Malware
      • Lost or Stolen Physical Storage Media
      • Insider Threat and Human Error
      • Accidents and Natural Disasters
    • Cybercrime on the Rise
    • Internet Safety and Security Fundamentals
      • Set Up a Secure System
      • Protect Business Data
      • Train Your Workforce
      • Be Prepared
    • Add Business Value Through Information Security
    • National and Private Sector Perspectives

Cyber Essentials to Protect Your Business: Managing Cyber Risks in a Time of State and Non-State Threats to Business Security and Resilience - Hosted by US Chamber of Commerce

  • FBI - Deputy Director
  • DHS - Undersecretary for Cybersecurity
  • Secret Service - Atlanta Office Cybersecurity Team
  • Army Lt Col - Cybersecurity Command

Check out the latest episode!

Friday, August 14, 2015

Episode 14: HIPAA Log Audits with AMS Spher


An interview with Ray Ribble discussing the AMS Spher product.  We learn how Spher can automatically "learn" what access patterns are normal and ask you when something isn't right. Your HIPAA compliance requirement to audit access logs may be solved with this tool.  Your very own HIPAA Breach Detection Service!

Links

The AMS SPHER™ Solution

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Who is AMS and Ray Ribble?

Tell us about The AMS SPHER™ Solution.

Spher Workflow

Behavioral Analytics

SPHER leverages pattern recognition algorithms to determine if there was suspicious behavior on the EHR. It does this by comparing past behaviors to behaviors in the audit log file SPHER is currently reviewing. For example, SPHER may have learned over the past months that an EHR user named John is typically active between 8 AM and 4 PM. In the current audit log file, SPHER notices that John was active on the EHR from 4 PM to 12 midnight which causes SPHER to send you an unusual time of access alert.

It Learns!

You know that John's shift recently changed to run from 8 PM to 4 AM. Going through the SPHER incident resolution process, you indicate that this behavior is Normal and Permitted. Based on this feedback, SPHER has now learned that this is normal EHR behavior for John and will not send an alert the next time it sees EHR activity for John during this new time span. As normal behavior on your EHR changes, SPHER learns and does not send false alerts for behaviors you've already indicated are normal.
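As an added illustration (not SPHER's own code or algorithm), here is a minimal version of the learn, alert, and feedback loop described above: a per-user baseline of hours of day, an unusual-time-of-access check run over a constructed EHR audit log, and a resolution step that folds an accepted time span (including one that wraps past midnight) into the baseline so it no longer alerts. The log format, user names and timestamps are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit logs (CSV: timestamp,user,action,record_id).
# Past months: john is active between 8 AM and 4 PM; mary around 10 AM.
PAST_LOG = """\
2015-06-01T08:12:00,john,view,1001
2015-06-01T11:40:00,john,update,1002
2015-06-01T15:55:00,john,view,1003
2015-06-02T09:02:00,john,view,1004
2015-06-02T13:30:00,john,view,1005
2015-06-02T10:15:00,mary,view,1006
"""
# File currently under review: john is now active from 4 PM to midnight.
CURRENT_LOG = """\
2015-08-03T16:20:00,john,view,2001
2015-08-03T21:05:00,john,view,2002
2015-08-03T23:45:00,john,update,2003
2015-08-03T10:30:00,mary,view,2004
"""


def parse_log(text):
    """Parse CSV audit lines into (datetime, user, action, record_id) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rec = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, rec))
    return events


def hours_in_span(start, end):
    """Hours of day covered by [start, end); a span with end <= start wraps
    past midnight (e.g. 20..4 -> 20,21,22,23,0,1,2,3)."""
    if start < end:
        return set(range(start, end))
    return set(range(start, 24)) | set(range(0, end))


class AccessBaseline:
    """Per-user set of hours of day in which EHR activity is considered normal."""

    def __init__(self):
        self.normal_hours = defaultdict(set)

    def learn(self, events):
        """Build the baseline from previously reviewed, accepted activity."""
        for ts, user, _, _ in events:
            self.normal_hours[user].add(ts.hour)

    def review(self, events):
        """Return 'unusual time of access' alerts as {user: sorted hours}.
        A user never seen before has an empty baseline, so all activity alerts."""
        alerts = defaultdict(set)
        for ts, user, _, _ in events:
            if ts.hour not in self.normal_hours[user]:
                alerts[user].add(ts.hour)
        return {u: sorted(h) for u, h in alerts.items()}

    def resolve(self, user, start_hour, end_hour, normal_and_permitted):
        """Incident-resolution feedback: marking the span Normal and Permitted
        folds it into the user's baseline so it will not alert again."""
        if normal_and_permitted:
            self.normal_hours[user] |= hours_in_span(start_hour, end_hour)


def demo():
    """Learn from the past log, alert on the current one, accept john's new
    4 PM to midnight span, and confirm the second review is quiet."""
    baseline = AccessBaseline()
    baseline.learn(parse_log(PAST_LOG))
    first = baseline.review(parse_log(CURRENT_LOG))   # {'john': [16, 21, 23]}
    baseline.resolve("john", 16, 0, True)             # 4 PM to midnight (wraps)
    second = baseline.review(parse_log(CURRENT_LOG))  # {}
    return first, second
```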


Check out the latest episode!

Friday, August 7, 2015

Episode 13: What is a HIPAA Risk Analysis


Description

What a HIPAA Risk Analysis includes and why you need it for your cybersecurity risk management.

Glossary

CReMaT'ed - Create, Receive, Maintain, Transmit

CIA - Confidentiality, Integrity, Availability

Links

JPP Medical Record

OCR Guidance on Risk Analysis

Training Documentation for this episode

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

It is not a simple checklist; it requires a lot of thought, data collection, and analysis.

The analysis part

  • Define where e-PHI is CReMaT'ed in your organization.
    • Not just the server that holds the EMR.  
    • Cloud apps used, messaging tools, mobile devices, USB storage devices, home computers
    • Practice Management system and data analysis tools
    • Don't forget to include downloads folders and temp folders on all PCs.
  • Do you need to worry about vendors or consultants - your BAs that may move data around your network, systems, etc.
    • If they handle it for you do you even know where it is going?
  • What are the threats to the CIA of the PHI that you have located and identified above?
    • Human
    • Natural
    • Environmental
  • What would be the impact to your business if the threat did act against your PHI?
    • Would it be a bump in the road or a sinkhole?
  • What is the likelihood this threat will actually act against your PHI?
    • Very likely down to not likely at all
  • With all this considered, what level of risk do you think this threat creates to your PHI?
    • High, Medium, or Low
  • Based on everything you know, decide what you are going to do about the threat and the risk it presents:
    • Accept the risk as just part of doing business
    • Address the risk with some type of safeguards in your organization
    • Outsource the risk by hiring another company to handle managing it for you


The assessment part

  • At this point, you review the plan you have just made to address risks against what you are actually doing
    • Are you doing everything you can to protect the PHI and meet your obligations under HIPAA laws from all those threats?
    • If you are outsourcing threat management, have you made sure your BAAs are in order?
    • If you are handling it internally, do you have all the written policies and procedures?
    • Is your staff trained to respond accordingly?
  • Once you complete that process you draw up your final report on what was determined during your analysis and assessment.
    • What actions need to take place to address those threats and what priority should be applied to them?

This is your full analysis and assessment report that you will use to inform your decision-making process for your security policies and procedures.

It is also the report you will review and update on a regular basis. Sometimes minor updates are needed but other times you will need to do most of the whole thing over if there is a major change in your business.


Check out the latest episode!

Tuesday, August 4, 2015

Episode A2: HIPAA Answers - BA question from a listener


We have a listener who called in with an example situation to find out what we thought.  Is the company a Business Associate?  Listen to Donna's answer in Episode A2.

These short "answer episodes" are released weekly on Tuesday mornings when we have them come in.

Send us your questions and we will publish them with our thoughts and the best answers we can muster!  

Use the Website form or Speakpipe voicemail. You can also find all our social media contact information at HelpMeWithHIPAA.com.



Check out the latest episode!

Friday, July 31, 2015

Episode 12: Breach Response Plans


Description

A Breach Response plan is a required element of your compliance program since HITECH became effective. Everyone must have a written plan and know what needs to be done.

Glossary

NIST - National Institute of Standards and Technology

Links

NIST SP 800-61 Revision 2 - Computer Security Incident Handling Guide

APDerm Resolution Agreement (see item 2(2))

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Establishing an incident response capability should include the following actions:

  • Creating an incident response policy and plan
    • A written plan is required - there has already been an OCR resolution that mentioned not having one (APDerm - $150,000)
  • Developing procedures for performing incident handling and reporting
    • Who is your "go to" team for forensics?
  • Setting guidelines for communicating with outside parties regarding incidents
    • PR will be critical for reputation management
  • Selecting a team structure and staffing model
    • Someone has to be in charge of the whole thing, and then others in charge of the parts.
  • Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
    • Bigger organizations need to know who is responsible for talking with each department.
  • Determining what services the incident response team should provide
    • How far is the team going through the process? Will they pass off follow-up, or will they do all the activity required from beginning to end? Again, large organizations need to worry about this.
  • Staffing and training the incident response team
    • Make a written list and have the team meet regularly to review how to respond to any incident that may come up in the organization.

Check out the latest episode!

Tuesday, July 28, 2015

Episode A1: HIPAA Answers - How do I get rid of my printers properly?


How do I get rid of my printers properly?  Find out in HIPAA Answers Episode A1.

Thanks for the listener questions that are coming in!  It took us a bit to work out the best way to get back to you, so sorry for the delay.

Today we introduce HIPAA Answers episodes.  These short "answer episodes" will be released weekly on Tuesday mornings.

Send us your questions and we will get them answered.  Lots of ways to contact us below!

Website form or Speakpipe voicemail

Twitter

LinkedIn

Facebook

Google+

Send us an email


Check out the latest episode!

Friday, July 24, 2015

Episode 11: Ponemon Study 2014 on Healthcare Compliance


Description

A discussion of the findings in the recently released study concerning healthcare breaches in 2014.  

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

Fourth Annual Benchmark Study on Patient Privacy and Data Security

Criminal Attacks: The New Leading Cause of Data Breach in Healthcare

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Represented in this study are 90 CEs and 88 BAs.

This year is the first time BAs were added to the study data.  In the previous four years only CEs were included.

A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information.

A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.

Points to note:

  • There has been a 125% increase in breaches due to criminal attacks on healthcare data over last 5 years.
  • Only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers even though it is now the number one reason for breaches and increasing rapidly.
  • Security incidents that aren’t breaches are also primarily criminal attacks: 78 percent of healthcare organizations' and 82 percent of BAs' security incidents.
    • 87% of BAs had multiple security incidents in the past 2 years involving the exposure, theft or misuse of electronic information.
      • 70% say they have had between 11 and 30 electronic information-based security incidents.
    • Most involved the exposure of less than 100 PHI records.
  • Medical identity theft has nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014.
  • Employee negligence remains a top concern when it comes to exposing patient data inappropriately.
  • Many victims of medical identity theft report they spent an average of $13,500 to:
    • Restore their credit,
    • Reimburse their healthcare provider for fraudulent claims and
    • Correct inaccuracies in their health records.
  • According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.
  • No healthcare organization, regardless of size, is immune from data breach.
  • The average cost of a data breach to BAs represented in this research is more than $1 million.
  • Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Interesting question details: 

Ponemon Breach Study Question


Check out the latest episode!

Friday, July 17, 2015

Episode 10: ONC Sample Seven-Step Approach for Implementing a Security Management Process


ONC recently published an updated guide for Privacy and Security of Electronic Health Information.  In this episode David and Donna discuss what that guide calls the Seven-Step Approach for Implementing a Security Management Process.

Links

Guide to Privacy and Security of Electronic Health Information

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

The 7 Steps

Step 1: Lead Your Culture, Select Your Team, and Learn

Assign your officers, make sure they are trained, and show that compliance is a top-down commitment

Step 2: Document Your Process, Findings, and Actions

If you can't prove it then it didn't happen. Document your decisions, plans and activity

Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)

Review or perform your Security Risk Analysis and current security assessment

Step 4: Develop an Action Plan

The plan needs to address all the things you identified in your assessments, policies, and procedures

Step 5: Manage and Mitigate Risks

This is where your project management skills come into play, making sure you have addressed all the risks in your Analysis and that new ones aren't showing up

Step 6: Attest for Meaningful Use Security-Related Objective

If you are attesting make sure you have done the previous steps

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis

Remember, it isn't a project that has a beginning and ending date


Check out the latest episode!

Friday, July 10, 2015

Episode 9: HIPAA Myths Part 3



We finish up our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements. 

Glossary
A myth is a widely held but false belief or idea.

Links 

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes (myths 1-7 of 10 were covered in the two previous episodes)

  8. HIPAA covers all PHI no matter who possesses the information. False. HIPAA law applies to entities that are health plans, healthcare clearinghouses, and most healthcare providers, and the businesses that create, receive, maintain, or transmit PHI on their behalf. Not every person or organization that possesses PHI falls under the CE or BA categories of HIPAA.

  9. A one-hour video course is all that a compliance officer needs to implement HIPAA in any organization. Mostly false. The law requires you to have an educated person in charge of privacy and security compliance. It does not define what that education should contain. I can't imagine how anyone could do it with so little training, and neither can anyone else who does the job themselves. Training is essential to understanding the requirements well enough to perform them.

  10. HIPAA training requirements are met with an annual training for all employees. Mostly false. It could be argued that all that is required is a quick reminder/refresher course. However, the amount of training provided for privacy and security awareness is directly related to the results you will get from your workforce. If you don't worry about it more than once a year, neither will they.


Check out the latest episode!

Friday, July 3, 2015

Episode 8: HIPAA Myths Part 2



We continue our discussion about some common myths (or points of confusion) surrounding HIPAA compliance requirements. 

Glossary
A myth is a widely held but false belief or idea.

Links 

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes (myths 1-3 were covered in the previous episode)

  4. Communicating with patients via email, fax, or telephone violates HIPAA.  Actually, not true. But... reasonable and appropriate safeguards must be in place.

  5. HIPAA compliance is just like all the other compliance rules for other industries: you learn the requirements and you do what they say. Not at all true. HIPAA rules were designed to allow every size and type of healthcare entity and business associate to use one set of regulations. That means there are phrases like "reasonable and appropriate" thrown all over them. Every single organization can determine what is reasonable and appropriate for their environment as long as they document how they are addressing the standards. Not even a risk analysis has one method to be performed across all organizations.

  6. A website is HIPAA compliant if it uses HTTPS.  False.  There are two parts to securing electronic data. You must secure data in motion (like when it is transmitted to a web page via HTTPS). You must also secure the data at rest (what happens to the data once it gets to the server on the other end). Just letting a web designer throw up a registration form or appointment request form and adding HTTPS will not meet the compliance standards for HIPAA.

  7. If a vendor signs a Business Associate Agreement there is nothing else for me to worry about concerning them. False. If you have knowledge that a vendor is not compliant and you continue to use their services simply because they signed a BAA, you aren't much better off than if you never signed one. Your liability is still tied to the fact that you don't have a compliant BA. Working with them while knowing (or doubting) their compliance understanding and commitment makes you complicit in any failures they may have with PHI.  Perform some sort of due diligence to get assurances they actually have a compliance program in place.

Myths 8-10 are in the next episode


Check out the latest episode!

Friday, June 26, 2015

Episode 7: HIPAA Myths Part 1



We discuss some common myths (or points of confusion) surrounding HIPAA compliance requirements.

Glossary
A myth is a widely held but false belief or idea.

Links

HealthIT.gov Top 10 Myths of Security Risk Analysis
HealthIT.gov Guide to Privacy and Security of Electronic Health Information Analysis

Notes

  1. Providers are not allowed to share information about a patient with others unless authorized by the patient to do so. False. Providers can share:
    • With anyone the patient identifies as a caregiver
    • When the information is directly relevant to the involvement of a spouse, family member, friends, or caregivers (Ebola, for example)
    • When necessary to notify a caregiver about a change in condition or location of a patient (as long as the patient doesn't object)
    • When in the best interest of the patient, regardless of their ability to object or not

  2. The security risk analysis is optional for small providers and business associates. False. Everyone is required to abide by the Security Rule, which specifically requires a security risk analysis.

  3. A checklist will suffice for the risk analysis requirement. False. Checklists are tools for doing the analysis and gathering your data, but they aren't enough to meet the risk analysis requirement. A Security Risk Analysis must include three main elements (according to OCR guidance):

A. Identification of all PHI sources
B. Human, electronic and environmental threats to the PHI
C. Review of current security measures to protect the PHI from those 


Check out the latest episode!

Friday, June 19, 2015

Episode 6 - HIPAA Compliant IT


In this episode we discuss technology support requirements under HIPAA and why professional, HIPAA compliant IT services are an important part of managing your security compliance.

The Security Rule has so many specific technical things to consider that it really requires professional technology services to handle it properly.  We discuss why that is needed and what to expect from a HIPAA Compliant IT company.

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance


Notes



Check out the latest episode!

Friday, June 12, 2015

Without Documentation It Didn't Happen


In this episode we discuss the importance of documentation for your HIPAA compliance program.  You can be doing everything right, but without documentation there is no way for you to show anyone else that is the case.  If you can't prove it, then you aren't doing it as far as OCR is concerned.

Glossary

A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.

Links

FindHealthcareIT

HIPAAforMSPS.com

KardonCompliance.com

ComplyAssistant.com

Notes

  • OCR says "don't just tell me you are compliant, show me you are"
  • What do you need to document
    • Policies and Procedures, including archive history
    • Risk Analysis and Risk Assessment
    • Training for workforce (who, what, where, when)
    • Risk Mitigation project plans
    • Issue/Incident details
    • BAAs and BA Due Diligence
    • Activity monitoring reports and logs
    • Audit plans and results
    • Assessment plans and results
    • Inventories of software, hardware, etc
    • Breach response plans and documentation
  • Spreadsheets and documents in folders or document management tools
  • Compliance Management tools

Check out the latest episode!

Friday, June 5, 2015

How Do You Eat An Elephant?


In this episode we discuss how to take the first steps to building a "culture of compliance" in your organization. Every project has to start somewhere but where do you start with something as big and complicated as HIPAA? Well.... Just like the joke goes "How do you eat an elephant?" "One bite at a time."

How do you break HIPAA Compliance into bite sized pieces and get your project moving? We have some tips for you.


Glossary


A culture of compliance is when an organization establishes standards, rules, and policies that aren't simply distributed to the workforce. The organization as a whole takes its compliance seriously at a personal level. Each person agrees to abide by the standards, rules, and policies set forth and holds themselves accountable to each other for doing so. This culture can only be accomplished if it is done from the CEO all the way down the organization to the volunteers and/or temporary employees.


Links

Posts From Donna's Blog SmallProviderHIPAA.com

How do you create a culture of HIPAA compliance?

HIPAA Documentation AKA Telling Your Compliance Story

How long will it take to get HIPAA compliant?

Simple HIPAA Checklist – Well Sort of

5 Tips to Just Get Your Risk Analysis Done

Please, Just Do My HIPAA For Me!


Notes

  • What is a culture of compliance?
  • What are the parts I need to build a culture of compliance?
    • Established and supported by Senior Mgmt
    • Integrated into all training and education done for the workforce
    • Programs are designed to reward compliance
    • Sanctions are applied equally to all levels for failure to comply
    • All technology is reviewed and managed with compliance in mind
    • Every decision, project, addition, and subtraction to the business includes considerations for compliance
  • How can you really break HIPAA into small bites?
    • Documentation management plan
    • Business Associates
    • Privacy
    • Security
    • Breach
  • How to motivate myself to take the first bite of the elephant?
    • Every single week start with one task that must be completed
      • Policy or procedure reviewed
      • BA evaluated and audited
      • Procedure audited
      • Training class attended
    • Allocate time to complete a task each week
      • It isn't something you do last; it should be as important as completing your accounting reports, payroll, accounts receivable management, etc.
      • Build the habit or assign it to someone who has the time to apply to getting it done.
    • Build on what you started
      • HIPAA compliance is never "done"

Check out the latest episode!