Friday, October 30, 2015

Episode 25: Halloween Special - Scary HIPAA Stories


This week we get in the Halloween spirit and share some scary stories of the kind that give you compliance nightmares.


Check out the latest episode!

Friday, October 16, 2015

Episode 23: If it moves - encrypt it.


Description

We explained the concepts of encryption in Episode 2: Let’s Talk Encryption but people continue to ask more about what they really need to do with encryption.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Episode 2: Let’s Talk Encryption

The government and privacy advocates can’t agree on what ‘strong’ encryption even means

Notes

First, what encryption can and can't do for you.

  1. VPN, HTTPS/TLS (what most people still call SSL), SFTP, etc. protect communications, i.e. data in transit, from prying eyes.
  2. Everything else is about encrypting data at rest on the devices themselves.

If you encrypt data on a device but you are hacked while you are logged into the device, encryption isn't much help: the operating system decrypts transparently for whoever holds your session, malware included. Encryption is helpful when someone tries to access the data on the device without your key (or password) - a lost laptop, a stolen drive, a disk pulled out of a retired copier.

Strong encryption is also subjective - there is no solid authority on what is really strong encryption, partly because law enforcement wants a back door. The closest thing HIPAA has to a written target is the HHS breach notification guidance: PHI at rest encrypted consistent with NIST SP 800-111, and PHI in transit encrypted with FIPS 140-2 validated processes (NIST SP 800-52, 800-77 or 800-113), counts as "secured" PHI, and losing it is not a reportable breach as long as the key was not lost with it.

What does HIPAA say about encryption? 45 CFR 164.312(e)(2)(ii): Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. (The at-rest counterpart, 164.312(a)(2)(iv), is just as vague.)

Not very helpful... Keep in mind that "addressable" does not mean optional: under 164.306(d) you either implement it, or document why it is not reasonable and appropriate for you and what you did instead.

What does OCR say about it? At NIST / OCR HIPAA 2015 conference: If it moves it should be encrypted.

Now that's a line that can be drawn.

  • Encryption of your files stored in the cloud (certainly something that moves)
  • File-level encryption by an application on the computer, applied to specific files, e.g. 7-Zip archives with AES-256
  • Windows built-in encryption: BitLocker (whole volume) and EFS (individual files and folders)
  • NAS and flash drives with built-in hardware encryption
  • Built-in encryption on your phone
  • Cloud-based encryption management through MDM - AlertBoot, MaaS360, ManageEngine https://www.manageengine.com/mobile-device-management/

Create an encryption plan:

  • Include all devices - laptops, phones, external drives, etc.
  • Write down the required specs, e.g. AES-128 at minimum or FIPS 140-2 validated modules, so "encrypted" means the same thing on every device
  • Methods used for implementation on each type of device
  • Encryption key management plan - who holds recovery keys, where they are escrowed, and what happens when someone leaves or a device is lost
  • Audit and verification plan - how you prove, with dated evidence, that a given device was encrypted on the day it went missing
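As an added example (not from the show notes or the podcast), here is how the "audit and verification" and "key management" items of the plan can be carried out on a Windows endpoint with the BitLocker PowerShell module. The approved-method list, the report folder and the -EscrowToAD switch are this example's own assumptions; the cmdlets are the standard ones shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example: audit BitLocker on this machine against a written encryption spec
# and (optionally) escrow recovery passwords to Active Directory.
# Assumes the BitLocker module is present and, for -EscrowToAD, a domain-joined host
# with the "Store BitLocker recovery information in AD DS" policy in place.
[CmdletBinding()]
param(
    # The spec from your encryption plan: which BitLocker methods are acceptable (assumed list).
    [string[]]$ApprovedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256'),
    [switch]$EscrowToAD,
    # Where the dated evidence goes (assumed path).
    [string]$ReportDir = "$env:ProgramData\EncryptionAudit"
)

$report = foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Each check maps to one line of the written plan; a compliant volume has no findings.
    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status is $($vol.VolumeStatus)" }
    if ($vol.ProtectionStatus -ne 'On')         { $findings += 'protection is off or suspended' }
    if ($ApprovedMethods -notcontains "$($vol.EncryptionMethod)") {
        $findings += "method $($vol.EncryptionMethod) is not in the written spec"
    }
    if ($recovery.Count -eq 0) { $findings += 'no recovery password protector, so nothing to escrow' }
    if ($vol.VolumeType -eq 'OperatingSystem' -and $tpm.Count -eq 0) {
        $findings += 'OS volume is not TPM protected'
    }

    # Key management: copy every recovery password to the computer object in AD
    # so a lost laptop can still be recovered after the user is gone.
    if ($EscrowToAD) {
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $vol.MountPoint
        Type       = $vol.VolumeType
        Status     = $vol.VolumeStatus
        Method     = $vol.EncryptionMethod
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
        Checked    = (Get-Date).ToString('s')
    }
}

$report | Format-Table MountPoint, Type, Status, Method, Compliant, Findings -AutoSize

# The audit plan needs a dated record you can produce later, not a console glance.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$report | Export-Csv -Path (Join-Path $ReportDir "$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
```

Run it elevated on each laptop (or push it through your RMM) and keep the CSVs: when a device goes missing, the dated row showing FullyEncrypted with an approved method is what turns "lost laptop" into "not a reportable breach". The escrow step only works for volumes that already have a recovery password protector, which is why a missing one is reported as a finding rather than silently skipped.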

Check out the latest episode!

Episode 23: To BAA or not to BAA, that is the question....


Description

Business Associates and required BAAs are discussed often but not resolved quickly. Let's talk about some ideas and issues that go with BAAs.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

Who is a BA?

  • A business partner who provides a service to a CE or BA that requires them to create, receive, maintain or transmit (CReMaT) PHI.
    • Anyone with persistent access to ePHI is a BA whether they ever do anything with it or not - the fact that they CAN access it is what matters.
  • Complexity is increasing
    • Dietitians at a hospital need the diet orders from the scripts, but their employer never stores, accesses, or has persistent access to that PHI; only the workforce sees it. The CE should train them on the Privacy Rule.
      BA means it is not your data, but you have it, or have access to it, from the CE that owns it.
    • A medical director could be a BA or could be a workforce member depending on the contract they have with the employer.
  • ACO formed by hospital as a completely separate legal entity
    • But the ACO is staffed by hospital employees
    • Plus the hospital provides IT services to the ACO legal entity
    • Now that would make the hospital a BA of the ACO which is really the hospital.
      • So, the hospital is a BA to itself
  • Maintaining PHI vs. maintaining facilities with PHI
    • Data center where you store your servers. Are they a BA?
      • NO. They are just the landlord for your server, so they aren't a BA.
      • YES. Physical, administrative, and technical safeguards are used to protect it, though.
        • You are outsourcing part of your obligations because they are doing all of the physical safeguards for you, so you should make them a BA.
    • It can be argued both ways, but 2 out of 3 lawyers said BA, and a poll of the room said they are a BA, not just a landlord.
      • BCBS of TN left drives at an old office and the landlord was securing the site
        • OCR's response: why was there no BAA if that is the case?
        • The resolution ($1.5 million settlement in 2012) didn't mention the BA argument, but the size of the fine clearly showed the OCR lawyers didn't consider the drives protected sitting in a closet of a facility you used to lease.
  • If you sell server space and store encrypted PHI, you are a BA under current guidance.
    • Many will argue this point, though.
    • You have to be prepared to decide for yourself.
  • Even if you don't treat them as a BA, you should have an agreement of some sort that protects the PHI.
  • OCR working on Cloud Computing Guidance
    • The Security Rule, written early in this century, couldn't really consider all the things that are done today
    • It predates cloud computing, when everyone had their own servers in their offices or owned huge data centers
  • You can't just counter this issue by making everyone sign a BAA, though.
    • Bad for the business that signs it and either fails to comply or does work it may not need to be doing.
    • Bad for you because you are managing contracts that don't need to be managed and opening up cans of worms we haven't even found yet.
    • Make a decision about your business and be prepared to explain your logic.
  • If you are doing the work of a BA, you are a BA whether or not you signed a BAA.

Included in BAA

  • We are not lawyers, but we are talking about the contracts just a little bit here
    • Ask your attorney for advice on this stuff; don't rely on us or any other consultant for that advice
    • Also, get a HIPAA attorney, not a tax attorney
  • You should be reading these things, not just signing them
  • Indemnification can be included and you need to know what you are committing to
  • Insurance requirements
    • Yours, mine, ours for cybersecurity
    • What does it really cover, not just whether you have it
    • New complexity in negotiations when you don't carry the maximum coverage level your big clients require
  • State law requirements
  • 60 days - how far down the BA chain could it go if each link gets 60 days to notify the next?
    • Shorten the days, but not too short
    • Give them time to figure things out, unless you want to hear about every incident that turns out to be fine
  • Breach notification responsibilities
    • Can the BA notify a huge number of people within 60 days?
      • Do they even have the resources to make that happen?
  • De-identification of PHI clause is there to prevent selling of data
    • They don't have to take out the doctor's name if they take out all the other identifiers
      • That means some of your valuable info could end up in a file that gets sold because it contains no PHI
  • Indemnification
    • What liability limits are you going to include?
    • If I am acting reasonably then I shouldn't have to bear the whole burden, but if I am reckless then it is fair to put most of the burden on me
  • The Security Rule may not go far enough, but you can up the ante in your agreements
    • Should you require that encryption be used both at rest and in transit?
    • Agreements may start to specify exactly which security standards you must adopt, which creates new problems

Assessing BAs

  • "I have a BAA so I don't have to worry" - not a good idea
  • Does HIPAA even apply if they are offshore?
    • OCR has little reach into other countries, but your obligations as the CE don't go away - do you know where your PHI really lives?
  • A CE is not responsible for the acts of a BA with a signed BAA, but
    • If you are aware of a pattern of non-compliance and don't act on it, then you would be liable
    • How much do you want to be unaware of vs. aware of in advance of a problem happening?
  • What PHI are you talking about is key in assessing each situation
    • Medical only
    • Demographics
    • SSN and Credit Cards
    • Is it mental health, domestic abuse, STDs, etc with special limitations
  • Just because they have a SAS 70, SSAE 16, or SOC 1, 2, or 3 report doesn't mean it was a good assessment, nor that it covers what you need covered for HIPAA
    • It does provide a benchmark, but that isn't necessarily enough for HIPAA
  • A sophisticated BA questionnaire is where most CEs are moving until standards are made more specific
    • Provides more specifics about the compliance programs
      • Training
      • Who is really in charge for you to deal with in a crisis
  • Do you audit the BA after the fact?
    • Once you learn problems you have to deal with them
    • Would you rather know or not know, that is the question
  • The easiest and quickest way to know is to let the tech geeks talk to each other and form their own opinions of what is happening
    • Let us handle the questions to ask
    • We have to deal with each other anyway
    • No one else really understands
  • If you are a BA, have something you can show CE/BA clients proactively, before they ask

Check out the latest episode!

Friday, October 9, 2015

Episode 22: So you think you're covered by cybersecurity insurance. Well...


Cybersecurity coverage being challenged in court has some important points that all businesses should consider.

Links

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Help Me With HIPAA 

Notes

COLUMBIA CASUALTY COMPANY v. COTTAGE HEALTH SYSTEM

Data breach occurred

  • Breach announcement said: between October 8, 2013 and December 2, 2013, PHI of approximately 32,500 patients on the CE's servers was disclosed to the public via the internet.
  • The hospital got a voicemail message from a third party, who informed it that he was able to read the PHI online.
  • Patients seen Sept. 29, 2009, to Dec. 2, 2013 were affected; the data included names, addresses, DOB, MR#, Acct#, diagnoses, lab results and procedures performed. No financial information or Social Security numbers were involved.
  • Insync, their IT vendor at the time, left anonymous access for FTP traffic active on an internet-facing server on or about Oct. 8, 2013. The change allowed ePHI to become available to the public via Google's search engine. The server was taken offline immediately on Dec. 2 once the call came in.
    • Insync doesn't mention healthcare on their website any more
    • People make mistakes, even the IT folks - theirs are just big ones
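The failure above is trivially checkable from the outside, and that is the point: if a stranger could find it through Google, you could have found it first. The following is an added example (not from the show notes, the podcast, or the case filings) that probes a list of your own internet-facing hosts for an FTP server that accepts anonymous login and returns a directory listing. The host names are placeholders; the function uses the .NET FtpWebRequest class that ships with Windows.

```powershell
# Added example: detect anonymous FTP on hosts you are authorized to test.
# A host that returns a listing here is readable by anyone, crawlers included.
function Test-AnonymousFtp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$HostName,
        [int]$TimeoutMs = 5000
    )
    process {
        $result = [pscustomobject]@{
            Host      = $HostName
            Anonymous = $false
            Listing   = @()
            Detail    = $null
        }
        try {
            $req = [System.Net.FtpWebRequest]::Create("ftp://$HostName/")
            $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
            # The classic anonymous login: user "anonymous", any e-mail address as the password.
            $req.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'audit@example.com')
            $req.Timeout     = $TimeoutMs
            $req.UsePassive  = $true

            $resp   = $req.GetResponse()
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $raw    = $reader.ReadToEnd()
            $reader.Close(); $resp.Close()

            $result.Anonymous = $true
            $result.Listing   = @($raw -split "`r?`n" | Where-Object { $_ } | Select-Object -First 10)
            $result.Detail    = 'anonymous login accepted and a directory listing was returned'
        }
        catch [System.Net.WebException] {
            # "530 Login incorrect" means anonymous is off; a timeout means nothing is listening.
            $result.Detail = $_.Exception.Message
        }
        catch {
            $result.Detail = "error: $($_.Exception.Message)"
        }
        $result
    }
}

# Constructed target list for illustration only; replace with your own external hosts.
$targets  = @('ftp.example.internal', 'web1.example.internal')
$findings = $targets | Test-AnonymousFtp

$findings | Format-Table Host, Anonymous, Detail -AutoSize
$findings | Where-Object Anonymous | ForEach-Object {
    Write-Warning "$($_.Host): anonymous FTP is open; first entries: $($_.Listing -join ', ')"
}
```

Run it from outside your own network (a cloud VM or a home connection) so you see what the internet sees, and schedule it: the Cottage Health server was open for almost two months before an outsider called. A listing that comes back empty is still a finding, since anonymous write access on an empty share is what turns a server into someone else's file drop.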

Law Suits and Investigations

  • Civil suit filed January 27, 2014 and settled December 2014
    • $4.125 million along with related expenses and attorneys' fees
    • 50,917 patients included in the settlement
  • On-going investigation for HIPAA violations currently
    • Involves the CA Dept. of Justice and likely OCR
    • The DOJ proceeding will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws and may potentially result in the imposition of fines, sanctions or penalties.

Insurer Columbia Casualty filed suit

  • Saying they shouldn't have to pay the $4.125 million claim, nor any expense they have incurred or will incur over this case
    • Columbia also seeks a declaration of its entitlement to reimbursement in full from Cottage for any and all attorney's fees or related costs or expenses Columbia has paid or will pay in connection with the defense and settlement of the class action lawsuit and any related proceedings, and an award of damages consistent with such declaration.
  • Insync, the IT company, does not maintain sufficient liquid assets to contribute towards the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the underlying action.

Why does Columbia think they shouldn't pay?

  • The Columbia Policy contains the following exclusion: "Whether in connection with any First Party Coverage or any Liability Coverage, the Insurer shall not be liable to pay any Loss: Failure to Follow Minimum Required Practices based upon, directly or indirectly arising out of, or in any way involving... Any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing."
    • It also voids the policy over the application itself: "This Policy shall be null and void if the Application contains any misrepresentation or omission: a. made with the intent to deceive, or b. which materially affects either the acceptance of the risk or the hazard assumed by the Insurer under the Policy."
  • The Columbia Policy application contained the following questions, each answered "Yes" by the hospital:
    • Do you check for security patches to your systems at least weekly and implement them within 30 days? Yes
    • Do you replace factory default settings to ensure your information security systems are securely configured? Yes
    • Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? Yes
    • Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? Yes
    • Whenever you entrust sensitive information to 3rd parties do you...
      • contractually require all such 3rd parties to protect this information with safeguards at least as good as your own? Yes
      • perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors)? Yes
      • audit all such 3rd parties at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? Yes
      • require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality? Yes (which Insync did not)
    • Do you have a way to detect unauthorized access or attempts to access sensitive information? Yes
    • Do you control and track all changes to your network to ensure it remains secure? Yes
  • Failure to Follow Minimum Required Practices is clear according to the insurance company, which is why they say they shouldn't have to pay:
    • failure to replace factory default settings, i.e. failure to ensure that its information security systems were securely configured
    • failure to regularly check and maintain security patches on its systems
    • failure to regularly re-assess its information security exposure and enhance risk controls
    • failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers
    • failure to control and track all changes to its network to ensure it remains secure
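The first application question ("check for security patches at least weekly and implement them within 30 days") is one you can verify on every Windows host instead of taking on faith. The script below is an added example, not from the show notes or the case, that asks the Windows Update Agent COM API what this machine is missing and how old each missing update is; the 30-day and 7-day windows are the application's numbers, and the output shape is this example's own.

```powershell
# Added example: measure a host against "patches checked weekly, applied within 30 days".
# Uses the built-in Windows Update Agent COM API; run elevated on the host being audited.
function Get-PatchCurrency {
    [CmdletBinding()]
    param([int]$MaxAgeDays = 30, [int]$MaxSearchAgeDays = 7)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that apply to this machine but are not installed (this queries WSUS/Microsoft Update).
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)
    $overdue = foreach ($u in $pending) {
        # LastDeploymentChangeTime is when Microsoft published or last revised the update.
        # Still missing after the window means the 30-day promise on the application is broken.
        if ($u.LastDeploymentChangeTime -lt $cutoff) {
            [pscustomobject]@{
                Title     = $u.Title
                KB        = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
                Severity  = $u.MsrcSeverity
                Published = $u.LastDeploymentChangeTime
                AgeDays   = [int]($now - $u.LastDeploymentChangeTime).TotalDays
            }
        }
    }

    # The "check weekly" half: when did this machine last complete a successful scan?
    $auto       = New-Object -ComObject Microsoft.Update.AutoUpdate
    $lastSearch = $auto.Results.LastSearchSuccessDate

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastSearch      = $lastSearch
        SearchTooOld    = ($lastSearch -lt $now.AddDays(-$MaxSearchAgeDays))
        PendingUpdates  = $pending.Count
        OverdueUpdates  = @($overdue).Count
        Overdue         = @($overdue)
    }
}

$status = Get-PatchCurrency -MaxAgeDays 30 -MaxSearchAgeDays 7
$status | Select-Object Computer, LastSearch, SearchTooOld, PendingUpdates, OverdueUpdates | Format-List
$status.Overdue | Sort-Object AgeDays -Descending | Format-Table Title, KB, Severity, AgeDays -AutoSize
```

A host with SearchTooOld = True or OverdueUpdates greater than zero contradicts the "Yes" on the application. Collect the object from every machine on a schedule and keep the results; if a claim is ever contested, a year of reports showing zero overdue updates is the evidence that you were doing what you said, and a handful of bad months is something you want to discover before the insurer does.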

Final Notes

  • If you don't have coverage you really should be looking at it, because this isn't going to get easier as these things continue to occur.
  • If you do have coverage you should revisit that application and check that you are actually following the practices you said you were following. This probably won't be the last time this kind of thing comes up.
  • If you are a BA, you should check yourself and your coverage, because your clients may start asking what you have covered before they will do business with you.

Check out the latest episode!

Friday, October 2, 2015

Episode 21: Where does your fruit hang?


Show Notes

If people were shocked that no one was actually watching for security holes at Ashley Madison, you can bet they will be shocked that you haven't been looking, because healthcare is supposed to be private.

Ashley Madison: Nobody was watching

Top 10 Tech Companies with Ashley Madison Accounts

What kinds of things do you need to do to actually be considered looking for them, though?

  • HIPAA Compliant IT
  • Router / firewall testing showed a 600% increase in unique vulnerabilities discovered last year (OCR / NIST conference)
    • Within hours or days of a software (firmware) release, vulnerabilities will be identified.
    • Keep firmware up-to-date
  • UTM - what is a UTM?
    • Unified Threat Management: not just a router off the shelf at Best Buy
    • IPS
    • Antivirus
    • Support subscription! (without it the IPS and antivirus signatures stop updating and the box quietly becomes a plain router)
  • Reporting each month - look at what is going on; if you have IT they can do it, but you should be asking them for the reports.
  • Printers / copiers are easy for hackers to get to first
    • Smart TVs too
  • Patching helps when
  • Hackers
    • Start with "low hanging fruit"
    • Beginning hackers look for easy challenges to practice their skills
    • Vulnerabilities are for sale to each other
    • They just want in to see what you have and then see where they can go
    • Hacktivists target you because of who works there, who you treat, or your type of business
  • There is no way to know how many different pieces of software from all over the world are used on any device or in any given application today
    • No list of ingredients on the back of your router or mobile device
  • None of this is new
    • We have all talked about it, but no one listens to the security people until it happens at your business, office, or home
  • 10 vulnerabilities account for nearly 97% of all exploits (Verizon 2015 Data Breach Investigations Report)
  • Write a little script yourself and you could be opening a hole, because you don't realize there are security implications to what you just wrote
Doctor convicted of illegally accessing medical records: a doctor having an affair looked at his mistress's medical records to see if she had any STDs. He pled guilty in federal court and kept his license, but must be monitored.


Check out the latest episode!