e2o HIT Blog
Six Best Practices for Protecting ePHI from SANS Security Model
The SANS security model provides a good framework for protecting, storing and transmitting ePHI with a focus on security rather than paperwork.
HIPAA compliance does NOT equal a plan for secure PHI.
SANS Security Model Best Practices
Six best practices for securing ePHI using the SANS Security Model and HIPAA compliance:
1. Defensive Wall 1 - Proactive Software Assurance
- Application security skills assessment and certification
2. Defensive Wall 2 - Blocking Network-Based Attacks
- Intrusion Detection/Prevention Systems (IDS/IPS), Firewalls (FW), Managed Security Services (MSS)
3. Defensive Wall 3 - Blocking Host-Based Attacks
4. Defensive Wall 4 - Eliminating Security Vulnerabilities
- Vulnerability management, patch management, penetration testing
5. Defensive Wall 5 - Safely Supporting Authorized Users
- Encryption, Virtual Private Network (VPN), Data Loss Prevention (DLP)
6. Defensive Wall 6 - Tools to Manage Security and Maximize Effectiveness
- Log management, SIEM, training, forensics
As HIPAA Audits Start from OCR, Small Practices Remain Unprepared
In March 2015, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) launches its first formal round of HIPAA audits, covering around 400 healthcare providers. Are they ready? Will they show compliance? What happens if they don't? What can they do to prepare?
It turns out that while many hospitals are ready for OCR inspectors, most solo doctors and small physician practices aren't. OCR isn't saying what the penalties will be, but many industry observers say the noncompliant physicians and healthcare systems face hefty penalties.
Unprepared doctors and practices shouldn't throw their arms up, even as HIPAA audits loom. There's a lot they can still do to show compliance. First, they need a plan specific to them, not something off the shelf. Contact HIPAA Watchdog at www.hipaawatchdog.com or (800) 409-0096 today to have a security risk assessment and employee training completed. A Risk Management Plan and Policies and Procedures will be customized for your practice as part of the comprehensive risk assessment done on HIPAA Watchdog.
HIPAA Breaches since 2009 in California
A tally of reported HIPAA security breaches since 2009 (Healthcare IT News, 3-12-15) shows an industry still unprepared to keep data safe. More than 41 million people nationwide have had their protected health information compromised in HIPAA privacy and security breaches. Using data from the Department of Health and Human Services, which includes HIPAA breaches involving more than 500 individuals, reported by 1,149 covered entities and business associates, the tally compiles a sortable, searchable list for our readers. To view the list which can be searched by State, go to List of HIPAA Breaches.
Of the 1,149 reported breaches, 126 occurred in California, and for the 100 of them with a reported headcount, 2,393,125 people were affected. The breach types reported were theft; hacking and IT incidents; improper disposal, loss or theft of paper records and film; and unauthorized access or disclosure.
e2o Health and HIPAA Watchdog recommend that practices and clinics adopt self-auditing methods based on the 10 tips for preventing security breaches published in February and March 2015 on www.hipaawatchdog.com.
2014 & 2015 Meaningful Use Timelines and Deadlines Update
Important Timeline and Deadline Changes
for Eligible Professionals
February 27, 2015
2014 Flexibility Rule MU Attestations
DHCS anticipates that the State Level Registry (SLR) will be able to accept 2014 meaningful use (MU) applications from eligible professionals wishing to use the Flexibility Rule beginning on March 24, 2015. Among other provisions, the Flexibility Rule allows professionals who were delayed in accessing 2014 CEHRT due to vendor issues to attest to 2013 Stage 1 objectives and measures in 2014 using CEHRT that was certified to 2011 standards.
The deadline for applying for 2014 MU has been extended to May 31, 2015 because of the delay in the ability of the SLR to accept 2014 MU applications under the Flexibility Rule.
2015 MU Attestations
The SLR will not begin accepting MU applications for 2015 until June 1, 2015 in order to prevent overlap of the MU applications periods for 2014 and 2015.
2015 Public Health Registration
The deadline for professionals to register with public health agencies for submitting Stage 2 public health objectives in 2015 is March 1, 2015. However, this deadline will not apply if CMS follows through with its announced intent to change from a full year to a 90-day reporting period in 2015. If this change is implemented the deadline to register with public health agencies will be 60 days after the first day of the 90-day reporting period chosen by the professional.
Switching Between Incentive Programs
The deadline for professionals to apply to CMS to switch between the Medicare and Medicaid EHR Incentive programs has been extended by CMS to March 20, 2015. Professionals will need to access their accounts in the National Level Registry at (https://ehrincentives.cms.gov/hitech/login.action) to initiate this one-time switch
Preventing Security Breaches -- How to Survive an Audit
From 2009 to 2014, reports of health data breaches affecting 500 or more people reached 1,176, more than a hundredfold increase over the preceding five-year period.
HIPAA compliance checklists, covering what hospitals are already doing and what individual practitioners should pay attention to, include the following steps:
- Adopt HIPAA-compliant privacy and security measures for all protected health information, or PHI, defined by the law as any medical data that is individually identifiable
- Conduct security risk assessments to identify potential vulnerabilities
- Ensure that the EHR used by the doctor or practice can substantiate every claim made about the privacy and security of the medical records it holds, rather than taking the vendor's word for it
- Maintain paper documents for at least six years to support clinical quality measures
- Develop formal policies and training procedures for staff members that are tailored to the workflow of the organization
- Conduct regular training to change the behavior of employees who don’t comply with privacy and security measures or aren’t aware of them
- Conduct self-audits to test procedures for ensuring confidentiality and security of PHI
Prevent Security Breaches Tip #4: Report Breaches Using the HHS Online Tool
Report Breaches Online
The Department of Health and Human Services has released a new online portal that simplifies breach reporting. Improvements are still being added, such as questions about the actions taken in response to the breach. Business Associates can also enter breaches using this tool. Reporting early and documenting the actions taken makes a penalty less likely.
Some of the responses that organizations can check off are: adopting encryption technologies; changing or strengthening password requirements; creating new or updated security rule risk management plans; implementing new technical safeguards; improving physical security; revising business associate contracts; and providing training or retraining to BAs or workforce members.
Employee Snooping and Insider Misuse Prove to be among Biggest Privacy Threats
Employee breaches of HIPAA privacy and security are common and are considered one of the greatest risks to the security of electronic protected health information (ePHI) in health organizations. The main reason is the lack of adequate HIPAA privacy and security training, and of role-specific refresher training, for all employees who have access to patient medical records. All employees within the health organization must be HIPAA trained and demonstrate it by passing the training exam.
The second reason is that the Security Rule's access-control safeguards have not been implemented and enforced in the facility: unique user logons (a technical safeguard), password management and log-in monitoring (administrative safeguards), backed by monitoring software that tracks employees' access to the EHR daily and submits weekly reports to the HIPAA Security Officer.
HIPAA Watchdog offers online video training with interactive quizzes as part of the educational model. An online exam can be taken after completing the training, and the results will be sent to the HIPAA Security officer at the facility. If the employee passes the exam, a downloadable certificate is generated.
All health organizations are required to have an annual HIPAA Security Risk Assessment (SRA) done to meet meaningful use requirements and to comply with the HIPAA Security Rule. The SRA consists of six assessments: administrative safeguards, physical safeguards, technical safeguards, HIPAA Privacy, HITECH, and policies and procedures. Completing an SRA is a five-step process that can be done online with the help of a HIPAA security expert using the HIPAA Watchdog Security Compliance software-as-a-service.
Employee Sacked after Snooping Patient EMR Records
Your organization can have the most well-crafted privacy and security policies in the world. But if those policies are accompanied by lukewarm emphasis and no accountability, or your staff just downright ignores them, you have a big security problem – just like the folks at one Ohio-based health system did last week.
Cleveland-based University Hospitals on Friday notified nearly 700 patients of a HIPAA privacy breach after one of its employees was caught snooping on confidential medical records. What's more is the employee was able to inappropriately access patient medical and financial records for nearly three and a half years without UH knowing.
UH had received a complaint over the employee's inappropriate access to the health system's electronic medical record system, and only after the allegation did UH audit the user's EMR access, according to a UH spokesperson. On Oct. 2, health system officials discovered the staff member had been snooping into the EMRs of 692 patients from January 2011 through June 2014.
The staff member, whose employment has since been terminated, was able to gain unfettered access to patient names, medical diagnoses, health insurance numbers, dates of birth, home addresses and additional treatment data. Other patients had their Social Security numbers, financial data, credit card numbers and driver's license numbers viewed.
"UH takes the protection of patient health information very seriously," wrote UH officials in a Nov. 28 press release. "UH continually evaluates and modifies its practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters."
Evidently, they did not take it seriously enough until a breach was discovered.
Former Health Plan Employee Slated to get Jail Time
When it comes to data breaches, hacking and loss or theft of unencrypted devices are far from healthcare security professionals' only concerns. Employee snooping and insider misuse also prove to be among the biggest privacy threats in the healthcare sector today.
Just last week, a former Tufts Health Plan employee was convicted of disclosing patient information in a fraudulent tax refund scheme after stealing the personal data of more than 8,700 members. The former employee, Emeline Lubin, started working at Tufts Health Plan in Watertown, Mass., in 2010. Over that period, Lubin sent lists of member data to a Florida man so that he could file false income tax returns. Lubin could face up to five years in prison and a $250,000 fine.
What to Do in Case of a HIPAA Breach
HIPAA Breach Tips
1. First, in preparing for a HIPAA breach, organizations should engage their risk management department and look into purchasing cyber insurance. But know what is in the policy: many cyber insurance policies are service agreements with pre-selected approaches to handling breaches and the subsequent notification. Be very careful what you buy.
2. Next, employ a centrally managed platform to detect and prevent unauthorized use and transmission of data. Then perform a rolling risk assessment with continual security improvements.
3. Train and authenticate personnel. HIPAA Watchdog has a training video that all employees should watch. Our recommendation is to follow the video with job-specific HIPAA incident training in your practice.
4. Training should also be robust: not everybody who needs to be trained is getting trained.
5. After training, limit employee access to the EHR and medical charts on a need-to-know basis. Policies on notification, mitigation and reporting also need to be published and distributed to all employees.
6. If a breach still occurs, create an internal report. Breach notification should go all the way up the organization chart to the CEO before HHS and the press are notified.
7. Covered entities and business associates must notify affected individuals, HHS and (for breaches affecting more than 500 people) the media no later than 60 days after discovery, but the rule also requires notification without unreasonable delay, so 60 days is an outer limit, not a target. It is better to report sooner; an organization that waits until the last minute loses a great deal of trust.
8. Immediately following the breach, change passwords and authorizations and preserve all evidence and documentation. Involving legal counsel to establish attorney-client privilege can also prove beneficial.
9. Finally, remediate the root cause.
e2o Health Collaborates with AAOS and HIMSS in an Instructional Webinar on MU-Stage 2 Attestation
e2o Health in Collaboration with American Academy of Orthopedic Surgeons (AAOS) in Rosemont, Illinois and HIMSS
to Present a 90-Minute Instructional Webinar
on MU-Stage 2 Attestation in January, 2015
e2o Health is honored to join AAOS, an orthopedic surgeon and a representative from HIMSS in presenting a 90-minute educational webinar on MU-Stage 2 Attestation. The webinar will reach an audience of some 27,773 surgeons on record with AAOS through their web portal, http://www.aaos.org/.
With this opportunity, e2o Health and its subsidiary companies, Meaningful Use Experts and HIPAA Watchdog, reach out nationally, for a second time, with Meaningful Use education and support for thousands of doctors in a specialty practice.
HIPAA Breach Response Tips
A recent article from Healthcare IT News pointed out that some 90 percent of healthcare organizations surveyed have reported at least one data breach in the past two years, with more than a third seeing more than five breaches. Responding to these breaches in the proper manner proves integral not only to reining in costs and avoiding litigation but also to maintaining the integrity of the organization.
First, in preparing for a HIPAA breach, organizations should engage their risk management department and look into purchasing cyber insurance. But know what is in the insurance policy, as many cyber insurance policies are service agreements with pre-selected approaches to dealing with breaches and the subsequent notification.
Next, an organization should employ a centrally managed platform to detect and prevent unauthorized use and transmission of data. Then it is a matter of performing a rolling risk assessment, with continual security improvements.
Third, make sure you train and authenticate personnel. We advocate against the use of online-based training exercises. Our recommendation is much more job-specific HIPAA incident training, as it typically proves more effective in the long run.
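The "centrally managed platform to detect and prevent unauthorized use and transmission of data" in the second tip here, and in the same step of the list under "What to Do in Case of a HIPAA Breach", is in practice a data loss prevention (DLP) check on outbound content. The script below is an added example, not e2o Health's managed platform or any vendor's rule set. It scans a message for identifiers that mark it as PHI (Social Security numbers using the SSA's structural rules, a made-up medical record number format, and payment card numbers confirmed with a Luhn check), masks them so that the alert or log entry does not itself become a disclosure, and applies an assumed policy: allow inside the organization, encrypt to approved business associates, block everything else. The MRN format, the domains and the sample message are all constructed for illustration.

```python
"""Outbound PHI check (a minimal data loss prevention rule).

Added example with assumed patterns and policy: the MRN format and the
recipient domains are illustrations, not any product's rule set.
"""
import re

# SSN with the SSA's structural rules: area not 000, 666 or 9xx; group not 00;
# serial not 0000. Groups 1-3 capture area, group and serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Assumed facility MRN format: three letters and six digits after "MRN".
MRN_RE = re.compile(r"\bMRN[:\s]*([A-Z]{3}\d{6})\b")
# Candidate payment card numbers: 13 to 16 digits with optional space or
# hyphen separators; each candidate is confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum; filters out most random digit runs of card length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, masked) findings. The raw identifier is never returned,
    so the alert or log entry does not itself leak PHI."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group(3)))
    for m in MRN_RE.finditer(text):
        findings.append(("mrn", m.group(1)[:3] + "*" * 6))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# Assumed policy: PHI may flow inside the organization, must be encrypted to
# approved business associates, and is blocked to anyone else.
INTERNAL_DOMAINS = {"clinic.example"}
BUSINESS_ASSOCIATE_DOMAINS = {"billing-partner.example"}


def decide(recipient, text):
    """Return (action, findings) for one outbound message."""
    findings = scan(text)
    if not findings:
        return "allow", findings
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow", findings
    if domain in BUSINESS_ASSOCIATE_DOMAINS:
        return "encrypt", findings
    return "block", findings


if __name__ == "__main__":
    # Constructed message; the card number is the widely used Visa test value.
    msg = "Patient MRN: ABC123456, SSN 123-45-6789, card 4111 1111 1111 1111."
    for rcpt in ("nurse@clinic.example", "ops@billing-partner.example", "x@mail.example"):
        print(rcpt, decide(rcpt, msg))
```

Two design points matter more than the patterns themselves. First, the structural checks (SSN area and group rules, Luhn) are what keep false positives manageable; a bare nine-digit or sixteen-digit regex would flag invoice numbers and phone numbers all day and staff would learn to ignore the alerts. Second, the findings are masked before they leave the function, because a DLP alert that copies the full SSN into a ticketing system has just created a new copy of PHI outside the EHR. Note also that the allow/encrypt/block decision assumes the business associate agreement is already in place for the listed partner domain; the tool enforces policy, it does not create it.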
e2o Health provides comprehensive workflow training for all of your staff on HIPAA Privacy and Security and can help you with a managed platform to detect and prevent unauthorized use of data.
Call us at (800) 409-0096 for a free Security Readiness Assessment
If your referral results in a sale, you'll receive a gift card for Ruth's Chris Steak House.