Time for your Practice to Revisit your Security Standards

Does your practice have safeguards in place to protect your HIPAA-sensitive information? Has your practice participated in security training or conducted a Risk Assessment? Do you have a mitigation plan in place if your practice does experience a breach of its data? These are all important and relevant questions to be asking yourself as a provider moving into the New Year. According to a recent report released by Experian, the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually in 2015.

Experian’s almanac predicts a stormy forecast ahead for the healthcare industry as the threats grow. The report points to many vulnerabilities: the expanding number of access points to protected health information (PHI) and other sensitive data via electronic medical records, together with the growing popularity of wearable technology, makes the healthcare industry a vulnerable and attractive target for cybercriminals.

“We expect healthcare breaches will increase – both due to potential economic gain and digitization of records. Increased movement to electronic medical records and the introduction of wearable technologies introduced millions of individuals into the healthcare system, and, in return, increased the potential for data breaches,” the report notes.

“Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals,” the authors add. “The problem is further exasperated by the fact that many doctors’ offices, clinics and hospitals may not have enough resources to safeguard their patients’ PHI. In fact, an individual’s Medicare card – often carried in wallets for doctors’ visits – contains valuable information like a person’s Social Security number that can be used for fraud if in the wrong hands. Currently, we are not aware of any federal or law enforcement agency which tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged.”

The takeaway? Security breaches are a real and increasing threat to the healthcare industry, and taking the proper precautions and implementing security standards, processes and protocols is no longer an option but a necessity. Consult with a security expert today for a Security Assessment and Mitigation Plan at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com), 1-800-376-0212 or contact@ehrpmc.com.

HIPAA Compliant v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white, but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate in the medical security community as to what safeguards must be taken to assure that your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess was hit with a hefty fine when a provider’s unencrypted laptop containing patient information was stolen. This incident was responsible for leaking sensitive information of more than 41 million patients. This is clearly a black and white case of negligence, which is why the fine was levied. However, what if the laptop was encrypted and the owner was robbed at knifepoint and forced to disclose the password? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Women’s Hospital, this is exactly what happened to one of their physicians, creating an interesting interpretation of the HIPAA Privacy Rule and Security Rule. This most recent incident involved the theft of two devices that contained patient-related information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question is whether encryption alone satisfies a healthcare organization’s responsibility under the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is no: encryption alone is not enough. HHS defines encryption under the HIPAA Security Rule as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” In other words, once the key or password is disclosed, the encryption no longer protects the data.

This is the third HIPAA breach for BWH, according to data from HHS – and the third theft. BWH is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With the advances of technology and the sharing of information comes the responsibility to protect that information. The government has defined how that information is to be protected, but it is the responsibility of the healthcare organization to safeguard patient-sensitive information and put the proper precautions and mitigation plans in place to ensure security. Consult with a Security Expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com. Even if you have completed a Security Assessment and have a Mitigation Plan already in place, it’s better to have the assurance from a professional.


Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have affected such big-name companies as Target, Home Depot and, most recently, JP Morgan, where hackers reportedly stole financial information from over 76 million households. Financial information is understandably important to safeguard, but what about your personal information, such as your medical records and Social Security number, the most coveted piece of information? A recent healthcare data breach has affected 30 million people and counting; this information, however, includes patients’ Social Security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess, in Boston, MA, can attest to how this can happen to any healthcare organization, especially when the proper training and precautions are not put in place. Beth Israel Deaconess was hit with a heavy fine this month, after information was leaked in an incident occurring in 2012, when a physician’s personal laptop was stolen. The Massachusetts Office of the Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, healthcare data has become increasingly targeted, accounting for 43 percent of major data breaches reported in 2013. This year seems to be on the same pace, and a dark shadow has already been cast over 2015.

Although federal reporting rules require breach notification, that is, in my opinion, too little, too late. Hefty fines are turning the heads of many larger healthcare organizations: 69 percent of health security professionals in a 2013 survey said their organization has a data breach plan in place. That’s not a number to grant a sense of ease. In fact, it’s not the 40 percent of larger healthcare organizations that are unprepared that worries me; it’s the smaller private practices that have no plan or strategy in place and, much like in the Beth Israel Deaconess incident, are still carrying my private medical information and potentially my Social Security number on a personal laptop with no encryption to secure the contents of the computer.

The moral of this story…don’t be a victim. Take HIPAA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!

Security Tips from EHR & Practice Management Consultants, Inc.

Approximately 40% of healthcare organizations reported a criminal data attack this year.

Ask yourself: how can you put a multi-layer defense in place to prevent a breach?

What are the risks? Reputational risks? Data integrity risks?

Areas To Address:

  • Encrypt every device, and plan how to protect the data center from external and internal attacks
  • Have a Risk Analysis done properly, since the OCR is now asking up to 5 years back to show that you have made a conscious effort to mitigate your risks every year
  • Staff training and education, penetration tests, and cable locks or trackers for unencrypted devices all matter.
As previously mentioned in my blogs, the OCR stated that over 60% of breaches occur because of theft or loss of an unencrypted device. Therefore, it is important to keep track of any device that leaves the office! Unauthorized disclosure accounted for 16% of breaches. Hacking accounted for only 7% of actual breaches.
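The device-tracking point above lends itself to a simple, repeatable check that a practice can run against its asset inventory as part of its annual risk analysis. The following is an added example, not code from the original blog or from EHR & Practice Management Consultants: it audits a constructed sample inventory (the CSV column names and the 90-day check-in window are assumptions) and flags unencrypted portable devices, unencrypted stationary devices, devices with no assigned owner, and devices that have not checked in recently.

```python
"""
Audit a device inventory for the HIPAA risk-analysis items discussed above.

Every row in SAMPLE_INVENTORY is constructed sample data, not from any real
practice. The column names are assumptions about how a practice might keep
its inventory; adapt them to your own asset list.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (assumed CSV layout).
SAMPLE_INVENTORY = """asset_id,type,owner,encrypted,leaves_office,last_seen
LT-001,laptop,dr_smith,yes,yes,2014-12-01
LT-002,laptop,,no,yes,2014-11-20
USB-003,usb_drive,nurse_jones,no,yes,2014-09-15
DT-004,desktop,front_desk,no,no,2014-12-10
TB-005,tablet,dr_lee,yes,yes,2014-08-01
"""

# Device types that are portable by nature, even if not marked as leaving.
MOBILE_TYPES = {"laptop", "tablet", "usb_drive", "phone"}
# A device that has not checked in for this long may already be lost.
STALE_AFTER = timedelta(days=90)
# Fixed "today" so the sample audit is reproducible.
AS_OF = date(2014, 12, 15)


def parse_inventory(text):
    """Parse CSV text into a list of dicts with normalized field values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset_id": row["asset_id"].strip(),
            "type": row["type"].strip().lower(),
            "owner": row["owner"].strip(),
            "encrypted": row["encrypted"].strip().lower() == "yes",
            "leaves_office": row["leaves_office"].strip().lower() == "yes",
            "last_seen": date.fromisoformat(row["last_seen"].strip()),
        })
    return rows


def audit_inventory(rows, today):
    """Return {asset_id: [(severity, finding), ...]}; an empty list means clean."""
    findings = {}
    for dev in rows:
        issues = []
        portable = dev["type"] in MOBILE_TYPES or dev["leaves_office"]
        if not dev["encrypted"]:
            # Unencrypted devices that leave the building are the OCR's top breach cause.
            if portable:
                issues.append(("HIGH", "unencrypted portable device"))
            else:
                issues.append(("MEDIUM", "unencrypted device (stays in office)"))
        if not dev["owner"]:
            # Nobody is accountable for a device with no owner on record.
            issues.append(("MEDIUM", "no assigned owner"))
        if today - dev["last_seen"] > STALE_AFTER:
            issues.append(("LOW", "not checked in for over %d days" % STALE_AFTER.days))
        findings[dev["asset_id"]] = issues
    return findings


def summarize(findings):
    """Return (number of devices with findings, count of findings by severity)."""
    flagged = sum(1 for issues in findings.values() if issues)
    by_severity = {}
    for issues in findings.values():
        for severity, _ in issues:
            by_severity[severity] = by_severity.get(severity, 0) + 1
    return flagged, by_severity


if __name__ == "__main__":
    report = audit_inventory(parse_inventory(SAMPLE_INVENTORY), AS_OF)
    for asset_id, issues in report.items():
        status = "; ".join("%s: %s" % pair for pair in issues) if issues else "OK"
        print("%s -> %s" % (asset_id, status))
    flagged, by_severity = summarize(report)
    print("devices flagged: %d, findings by severity: %s" % (flagged, by_severity))
```

The HIGH findings are the ones to act on first; they are exactly the unencrypted laptops and drives that, in the incidents described on this page, turned a stolen device into a reportable breach.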
A 2011 Ponemon Institute report estimated full disk encryption to average $232 per user, per year.
Keeping EPHI secure is not only a matter of professional responsibility but a matter of cost, reputation, and integrity to the patient-provider relationship.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Important Reasons To Keep Patient Information Secure

Some organizations are unaware they have a breach of information until the FBI initiates the incident report. It is not only hospitals that are responsible; responsibility can extend as far as a medical application developer or a third-party vendor. It is highly recommended that healthcare organizations verify vendors’ security and make it part of their contract. HIPAA breaches can result in federal, state and/or regional fines.

For example, Health Net, the Woodland Hills, Calif.-based health insurance company, learned that its business associate IBM had lost nine unencrypted server drives in January 2011. These drives contained names, Social Security numbers, addresses and health information of Health Net employees, members and providers. The company did not receive federal fines, but two state attorneys general offices filed suit against the firm.
As a result, Health Net had to pay $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. Additionally, they settled with Vermont’s attorney general for $55,000.
As of the 2012 statistics, if your data was breached you had a 1 in 4 chance of becoming a victim of fraud.
Breach Due to a Weak Default Password on a Server
The report examined a HIPAA oversight by a contracted Utah Department of Health employee that affected 780,000 people. The server had a weak default password, and because the department’s IT assets were not managed appropriately, hackers exploited the weakness and took Social Security numbers, medical diagnostic codes and dates of birth. Javelin Research estimated that some 122,000 cases of fraud would occur, with a total cost pegged at a whopping $406 million. This represents approximately 20 hours to resolve each fraud case.

Having a Social Security number stolen puts the person at risk indefinitely.

Trust & Patient Health

“People refuse to see doctors for sensitive conditions because they know the information won’t stay private. I’m talking about cancer, depression, sexually transmitted diseases,” said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. “That’s a tragedy when people who have very treatable, serious medical illnesses won’t get care.”
A 2014 Harvard School of Public Health study assessing the privacy perceptions of U.S. adults pertaining to their health data found more than 12 percent of some 1,500 respondents withheld information from care providers over medical security concerns.
If you need help keeping EPHI (Electronic Patient Health Information) secure please contact us to do a HIPAA Privacy/ Security Risk Assessment & Mitigation Plan at 1-800-376-0212 or contact@ehrpmc.com.

Over $2 million collected from Concentra and QCA Health Plan for breaches of patient information

The Department of Health and Human Services Office for Civil Rights announced on April 22 that it collected nearly $2 million to resolve potential HIPAA violations from Concentra Health Services & QCA Health Plan for failure to secure protected health information on laptops and mobile devices.

Both organizations demonstrated long-time non-compliance with HIPAA, according to OCR, which has now taken this level of action against at least 20 organizations.

In an announcement titled, “Stolen Laptops Lead to Important HIPAA Settlements,” OCR noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.” Susan McAndrew, deputy director of health information privacy, stated: “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

The lack of encryption is the #1 source of patient breaches. If you have questions on how to encrypt your PCs and mobile devices, please contact us at EHR & Practice Management Consultants, Inc., (800) 376-0212 or contact@ehrpmc.com.

Cyber Threats are at Highest Risk in the Healthcare Industry

In April 2014 the FBI Cyber Division issued a warning that medical devices and healthcare systems are at risk of increased cyber attacks because of the financial gain available to hackers.

Because providers face a 2015 deadline to adopt an EHR, many will move onto an EHR to meet it. That means a greater number of medical devices connected to the Internet, and those devices will be at increased risk of cyberattacks aimed at patients’ medical information.

Compared to other industries, the FBI stated, the healthcare industry is not as well prepared to handle these cyber attacks.

As cited by Symantec, last year 37% of breaches were found to be in the healthcare industry, the largest share of any industry.

As I have discussed in my earlier blogs, this not only puts the patient’s identity at risk for fraudulent activity but also creates potential health risks if someone fraudulently uses that identity to receive medical treatment. The impostor’s care can then become misinformation in the true patient’s health history, treatments and medications. Not only could this increase the patient’s premium, but misinformation about the patient’s health could reach other providers, who might then mistreat the patient. This is why it is always important for a patient to periodically check online with their insurance company that the claims submitted are for care they actually received. Additionally, as providers begin to receive information through a health information exchange (HIE) about care a patient received elsewhere, the patient should verify with the provider that this information is correct.

Identity theft not only can cost a person thousands of dollars to have resolved but can also put their health outcomes at risk.

If you are a provider, practice or clinic and would like a full risk assessment and mitigation plan completed for your practice to avoid any security breaches of your patients’ protected health information, please contact us at EHR & Practice Management Consultants, Inc., 1 (800) 376-0212 or contact@ehrpmc.com.