Augusta University Medical Center reported that it had become a victim of phishing for the second time within a 12-month period although fewer than 1 percent of patients were impacted by the second effort. A trio of cybercrime rings took over 26,000 open MongoDB servers and demanded ransom for the owner to retain the data. A successful intrusion of Medical Oncology Hematology Consultants was detected, with 19,203 compromised patient records; however, by that point, the hackers had been inside the system for 20 days.
Kaleida Health announced that it had been victimized by phishing, with 744 patients affected; actually, though, that was adding to a previous tally – with 3,544 total records accessed. Ransomware brought down Pacific Alliance Medical Center; two months later, the firm said that 266,123 patients were impacted.
What do all of these situations and figures have in common? They are all Health Insurance Portability and Accountability Act (HIPAA) violations that took place in 2017. Also, you don’t want to be that organization. Forget the threat to your credibility (perhaps especially the much-dreaded Wall of Shame; the sheer expense is overwhelming. For any data breach, the average drop in revenue experienced by a healthcare firm is $3.7 million
So, with all that said (i.e., since it is more common than anyone would like, and since these cyberattacks are so incredibly costly), it is only reasonable to look over some HIPAA fundamentals and review security best practices for protecting HIPAA compliant data. With the information you collect, you can strategize implementation of the most strongly protected possible system.
Here are a few tips so that your environment can integrate best practices for securing the protected health information (PHI) that is under your watch:
Encryption is critical. Just look at a study published in Perspectives in Health Information Management in 2014. While this research is slightly dated, it is compelling because it is a true big data study that looked at all the breaches of HIPAA-protected files that were currently within the HHS Department’s system. At the time of the report, which used all events through September 22, 2013, 27 million people’s records had been compromised, via successful attacks of 674 covered entities and 153 business associates. Forms of intrusion included hacking, improper disposal, loss, theft, unauthorized access, etc. Breaches occurred in various digital environments both through devices and backends, as well as through hard-copy paper documents.
When you look at the data on types of breaches as pieces of the whole, you see how prominent theft is. Here are the top five types of breach in descending order of volume, with the number of individuals, covered entities, and business associates affected in each case (numbers that have now grown substantially): 1. theft – 12,785,150 people (via 344 CEs and 52 BAs); 2. loss – 7,359,407 people (via 74 CEs and 23 BAs); 3. hacking or IT event – 1,901,111 people (via 59 CEs and 20 BAs); 4. unauthorized access – 1,334,118 people (via 136 CEs and 44 BAs); and, 5. improper disposal – 649,294 people (via 32 CEs and 5 BAs).
The key concern here is that these issues are not just about theft. If it were just about laptops being stolen, that would not be as much of a problem because the criminals would not be able to get anything of them necessarily. All of these cases are ones in which the information on the devices that was stolen was unencrypted. In other words, all you need to do is encrypt that data – and even if it does get stolen, you don’t need to worry about it as a violation.
Assess your risk
Conduct a complete risk assessment of all the elements of your ecosystem that store, process, or transfer ePHI, along with other ways in which your information may be exposed physically. Related to the data center environment (whether it’s internal, third-party or hybrid), you want to ask these questions: Are natural disasters common in the location of the data center? Is there a responsible party associated with all hardware components? Have you assessed the security mechanisms that are now in place and any risks that are present? Have you taken into account all ways in which ePHI is accessed or manipulated within your system? Consider the creation, receipt, maintenance and transfer of this information.
Training is fundamental
It is easy, especially related to electronic protected health information, to become obsessed with the systems and to forget about the huge potential for human error. Your staff must be properly trained, especially since the threat landscape is evolving, with an increasingly sophisticated toolset for accessing the data. A very simple yet devastating mistake that is often made is phishing, when a staff member either clicks on a link or submits data, such as usernames or a Social Security number that, thereby, connects them in to a fraudulent system. It is horrifying but true that something as simple as a fake email could create a point of entry for malware or viruses.
Paubox is a San Francisco-based startup that focuses on making HIPAA-compliant email easy to accomplish for the healthcare industry. Rather than making encryption cumbersome for the user, Paubox makes it easy without adding additional steps. This makes adoption and deployment of Paubox easy for any size organization, from the single doctor private practice to the largest hospital.
Paubox is the easiest way to send and receive secure, HIPAA-compliant email. There are no portals to login to, no software or apps to install, no extra steps for senders or recipients. Users can just write and send email as normal from any device and Paubox will do the rest to deliver encrypted email straight to the recipient’s inbox.
Paubox encrypted email is the easiest to use HIPAA-compliant email solution for the healthcare industry. Using military grade encryption, Paubox focuses on the user first, allowing for seamless inbox-to-inbox email delivery without any extra steps.
Rather than limiting seamless delivery to a closed network, or requiring a button press or to enable secure email, Paubox allows users to just write and send email as normal from any device. Recipients will get encrypted email straight to their inbox without needing to login to portals or download and open an app.
Because of its ease of use, Paubox can deploy within hours for any size organization.
Customers can host their email with Paubox, or keep their existing email address. Paubox integrates with all major commercial email platforms like Outlook, Office 365 and Google Apps.
In addition, Paubox encrypted email includes inbound encryption and protection against ransomware, malware, virus, SPAM and phishing attacks. This extra security is especially important since many data breaches occur from malicious inbound email.
Paubox also offers an Encrypted Email API that allows organizations and developers to integrate seamless email encryption with their apps, patient portals and EHR management software.
Like all great companies, Paubox was founded to solve the needs of its customers.
Founder and CEO Hoala Greevy has moe than 18 years of experience in email security. After beginning his career at Critical Path, he founded Hawaii’s first email security company in 2003 called Pau Spam, which has since filtered more than one billion messages.
In 2014, when speaking to one of his Pau Spam customers, Make-A-Wish Foundation of Hawaii, Greevy discovered a need for easy to use encryption solutions that could meet industry regulations. There was no solution in the marketplace that was affordable, secure, and easy to use. From those initial discussions, Greevy founded Paubox and continues to develop features and products to fit the market’s needs.
Paubox offers its solutions both direct and through a network of trusted IT partners. Pricing is annual with discounts available for larger customers. In addition to encrypted email, Paubox also offers complimentary products that customers can select, including encrypted online forms, online storage and encrypted email API.
Imagine being a software developer at a company where your job description involves building HIPAA-compliant apps and services. As you onboard with your new company, you receive some formal basic training and learn about the privacy, security and breach notification rules, and after some additional training on various topics about your job, you enter your department and get acquainted with your work environment. This is the point where you find out what you’re really getting yourself into.
There is a direct correlation between the maturity level of applications developed in your organization and the quality of your work life. For example, if you walk into a developer role for a healthcare provider, you’re likely walking into a large and well-established IT group with many old and new technology platforms deployed, where you’ll take your place with a department that’s existed for several years and does fairly predictable work on prebuilt systems. But let’s say you’re working at the more cutting edge of healthcare technology, at a startup straddling innovation with compliance. In that case, understanding HIPAA compliance can feel incredibly daunting, especially as you may essentially be learning as you go with little guidance.
The good news is that it’s never been a better time to work on HIPAA-compliant healthcare apps. Advances in identity and access management (IAM) and consent frameworks make it easier for apps to authenticate, authorize and audit users, logging who is performing what within your application; advances in machine learning make it easier to parse these log streams, detecting threats and anomalies to application use, among other countless benefits. Further advances in application architecture, cloud and API technologies, database and container platforms (not to mention containerized database platforms), and development methodologies over the past decade have dramatically changed the way companies build applications and deploy platforms, culminating in what is known as the “twelve-factor application.”
In the present age, finding a professional and reliable medical billing professional is very hard. Every physician knows the importance of an expert medical biller for the management of cash flow. It would not be wrong to call online medical billing and coding the bloodline of the medical facility.
In this age of technology, hiring a medical biller is not appropriate when you can use the software to get the work done quickly. You have to make sure that you select the best medical billing practice management system that will work for you for decades. All you have to do is enter your practice and the method you use for testing and it would be easy for you to manage everything.
Recently it has been found that most of the physicians have just started their practice and they do not find it important to get the healthcare consulting services. What they do is simply divide the tasks among their employees. As a result, they might save some money but most of the time it is hard to manage data.
Medical billing is not an easy task because there are many particulars that you have to take care of. A mistake in a single figure will disturb the entire calculations and you will have to suffer. Apart from that, you will waste your time and money.
So it is better that you get the online medical billing and coding tools. Here are some of the things that you must consider before selecting the management system.
1. Timely filing
When you are dealing with the insurance companies, you will get only a few days to file the claims. In case you have missed the deadline, you will not be able to appeal a denial.
When the insurance companies miss the services, it gets even worse because the claims are often sent on time. It means you will have to deal with a denial. Such kinds of issues occur when the services are sent in a batch. The insurance company sent you five services and it skipped the second one accidentally and now the company will not pay for it.
With the help of online medical billing and coding system, you can have the detailed records of the time and date when services were sent. They will help you to prove the mistakes and so your denial will be appealed. It would be easy for you to get the payments on time. Most of the workflow analysis in healthcare use the clearinghouse system for the accuracy of the results. It makes the results more effective. The best feature of the billing system is that they provide guaranteed results and you will not have to deal with the errors in the billing or filing.
2. Follow up on denied claims with online medical billing and coding
The insurance companies use different methods for denying the claims and they will easily give you a solid reason for it.
The issues comes when your employees to do not pay attention towards the follow ups
All they do is submit the appeal and get another denial and show you they have done the job
With the help of the online system, you can even appeal four times and it will let them know that they have to pay the claim.
With the help of online medical billing and coding, 90 percent of your claims will be paid.
3. Improve your communication with providers
When you have to log and compile the medical bill you have to make sure that the billing system and provider company are in-step. The healthcare revenue cycle management system has given a specific code to every patient. With the help of billing tools, you will be capable of expediting this category. However, you have to ensure that you maintain and check the system regularly.
With the help of electronic billing system you will get the following benefits:
Information sharing policy
Top-notch security for data and system
You will never have to deal with virus or data hacks. It will help you to keep your contracts up-to-date with your insurance and provider company. It will manage everything from the requirements of HIPAA to billing compliance.
Why should physicians and providers care about the possibility of a ransomware attack? There are several reasons. First, it is disruptive both to patient care and to the revenue cycle. Second, it is costly in terms of time, IT capital, and if the attacker is paid, money. Finally, the time it takes to correct the attack, implement paper charting and communication, and subsequently revise the electronic medical record system can be arduous.
To understand the necessary precautionary measures and what to do in the event of an attack, it is first necessary to identify what ransomware is and how it works. A common definition of ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” A ransomware attack may target a business or an individual. The two categories of attacks are Denial of Service (“DoS”) and Distributed Denial of Service (“DDoS”). A DoS attack affects a single computer and a single internet connection, while a DDoS attack involves multiple computers and connections. According to PC World, three types of ransomware programs top the list – CTB-Locker, Locky and TeslaCrypt.
A common question that arises is whether or not to pay the ransom in order to have the data returned. The FBI advises not paying the ransom, advice that has been echoed by statistics.
“Kaspersky’s research revealed that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over the past 12 months. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Overall, 67 percent of companies affected by ransomware lost part or all of their corporate data and one in four victims spent several weeks trying to restore access”
This leads us to the best ways to defend against an attack, as well as steps that should be taken if an attack occurs.
Proactive steps include: educating employees about social engineering, phishing and spear phishing, continuously making sure that software updates are installed, creating a layered approach to security defenses, limiting access to the network, making sure that policies and procedures are comprehensive and updated, and ensuring that data is backed up daily.
According to FBI Cyber Division Assistant Director, James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.” Hence, recognizing the avenues that cybercriminals use to gain access and taking appropriate administrative, physical, and technical precautions can reduce the risk of an attack.
Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.
Now that electronic health records have become the norm, healthcare providers — as well as healthcare systems and insurers — have access to unprecedented amounts of patient data. As a result, the practice of data mining, or analyzing data sets to identify trends and patterns, has become commonplace in healthcare, with the ultimate intent of improving patient care, improving efficiencies in the delivery of care, and reducing costs. Simply put, data mining has the potential to save lives and save money, but that doesn’t mean that it isn’t without risk.
As you might expect, using patient data for any purpose beyond providing care for the individual patient brings with it some tricky issues regarding privacy, and keeping the information from falling into the wrong hands. There are significant legal issues related to the use of patient data in data mining efforts, specifically related to the de-identification, aggregation, and storage of the data. Failing to take the appropriate steps when using personal health data as a tool for population health could lead to serious consequences, including a violation of HIPAA.
The question, then, is how to protect patient privacy while still gaining the insights that data mining can provide.
Protecting Patient Privacy for Data Mining
One of the major security concerns related to data mining is the fact that many patients don’t even realize that their information is being used in this way. Considering the way in which mined information can be used, this is of concern to many privacy advocates.
For example, in one noted example, Carolinas HealthCare, which runs more than 900 care facilities in the southern U.S., has purchased consumer data on more than two million people, which they use in algorithms to determine the risk for illness. The data includes purchase information collected from credit cards and consumer loyalty programs, as well as public records, to determine which people are at the most risk of getting sick. Providers can potentially use this information to remind patients to visit the gym more often, or encourage them to stop eating so much fast food. Other hospitals have used general demographic information about home and vehicle ownership or family makeup, to gain insight into a patient’s health and well-being, as well as identify potential barriers to care. However, what sets this type of data mining apart from healthcare data mining is that it’s data collected via other sources, and therefore not covered by HIPAA rules.
Still, many patients who have been contacted as a result of this type of data mining have noted that the practice feels intrusive. Even more intrusive is the potential for their personal health data to be used in this way, especially without their permission. Under HIPAA rules, data mining is a secondary, future use of health data, and thus requires the explicit permission of the patient before being used.
By the very definition, data mining is the process of looking for previously unknown patterns in data, so there is no way of knowing from the beginning what data is useful, or what relationships will be uncovered, meaning that there is potential for identifying information to be used or revealed. This highlights an important consideration when it comes to collecting and using personal information for data mining: Permission from the individual. Privacy advocates recommend offering patients the option to opt-in, opt out of specific uses, or opt-out entirely.
As developers of electronic health record (EHR) software, my company gets into a lot of conversations with providers about their expectations for the future. This information helps us make decisions about what to build next. Here are three trends we’re hearing from our customers right now:
Low-tech beats high-tech in telemedicine
Unlike the way it was imagined decades ago by science fiction writers, telemedicine does not necessarily mean holographic images or live video conferencing with a physician half a continent away. Patients would rather receive “low tech” remote care from their primary care physician who has a full picture of their health status.
This form of telemedicine happens whenever an EHR system adds to a patient’s clinical chart the messages, pictures, or videos sent securely via smartphone. It happens whenever a smartphone connects to a remote health monitoring device for collection of real-time data such as blood pressure, oxygen levels, and heart rate.
The new rules allowing reimbursement of telemedicine and other non-face-to-face services will encourage physicians to bill for these remote care activities. Medicare’s recently expanded set of billing codes for Chronic Care Management (CCM) is a good example of how the future of value-based care goes beyond the office visit to keep patients out of hospitals and emergency rooms. The ability to securely and rapidly receive and answer a patient’s questions via text, and then capture those activities in the patient’s permanent clinical record is a critical step in that direction.
Primary care providers are trying new types of practices
Primary care physicians are frustrated with the hassle and expense of dealing with insurance companies. The new Medicare fee-for-value quality payment program is creating uncertainty about future reimbursement levels and requires additional reporting. Also, there is an acute level of burnout with “corporate medicine,” which has providers booked for dozens of daily appointments, only to spend less than 15 minutes with each patient.
In order to remain independent, a small but growing group of primary care practitioners are becoming more financially creative and experimenting with new models of practice. One example is direct care, in which a financial relationship is established directly between patient and provider, cutting out insurance altogether. This model includes concierge and direct primary care (DPC), where patients become “members” of a practice and pay a fixed monthly fee for unlimited primary care – similar to a gym membership, but for healthcare. Another example of direct care is the cash-only practice that sees walk-in patients for urgent care.
EHR interoperability will catch FHIR
Physicians and their patients are frustrated with the lack of interoperability in health IT. The concept of having a patient’s medical records accessible to any authorized provider at any time is still a rare occurrence. When a patient switches primary care physicians, the first office typically prints out and faxes their medical records to the second office, which introduces the possibility of errors, HIPAA violations, and others.
Healthcare is experiencing major breakthroughs in technology with the rise in digital transformation. mHealth – a terminology that combines mobile technology with healthcare is proliferating and bringing up an opportunity to revamp public health.
Mobile technology is playing a vital role in delivering healthcare seamlessly, with ease of access to both providers as well as consumers.
The magnitude and scope of development of mHealth is beyond explanation. As per GreatCall, mHealth is projected to be a $26 billion industry by the end of 2017. Surely, 10 years from now healthcare mobile devices will become smarter than they already are.
This technology has a potential to reduce the risk of errors and save the time and money that is often wasted. As more and more care providers are shifting to mobile health technologies, consumers have a plethora of options to choose from. Its adoption rate is at an all-time high since it has a variety of utilities to offer.
Development of point of care medical devices, fitness and wellness smartphone apps, clinical medication apps, medical resources, journals and patient records is on the surge. Mobile technology is helping increase patient engagement and connected care. Almost, 83 percent physicians believe in the power of mHealth for patients.
There is a whole new world of possibilities and challenges that mobile has opened for healthcare along with its growing development and support. For instance, end point app security, data breaches and HIPAA violations have sharply increased and there is a need to regulate them. Despite these, mHealth proves to be the most promising industry trend for caregivers and consumers alike.
To understand the general consumer response, usage trends security concerns governing mHealth, Kays Harbor has come up with an infographic. This infographic depicts interesting facts and numbers reported by surveys conducted by firms like SkyCure, Research2Guidance, Great Call, etc.
Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.