Tag: HIPAA

4 Rules When Accepting Credit Card Payments to Ensure HIPAA Compliance

Rich McIver

Guest post by Rich McIver, founder, MerchantNegotiators.com.

In January of this year, Anthem, Inc., a managed care company, learned of a cyber attack on its IT systems. The attack, which began in December 2014 and ran undetected for several weeks, compromised the identities of nearly 80 million current and former customers. A breach of this size, in which the health information of millions was exposed, is a reportable HIPAA breach and exposes the company to potentially devastating legal liability.

Unfortunately, breaches of this kind against healthcare organizations are becoming ever more common. In May of this year the Ponemon Institute, together with ID Experts, published its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which calculates a 125 percent increase in criminal attacks on healthcare organizations over the past five years. Although employee negligence and lost or stolen devices still account for many breaches, a shift is occurring from accidental loss toward deliberate targeting of data that reveals individuals’ names, Social Security numbers, and other personal information.

Healthcare providers are targeted because the records they keep in order to treat patients bundle together, in one place, nearly everything an identity thief needs: names, dates of birth, Social Security numbers and addresses. A single provider’s database can therefore fuel identity theft at scale. Moreover, cyber criminals recognize that many healthcare organizations, insurers included, lack the resources or technology to prevent attacks, or even to detect them once they are under way.

Anthem is a large corporation that can afford, and does deploy, the technology needed to protect HIPAA-sensitive data, and yet the breach still occurred. What can smaller healthcare businesses do to prevent or detect a cyber attack on HIPAA-sensitive data?

Meeting Standards, Avoiding Fines
The growing use of electronic health records and electronic protected health information (ePHI) drives the need to protect what those records contain. But while the records themselves are often well secured, credit card processing is a frequently overlooked point of exposure. The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to safeguard cardholder data, and the HIPAA Security Rule requires covered entities to maintain reasonable and appropriate safeguards for ePHI; because HIPAA counts payment for care as health information, a payment record that ties a named patient to a date of service can fall under both. How these requirements translate into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments so that you meet the compliance guidelines that HIPAA and PCI DSS mandate or recommend:

Continue Reading

Interoperability Demands a Single National Patient Identifier

Mark Summers

Guest post by Mark Summers, healthcare expert, PA Consulting Group.

At HIMSS this year, multiple speakers laid out visions for a future where parents could consult with a pediatrician via a telemedicine encounter in the middle of the night, take their children to receive immunization shots at a retail clinic, and have all of this information aggregated in their primary care provider’s record, so that producing an up-to-date immunization record at the start of the next school year is as simple as logging into the PCP’s patient portal and printing it out. In short, multiple speakers presented visions of a truly interoperable future where patient information is exchanged seamlessly between providers, healthcare applications on smartphones, and insurers.

While initiatives such as the CommonWell Health Alliance, Epic’s Care Everywhere, and regional health information exchanges attempt to address the interoperability challenge, they fall short of fully supporting the future vision described above. Today’s solutions do not address smartphone applications, and they still require manual intervention to confirm that suggested record matches truly belong to the same patient before the records are linked. This process is costly but manageable where a low volume of patient records is matched between large provider organizations. In a future world where patient data is available from a multitude of websites, smartphone applications and traditional healthcare organizations, it would be cost prohibitive to manually review and verify every potential record match.

Of course, one solution to this dilemma would be to improve patient matching algorithms and no longer require manual review of records before they are linked. However, for this to be possible, a standard set of data attributes would need to be captured by any application that would use or generate patient data. In a 2014 industry report to the Office of the National Coordinator for Health Information Technology, first name, last name, middle name, suffix, date of birth, current address, historical address, current phone number, historical phone number, and gender were identified as data attributes that should be standardized. Many of the suggestions in this report were incorporated into the Shared Nationwide Interoperability Roadmap that the ONC released in January 2015.
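The matching approach described above, as an added example that is not code from the original post or from PA Consulting: each of the attributes the 2014 report lists is normalised and compared, current and historical addresses and phone numbers on either side are allowed to line up, and the weighted score sorts a candidate pair into an automatic link, a manual-review queue, or a non-match. The weights, thresholds, normalisation rules and the five records are constructed assumptions for illustration; a production system would calibrate them on labelled pairs.

```python
import re
from typing import Dict, Optional

# Weights and thresholds are assumptions chosen for illustration, not values
# taken from the ONC report; a real system would calibrate them on labelled pairs.
WEIGHTS = {"last_name": 3.0, "first_name": 2.0, "middle_name": 1.0, "suffix": 0.5,
           "dob": 4.0, "gender": 1.0, "address": 2.0, "phone": 2.0}
MATCH_THRESHOLD = 12.0   # link automatically
REVIEW_THRESHOLD = 7.0   # queue for manual review; below this, treat as different people

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd", "apartment": "apt"}


def norm_name(value: Optional[str]) -> str:
    """Lower-case and drop everything but letters, so 'Garcia-Lopez' equals 'GARCIA LOPEZ'."""
    return re.sub(r"[^a-z]", "", (value or "").lower())


def norm_phone(value: Optional[str]) -> str:
    """Keep digits only and compare the last ten, so country codes and punctuation do not matter."""
    return re.sub(r"\D", "", value or "")[-10:]


def norm_address(value: Optional[str]) -> str:
    """Lower-case, strip punctuation and collapse common street-type words to their abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)


def names_agree(a: Optional[str], b: Optional[str]) -> Optional[bool]:
    """True/False when both sides have a value, None when either is missing. An initial matches a full name."""
    a, b = norm_name(a), norm_name(b)
    if not a or not b:
        return None
    if len(a) == 1 or len(b) == 1:
        return a[0] == b[0]
    return a == b


def history(rec: Dict, current: str, past: str, norm) -> set:
    """Current plus historical values of an attribute, normalised."""
    return {norm(v) for v in [rec.get(current), *rec.get(past, [])] if v}


def overlap(a: set, b: set) -> Optional[bool]:
    if not a or not b:
        return None
    return bool(a & b)


def compare(a: Dict, b: Dict) -> Dict[str, Optional[bool]]:
    """Per-attribute agreement over the attributes the ONC report lists."""
    out = {f: names_agree(a.get(f), b.get(f)) for f in ("first_name", "last_name", "middle_name", "suffix")}
    out["dob"] = (a["dob"] == b["dob"]) if a.get("dob") and b.get("dob") else None
    out["gender"] = (a["gender"].upper() == b["gender"].upper()) if a.get("gender") and b.get("gender") else None
    out["address"] = overlap(history(a, "address", "past_addresses", norm_address),
                             history(b, "address", "past_addresses", norm_address))
    out["phone"] = overlap(history(a, "phone", "past_phones", norm_phone),
                           history(b, "phone", "past_phones", norm_phone))
    return out


def score(a: Dict, b: Dict) -> float:
    total = 0.0
    for field, agree in compare(a, b).items():
        if agree is True:
            total += WEIGHTS[field]
        elif agree is False and field == "dob":
            total -= WEIGHTS[field]   # a conflicting birth date is strong evidence against a link
    return total


def classify(a: Dict, b: Dict):
    """Return (score, decision) where decision is 'match', 'review' or 'no-match'."""
    s = score(a, b)
    if s >= MATCH_THRESHOLD:
        return s, "match"
    if s >= REVIEW_THRESHOLD:
        return s, "review"
    return s, "no-match"


# Constructed records (not real people). A and B are the same person seen by a
# PCP and, after a move, by a retail clinic; C is a sparse telemedicine record;
# D is a twin at the same address; E is unrelated.
RECORD_A = {"first_name": "Maria", "last_name": "Garcia-Lopez", "middle_name": "Elena", "dob": "1985-03-14",
            "gender": "F", "address": "123 Main Street, Apt 4B", "phone": "(555) 010-2222"}
RECORD_B = {"first_name": "MARIA", "last_name": "GARCIA LOPEZ", "middle_name": "E.", "dob": "1985-03-14",
            "gender": "f", "address": "789 Oak Ave", "past_addresses": ["123 Main St Apt 4B"],
            "phone": "555-010-3333", "past_phones": ["+1 555 010 2222"]}
RECORD_C = {"first_name": "Maria", "last_name": "Garcia", "dob": "1985-03-14", "gender": "F"}
RECORD_D = {"first_name": "Mario", "last_name": "Garcia-Lopez", "dob": "1985-03-14", "gender": "M",
            "address": "123 Main Street, Apt 4B", "phone": "(555) 010-2222"}
RECORD_E = {"first_name": "John", "last_name": "Smith", "dob": "1970-01-01", "gender": "M"}

if __name__ == "__main__":
    for name, rec in (("B", RECORD_B), ("C", RECORD_C), ("D", RECORD_D), ("E", RECORD_E)):
        print(name, classify(RECORD_A, rec))
```

Record B links automatically because the historical address and phone carry the match across the move; the sparse telemedicine record C and the twin D both land in the review queue, which is exactly the manual step the text says becomes unaffordable at scale unless every source captures the full attribute set.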

Continue Reading

Three Steps Healthcare Organizations Can Take For a More Secure Network

Todd Weller

Guest post by Todd Weller, vice president of product development, Hexis Cyber Solutions

According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As patient medical records transition to a digital sharing model, the potential cost of a data breach is now substantially higher than in less regulated sectors such as retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as Social Security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.

The costs associated with “damage control” for many healthcare providers are steep: the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009 rose from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.

Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach as neither side is able to understand the full spectrum of the threat without the others’ data.

The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate in isolation, but correlated against other activity they can indicate that something malicious is under way. A workstation that has always accessed clinical data or other patient information does not raise suspicion on its own. But a subtle, steady increase in its outbound traffic, say of five or ten percent, correlated with communication to an unauthorized or previously unseen IP address, is a strong indicator of a breach. The same pattern applies to an external threat in which an attacker uses social engineering to entice an unwitting user into downloading malware: once inside the network, the malware produces the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate, handle it and move on to the next task. But without visibility into that data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
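The correlation the paragraph describes, as an added example that is not code from the original post or from Hexis Cyber Solutions: a per-workstation baseline of daily egress volume and known destinations is built from one week of flow summaries, and the following week is flagged only when a steady rise of at least five percent coincides with traffic to an address absent from the baseline. The flow records, the two windows, the host names, the addresses and the five percent threshold are constructed assumptions; any NetFlow, proxy or firewall log with per-host byte counts would feed the same logic.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    day: int
    host: str
    dst_ip: str
    bytes_out: int


BASELINE_DAYS = range(1, 8)    # days 1-7 establish what "normal" looks like (assumed window)
REVIEW_DAYS = range(8, 13)     # days 8-12 are examined against that baseline (assumed window)


def _constructed_flows() -> List[Flow]:
    """Daily flow summaries made up for this example; not real traffic."""
    flows = []
    for host in ("ws-A", "ws-B", "ws-C"):
        for d in BASELINE_DAYS:   # every workstation normally talks to two internal servers
            flows.append(Flow(d, host, "10.0.5.20", 1_000_000))
            flows.append(Flow(d, host, "10.0.5.21", 200_000))
    for i, d in enumerate(REVIEW_DAYS, start=1):
        # ws-A: normal traffic plus a slowly growing trickle to an address never seen before
        flows.append(Flow(d, "ws-A", "10.0.5.20", 1_000_000))
        flows.append(Flow(d, "ws-A", "10.0.5.21", 200_000))
        flows.append(Flow(d, "ws-A", "198.51.100.7", 20_000 * i))
        # ws-B: the same growth, but all of it to a known server (a busier clinic week)
        flows.append(Flow(d, "ws-B", "10.0.5.20", 1_000_000 + 20_000 * i))
        flows.append(Flow(d, "ws-B", "10.0.5.21", 200_000))
        # ws-C: flat volume throughout
        flows.append(Flow(d, "ws-C", "10.0.5.20", 1_000_000))
        flows.append(Flow(d, "ws-C", "10.0.5.21", 200_000))
    flows.append(Flow(9, "ws-C", "203.0.113.9", 5_000))   # ws-C: one small contact with a new address
    return flows


SAMPLE_FLOWS = _constructed_flows()


def daily_bytes(flows: List[Flow], host: str) -> Dict[int, int]:
    """Total bytes sent by one host on each day."""
    per_day: Dict[int, int] = defaultdict(int)
    for f in flows:
        if f.host == host:
            per_day[f.day] += f.bytes_out
    return per_day


def destinations(flows: List[Flow], host: str, days) -> set:
    """Set of destination addresses one host contacted during the given days."""
    return {f.dst_ip for f in flows if f.host == host and f.day in days}


def analyze(flows: List[Flow], host: str, min_growth: float = 0.05) -> Dict:
    """Flag a host only when a steady rise in egress coincides with a destination not in its baseline."""
    per_day = daily_bytes(flows, host)
    baseline_mean = sum(per_day[d] for d in BASELINE_DAYS) / len(BASELINE_DAYS)
    review = [per_day.get(d, 0) for d in REVIEW_DAYS]
    steady = all(later >= earlier for earlier, later in zip(review, review[1:]))
    growth = review[-1] / baseline_mean - 1
    new_dests = sorted(destinations(flows, host, REVIEW_DAYS) - destinations(flows, host, BASELINE_DAYS))
    steady_increase = steady and growth >= min_growth
    return {
        "host": host,
        "growth": growth,
        "steady_increase": steady_increase,
        "new_destinations": new_dests,
        "alert": steady_increase and bool(new_dests),
    }


def run_detection(flows: List[Flow]) -> List[Dict]:
    return [analyze(flows, host) for host in sorted({f.host for f in flows})]


if __name__ == "__main__":
    for result in run_detection(SAMPLE_FLOWS):
        print(result)
```

Only ws-A raises an alert: ws-B shows the same eight percent growth but to a known server, and ws-C contacts a new address without any change in volume. Either signal alone would be noise; together they are the pattern the text describes, and the result is the kind of record that both the IT security and the compliance teams need to see.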

Continue Reading

Data Breaches Are Now a Cottage Industry In Healthcare

What follows is a concise infographic developed by Clearwater Compliance, an organization that helps health systems protect patient safety and quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI). It gives a good overview of the current state of healthcare breaches.

Clearwater Compliance states that according to Breach Level Index, there were 336 healthcare data breaches reported in the U.S. last year; “the Office for Civil Rights portal on the HHS website cited 165 breaches affecting 500 or more individuals in 2014.”

Interestingly, the organization points out that non-digital breaches remain an issue. “Paper data breaches accounted for 9 percent of compromised records in the first half of 2014 – and a surprising 31 percent in the second half. In total, nearly 200,000 paper records were compromised last year, along with nearly 60,000 pieces of individually identifiable health information ranging from lab specimens to radiology film,” wrote the Clearwater Compliance team.

Additionally, insider mistakes and malice can be costly. In breaches examined, there were 45 incidents involving insider actions that resulted in the compromise of more than 478,000 records. “That means that about half of all the incidents we studied involved either mistakes or malice by an organization’s own employees and business associates.”

Clearwater Compliance makes the case that, despite an organization’s best efforts, “it’s almost impossible to eliminate all workforce-related data breaches. But organizations can take steps to foster an atmosphere of compliance and prevention.”

Lindy Benton

Lindy Benton, CEO of MEA|NEA, recently wrote in a piece for MultiBriefs: “According to the Wall Street Journal, Forrester Research recently conducted a survey of more than 2,100 healthcare IT pros and found that only about 60 percent of them said they encrypt devices like laptops, smartphones or tablets. Also according to the research, 39 percent of healthcare security incidents since 2005 have included a lost or stolen device.

“For some additional perspective, since federal reporting requirements started, the U.S. Department of Health and Human Services has tracked major breaches (those affecting 500 people or more) and has identified more than 945 incidents affecting patients’ personal information, affecting more than 30 million people.

“A majority of these breaches are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access of accounts (1.9 million people), according to The Washington Post. And these numbers do not even include the Community Health Systems numbers.

Continue Reading

Survey Reveals Shortfalls in Healthcare Security and Compliance Policy and Major Mobile Vulnerabilities

DataMotion, an email encryption and health information service provider (HISP), offers the results of its third annual survey on corporate email and file transfer habits, revealing significant security risks. While companies in all industries increasingly have put security and compliance policies in place – nearly 90 percent of all respondents affirming that in 2014 (compared to 81 percent in 2013) – the growth is largely from healthcare entities.

More than 97 percent from the industry report their organizations as having policies in place, compared to 90.4 percent in 2013. However, challenges remain for healthcare when it comes to implementing these, ranging from low employee comprehension to policy violations. Additionally, a lack of encryption, risks in mobile device usage and low awareness of Direct Secure Messaging (Direct) pose serious issues for the highly regulated industry.

DataMotion polled more than 780 IT and business decision-makers across the U.S. and Canada. In particular, the survey focused on individuals who routinely work with sensitive data and compliance regulations in a variety of industries including healthcare, financial services, education and government.

More than 300 respondents were from healthcare. Key insights/comparisons on the industry include:

Healthcare Security and Compliance Policy: Gains Undermined by Implementation Failure

Continue Reading

Health IT Thought Leader Highlight: Morgan Reed, Executive Director, ACT | The App Association

Representing more than 5,000 app companies and information technology firms, ACT | The App Association is widely recognized as the foremost authority on the intersection of government and the app economy. In addition to drafting best practices, guidelines, and FAQs to help inform app companies about new legal obligations, ACT | The App Association hosts conferences, bootcamps and workshops to provide developers the resources they need to ensure compliance.

As the only organization focused on the needs of small business entrepreneurs from around the world, ACT | The App Association advocates for an environment that inspires and rewards innovation while providing resources to help its members leverage their intellectual assets to raise capital, create jobs, and continue innovating.

Here, Morgan Reed, executive director of the organization, discusses its goals, the app economy, how ACT | The App Association works across mobile health, innovations in the space and what’s likely to come in the year ahead.

What are the biggest barriers to entry for new health IT companies? 

Morgan Reed

We have a “cascading” problem in the mobile health space right now. Regulatory guidance hasn’t kept pace with the rate of innovation, which has led to care providers being worried they will be exposed to liability, or will be providing services that aren’t covered by health plans.

It’s this fear and uncertainty that keeps hospital systems, independent practices, and individuals from adopting new technology, leaving care providers and patients to suffer as we wait for all the pieces to catch up.

What is ACT | The App Association doing to address issues facing mobile health companies? 

ACT | The App Association is spearheading an effort to bring updates to outdated health privacy laws with a group we recently launched called the Connected Health Initiative. This coalition of leading mobile health companies and key stakeholders urges Congress, the Food and Drug Administration (FDA), and the Department of Health and Human Services (HHS) to adopt policies that encourage mobile health innovation.

How is ACT | The App Association working with Congress and the Department of Health and Human Services to bring clarity to the outdated regulatory environment facing mobile health companies?

Most recently, ACT | The App Association and a number of our member companies, all of which are part of the newly formed Connected Health Initiative, called on Congress to bring much needed updates to the Health Insurance Portability and Accountability Act (HIPAA). We outlined changes needed from the Department of Health and Human Services (HHS) to ensure HIPAA fits better in today’s mobile world.

Specifically:

Make existing regulation more accessible for tech companies. Information on HIPAA is still mired in a Washington, D.C. mindset that revolves around reading the Federal Register, or hiring expert consultants to ‘explain’ what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Additionally, there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers – not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.

Proposed solution: HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

Continue Reading

HIMSS15 Trade Show Vendor Highlight: etherFAX

In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or that will have a presence of some kind at the show – key executives in attendance or presenting, for example.

Even as HIMSS Media has said that its employees will be making more of an effort this year to cover the trade show floor and its vendors and events, hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.

Elevator Pitch

Founded in 2009, etherFAX offers a solution that extends existing fax server solutions to the cloud. By eliminating the need for costly network fax systems, such as fax boards and recurring telephony fees, etherFAX leverages the Internet to manage all business-critical fax communications for healthcare organizations.

About Statement

etherFAX was established in 2009 and leverages talent with 30-plus years of experience designing and developing fax technology solutions. By eliminating the need for costly components such as fax boards, media gateways, and telephony infrastructure, etherFAX’s namesake technology, network and datacenter solutions leverage the Internet to manage business-critical fax communications.

As a hybrid fax solution, etherFAX eliminates the complexities and costs of provisioning SIP, T.38, PRI, T1, and other analog connections. By simply connecting on-premises fax server resources to etherFAX, all fax communications are securely delivered via the cloud. Say goodbye to expensive fax hardware, complex fault-tolerant designs, and costly disaster recovery solutions. etherFAX is the fax board in the cloud, capable of processing billions of faxes.

Market Opportunity

etherFAX serves the healthcare market by securely transmitting electronic health records (EHRs), electronic medical records (EMRs), health information exchange (HIE) data and unstructured patient data. etherFAX enables healthcare organizations and medical groups, insurance companies and billing operators to securely transport data and ensure compliance with government-mandated regulations such as the Health Insurance Portability and Accountability Act (HIPAA).

Fully integrating with existing fax servers and applications such as EMR solutions and healthcare management systems, etherFAX leverages the Internet to manage all healthcare-critical fax communications without capacity constraints.

Services and Products Offered

HIMSS15 Focus:

- etherFAX – Extending existing fax server solutions to the cloud, etherFAX eliminates the need for costly network fax systems, such as fax boards and recurring telephony fees. etherFAX leverages the Internet to manage all your business-critical fax communications.

- etherFAX SEN – Gives healthcare and enterprise organizations the capability to create their own private fax network to ensure secure data and document transmissions. Offering a simple and unique approach to document delivery, etherFAX SEN offers speed, performance and reliability without compromising security.

- etherFAX A2E – The etherFAX A2E device, manufactured by MultiTech, is a plug-and-play device that enables organizations to extend their existing fax machines to the cloud.

Additional Services:

etherFAX DR – Provides immediate failover for all business-critical fax communications, ensuring uptime when existing telephony equipment fails, such as fax boards, PRI lines, servers and applications.

etherFAX Toolkit – Integrating fax capabilities within applications has never been easier with the etherFAX API. The solution provides the capability to fax-enable custom developed applications in addition to enterprise resource planning (ERP), document management systems, etc.

etherFAX Colocation Services – etherFAX provides highly secure, protected, and climate-controlled colocation services that are capable of supporting the most complex business-critical IT environments.

Continue Reading

Critical Aspects to Achieving Meaningful Use: Patient Admission and Discharge

Chris Strammiello

Chris Strammiello, vice president of marketing and product strategy, Nuance.

Patient admission and discharge processes at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is meeting the dual requirement to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially given their continued reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).

Every time a document or form is copied, scanned, printed, faxed or emailed, whether on an analog fax machine, a digital MFD, a mobile phone or a tablet, a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal guidance now treats digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.

Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

As hospitals are rapidly approaching an FY 2015 deadline for meaningful use, they must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.

Acting under provisions of HITECH, the Department of Health and Human Services Office for Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. Reflecting these rules, the security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.

Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement data loss prevention (DLP) technology and procedures and train workers in them, and establish security incident reporting.

Continue Reading

Secure Messaging: A Top Healthcare Issue In 2015

Dr. Jose Barreau is chairman and CEO of Doc Halo.

Jose Barreau

Health IT advancements have become an important part of the doctor-to-doctor and doctor-to-staff communication channel, and secure text messaging is a key tool that allows physicians to streamline vital tasks. In busy environments like hospitals, efficient, real-time communication between doctors and staff promotes better patient care, increases productivity and reduces expenses. Over time, innovations like secure text messaging have made healthcare workflow much faster and safer.

Why secure texting is an important element for improving doctor communication channels
A streamlined mobile health platform makes it easy for doctors to use many different communication tools, such as secure texting. Secure texting features can allow senders to create separate threads when conversing with another doctor about multiple patients, providing a platform that reduces medication errors and maintains HIPAA compliance at the same time. As an overall strategy, physician-to-physician messages, notes between doctors and nurses, managers or other staff, appointment checks and scheduling, and video or photo consultations with specialists work alongside secure messaging to create an optimal mobile health system.

What’s more, doctors can accomplish more tasks during their time on the floor because they don’t have to lose time searching for phone numbers. Scrambling to find an office or hospital’s number following a traditional page adds complexity and reduces valuable response time.

Secure messaging can also improve referrals between doctors by leveraging the organization’s internal database and giving the physician the ability to easily send that person a message seeking to refer a patient in real time. Names can be organized by specialty and then aligned in an organizational directory so physicians can access the individuals they need without hassle.

Continue Reading