I hope healthcare organizations delivered lots of TUMS and Advil to their beleaguered cybersecurity teams as a holiday bonus in 2018 – and maybe even a masseuse! With an overload of alerts, attacks and system compromises, it’s safe to say that working in a security operations center (SOC) can take both a mental and physical toll:
From 2010 to 2017, nearly 2,150 breaches involving more than 176 million patient records were reported to the Office of Civil Rights at the U.S. Department of Health and Human Services, according to a study published by the Journal of the American Medical Association (JAMA). During this period, the total number of breaches increased every year (except for 2015), with 199 reported in 2010 and 344 reported in 2017.
The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot button issue for software developers in the healthcare space, as a number of high profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they apply to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website of the Centers for Medicare & Medicaid Services offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the greatest vulnerability that was exploited was health IT networks. For software developers, the HIPAA security rule is the most likely potential source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must establish a secure application where authorized personnel have access to the required patient information while unauthorized persons do not. Patient information must also be protected from alteration or destruction.
Administrative safeguards ensure that software administrators who have access to the data are acting responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
Security management process
Information access management
Workforce training and management
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
Facility access and control
Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls:
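The two requirements stated above for the security rule, that authorized personnel can reach patient information while unauthorized persons cannot, and that the information is protected from alteration or destruction, can be illustrated in code. The following is an added example and not code from the original article: a toy protected-health-information store with a role-based access check, a keyed integrity tag on every record, and an audit trail of allow/deny decisions. The role model, the field names and the integrity key are assumptions for the example; in a real deployment the key would come from a key management service, not a constant.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed for the example: in production this key lives in a KMS/HSM.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Hypothetical role model: which operations each role may perform on PHI.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "guest": set(),
}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def _tag(patient_id, payload):
    """Keyed MAC over the record so that silent alteration is detectable."""
    msg = f"{patient_id}\x00{payload}".encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class PhiStore:
    records: dict = field(default_factory=dict)  # patient_id -> (payload, tag)
    audit: list = field(default_factory=list)    # (user, role, op, patient_id, outcome)

    def _authorize(self, user, role, op, patient_id):
        # Every decision, allowed or not, is written to the audit trail.
        allowed = op in ROLE_PERMISSIONS.get(role, set())
        self.audit.append((user, role, op, patient_id, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {op} {patient_id}")

    def write(self, user, role, patient_id, payload):
        self._authorize(user, role, "write", patient_id)
        self.records[patient_id] = (payload, _tag(patient_id, payload))

    def read(self, user, role, patient_id):
        self._authorize(user, role, "read", patient_id)
        payload, tag = self.records[patient_id]
        # Recompute the tag; a record changed outside write() no longer matches.
        if not hmac.compare_digest(tag, _tag(patient_id, payload)):
            raise IntegrityError(f"record {patient_id} failed integrity check")
        return payload

    def denied_events(self):
        """Audit entries where access was refused, e.g. for a compliance report."""
        return [e for e in self.audit if e[-1] == "deny"]


if __name__ == "__main__":
    store = PhiStore()
    store.write("dr_lee", "clinician", "P001", "dx=hypertension")  # constructed sample record
    print(store.read("clerk", "billing", "P001"))
    try:
        store.write("clerk", "billing", "P001", "dx=none")
    except AccessDenied as exc:
        print("denied:", exc)
    print(store.denied_events())
```

The integrity tag covers the patient identifier together with the payload, so a record cannot be moved from one patient to another without the check failing; `hmac.compare_digest` avoids a timing side channel on the comparison.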
Guest post by Dean Wiech, managing director, Tools4ever.
Identity and access management (IAM) in healthcare continues to be a growing part of the industry. The management of identities, user accounts and access to both data and applications is a large task for hospitals and healthcare organizations. In the healthcare industry especially, the need to follow strict access and security rules and regulations exists, which makes IAM even more challenging. This need has led to newer solutions to meet the needs of healthcare organizations.
Here are the top four account management issues in healthcare that can be significantly improved:
Onboarding of Employees
The first issue that many healthcare organizations face is efficiently onboarding new clinicians and employees. For example, when a new doctor or nurse begins employment, they need their account created and the correct access to the systems and applications they require in order to assist patients. Too often, new employees sit idle while all of their accounts and access are being created.
By streamlining and automating the account management processes, this issue can be improved. Automating the process allows administrators to enter a new employee's information into a source system, such as the HRM system, check off which systems the employee needs accounts in and access to, and have the new accounts created automatically.
Changes to Accounts
Next, there is the issue of movement or changes to an employee account throughout their employment. Often, clinicians need to contact their manager to ask for permission for a change to or additional access, who then in turn needs to contact IT or HR to have the change carried out.
IAM software with workflow management capabilities has evolved to assist with this situation. A web portal with workflow can be set up so that employees can easily request changes to their account and then have it securely carried out.
As an example, a nurse moves to a different unit, or floor, and needs access to a different set of data or applications. The nurse can request the access through a portal, and the request is automatically sent to the correct people for approval. Once the approval is given, the change is made automatically. If the request needs multiple levels of approval, it moves to the next person in line. In addition, all of these changes are logged so that the healthcare organization knows exactly what changes were made, when they were made and who approved them.
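The onboarding and access-change procedures described in the last few paragraphs can be shown together in one small model. This is an added example, not Tools4ever's software or code from the original post: a new hire is provisioned from an HR source record, a unit transfer request passes through an ordered approval chain, and the change is applied only when the chain is complete, with every step written to an audit log that records what changed, when, and who approved it. The HR field names, the role-to-system mapping and the two-step approval chain are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed HR source record; field names are hypothetical.
HR_RECORD = {"employee_id": "E1001", "name": "Pat Rivera",
             "job_title": "Registered Nurse", "unit": "ICU"}

# Hypothetical mapping of job title to the systems an administrator checks off.
ROLE_SYSTEMS = {
    "Registered Nurse": ["ehr", "email", "badge"],
    "Physician": ["ehr", "email", "badge", "eprescribe"],
}

# Hypothetical approval chain, in order: a unit transfer needs both approvals.
APPROVAL_CHAIN = {"unit_transfer": ["unit_manager", "it_security"]}


class WorkflowError(Exception):
    pass


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # employee_id -> {"unit", "systems"}
    audit: list = field(default_factory=list)

    def log(self, event, **details):
        # Timestamp every entry so the organization knows when a change happened.
        self.audit.append({"event": event,
                           "at": datetime.now(timezone.utc).isoformat(), **details})

    def onboard(self, hr):
        """Create every account the new hire's job title requires, from the HR record."""
        systems = set(ROLE_SYSTEMS[hr["job_title"]])
        self.accounts[hr["employee_id"]] = {"unit": hr["unit"], "systems": systems}
        self.log("onboard", employee=hr["employee_id"], systems=sorted(systems))
        return sorted(systems)


@dataclass
class AccessRequest:
    employee_id: str
    kind: str
    new_unit: str
    approvals: list = field(default_factory=list)  # roles that have approved so far

    @property
    def pending(self):
        """Approver roles still outstanding, in the order they must act."""
        return APPROVAL_CHAIN[self.kind][len(self.approvals):]


def approve(directory, req, approver_role, approver):
    """Record one approval; apply the change only once the whole chain has approved.

    Returns True when the change was applied, False while approvals are still pending.
    """
    expected = req.pending[0] if req.pending else None
    if approver_role != expected:
        raise WorkflowError(f"expected approval from {expected}, got {approver_role}")
    req.approvals.append(approver_role)
    directory.log("approve", employee=req.employee_id, by=approver, role=approver_role)
    if req.pending:
        return False
    account = directory.accounts[req.employee_id]
    old_unit = account["unit"]
    account["unit"] = req.new_unit
    directory.log("unit_changed", employee=req.employee_id, old=old_unit, new=req.new_unit)
    return True


if __name__ == "__main__":
    directory = Directory()
    print("provisioned:", directory.onboard(HR_RECORD))
    request = AccessRequest("E1001", "unit_transfer", "Oncology")
    approve(directory, request, "unit_manager", "m.chen")
    approve(directory, request, "it_security", "sec.ops")
    for entry in directory.audit:
        print(entry)
```

Because `approve` refuses an approval from anyone other than the next role in the chain, a single approver cannot push a request through by approving twice, and the audit log shows both who approved and the old and new unit for the change itself.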
In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or that will have a presence of some kind at the show – key executives in attendance or presenting, for example.
Hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.
Tools4ever is focused on ensuring secure and compliant user and authorization management, which is often complicated within healthcare institutions because of the relatively high employee turnover and absenteeism. Deploying an automated identity administration solution that integrates with EHR systems will automate the user account lifecycle and help to resolve these problems. In addition, healthcare employees often need quick but secure access to many different systems and applications. Tools4ever's password management solution can help reduce many of the password issues clinicians experience.
Tools4ever distinguishes itself through a no-nonsense approach and a low total cost of ownership. In contrast to comparable identity management solutions, Tools4ever delivers a complete solution in just weeks rather than months or years. Thanks to this approach, Tools4ever is one of the largest vendors in IAM with more than 5 million managed user accounts. Tools4ever delivers a variety of software products and integrated consultancy services covering identity management and access management, such as user provisioning, password management, and single sign-on (SSO).
Jacques Vriens established Tools4ever in 1999 and has expanded Tools4ever into a global software company. The initial focus was on tools for system administrators but building upon the knowledge and experience gathered in the early years, he quickly expanded the product portfolio into identity and access management.
In any industry passwords can be a hassle to manage, but perhaps nowhere is this more true than in healthcare. Password strategies are put in place to keep data secure, including patients' information, but they often cause headaches for clinicians. And since every minute matters in the clinical setting, any process that takes longer than necessary can become a major problem when patient outcomes hang in the balance.
Since providers often need quick access to their own systems, as well as to patient data and treatment history, in order to assist patients, something as simple as getting locked out of a system or forgetting account credentials is time-consuming and tedious to overcome. Contacting the helpdesk and waiting to get passwords reset wastes what little time caregivers have with patients. Simplifying password resets can give critical time back to caregivers and support staff in the care setting.
Easier said than done, of course. Many healthcare organizations resist implementing any type of password solution because they don't want to bombard clinicians with yet another new technology. One major reason is that they assume the implementation and training time will be lengthy; another is that they are currently bogged down by a variety of other pressing issues, such as meaningful use and preparing for the transition to ICD-10 in October 2015.
Also, because healthcare organizations must abide by strict rules and regulations, implementing password solutions can sometimes be an issue. In addition, healthcare’s leaders need to ensure that any new technologies implemented follow these regulations.
An Easy Solution to Password Reset Issues
Several leading healthcare organizations have opted to use self-service password reset solutions to easily solve their password reset issues. Just as banking websites allow consumers to reset their passwords, end users can reset their passwords after correctly answering security questions to which they previously provided answers. Clinicians simply click the "forgot my password" button and can reset their password from anywhere at any time. This allows clinicians to solve the problem proactively without having to contact another department for help.