In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or will have a presence of some kind at the show – key executives in attendance or presenting, for example.
Hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.
Since 1987, ESET has been developing award-winning security software that now helps over 100 million customers to enjoy safer technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires.
ESET is a leading security solution provider for healthcare organizations of all sizes. The company pioneered and continues to lead the industry in proactive threat detection.
Services and Products Offered
ESET products protect mobile devices, traditional endpoints and servers, and secure VPN access and critical applications with multi-factor authentication. The company also provides professional services to help healthcare organizations with deployment, malware removal, security assessment and knowledge transfer.
Protect against and block malware introduced by removable media and storage devices that can expose an organization to data leaks.
Keep email servers free of malware, spam and spear phishing attacks that lead to data breaches.
Prevent users from visiting compromised websites that can bring malware into your network, and enforce the organization’s Internet use policy.
Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. Here is a boiled down version of the current language which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent is more virulent than you supposed? That’s where a lot of health data security breaches occur: in the gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats.
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.
Guest post by Lysa Myers, security researcher, ESET
In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.
The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?
Trainings and Templates
If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would it be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?
Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training, since they will likely be in charge of setting up the protections that the rest of the organization relies on.
If you have a smaller healthcare organization, you can still create an AUP, without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something which is focused on healthcare and yet very simple, where you can “fill in the blanks” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.
Guest post by Lysa Myers, security researcher, ESET.
Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.
How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.
How to do an EHR risk assessment
There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.
AirStrip provides a complete, vendor and data source agnostic enterprise-wide clinical mobility solution, which enables clinicians to improve the health of individuals and populations. With deep clinical expertise and strong roots in mobile technology and data integration, AirStrip is empowering the nation’s leading health systems as the industry continues to evolve to new business models, accountable care and shared risk. Based in San Antonio, Texas, AirStrip allows health systems to unlock the full potential of their existing technology investments with a complete mobility solution that provides access to critical patient data across the care continuum. AirStrip is backed by investments from Sequoia Capital, Qualcomm, Inc., Hospital Corporation of America (HCA) and the Wellcome Trust. AirStrip’s customers include HCA, Texas Health Resources, Vanguard Health Systems (part of Tenet Healthcare Corporation), Dignity Health and Ardent Health Services.
Allscripts delivers the insights that healthcare providers require to generate world-class outcomes. The company’s Electronic Health Record, practice management and other clinical, revenue cycle, connectivity and information solutions create a Connected Community of Health for physicians, hospitals and post-acute organizations.
Axial’s products improve the quality of patient care, and reduce the cost of providing it, by credentialing the most qualified providers, delivering point of care decision support tools, and utilizing a 360-degree cloud-based predictive model to stratify risk and quantify outcomes. Axial furthers the IHI Triple Aim of driving healthcare value by developing cost-effective, quality-based treatment pathways combined with seamless IT and workflow integration.