The rapid digitalization happening in healthcare promises to streamline patient care and the availability of patient information.
Overall, advancements in technology fueling this are a step in the right direction. That said, there are side effects to this trend that put sensitive patient data at risk.
Healthcare organizations hold large volumes of sensitive personal data, ranging from health records to social security numbers, birth dates, and addresses. This makes them an appealing target for cybercriminals looking to steal and profit from that information. One recent survey reports that the majority of hospitals (82 percent) have had a significant security incident in the past year.
Healthcare organizations must protect sensitive patient data as mandated by the Health Insurance Portability and Accountability Act (HIPAA), the regulatory framework for the healthcare industry. As breaches continue to rise, healthcare providers and others in the industry must understand how to properly secure this sensitive data.
Here are three ways to ensure HIPAA compliance with patient privacy.
Ensure Technical Safeguards are in Place
Healthcare organizations must protect sensitive patient data from external and internal threats. While digital health records may improve efficiency, this electronically protected health information (ePHI) must be kept safe via technical safeguards.
This includes the access control and audit control requirements: every information system that holds ePHI must restrict access to authorized users, and activity within those systems must be traceable back to specific users. Organizations also need formal, written access control policies that say who may access which data and why.
Integrity controls (what the Security Rule calls a mechanism to authenticate ePHI) are also critical: healthcare organizations must be able to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, and must also secure that data while stored at rest. Digital signatures, checksums, and error-correcting memory are the mechanisms usually cited, but they are not equivalent. A plain checksum or error-correcting memory detects accidental corruption, while an attacker who can modify the record can simply recompute the checksum; only a keyed mechanism such as a message authentication code or a digital signature detects deliberate tampering.
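The difference between an unkeyed checksum and a keyed integrity check, as an added example that is not part of the original article. The record layout, the field names and the key are invented for the illustration; in practice the key would live in a key management service, not in source code.

```python
"""Integrity checks for a stored ePHI record: plain checksum vs. keyed MAC.

Added illustration; not code from the original article. The record format,
field names and key are made up for the example.
"""
import hashlib
import hmac
import json

# Key known only to the system that stores and verifies the record
# (assumption for the example: a real deployment keeps it in a KMS).
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the record: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def checksum_ok(record: dict, stored_checksum: str) -> bool:
    return hmac.compare_digest(checksum(record), stored_checksum)


def mac_ok(record: dict, stored_mac: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest keeps the comparison constant-time so the tag is not leaked by timing
    return hmac.compare_digest(mac(record, key), stored_mac)


def tamper_demo() -> dict:
    """Store a record under both protections, then alter it the way an attacker
    with write access to the database (but not to the key) would."""
    original = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}
    stored_checksum = checksum(original)
    stored_mac = mac(original)

    # The attacker changes a clinical value and, because the checksum is
    # unkeyed, recomputes it so the stored value matches again.
    tampered = dict(original, dose_mg=2500)
    attacker_checksum = checksum(tampered)

    return {
        "checksum_accepts_original": checksum_ok(original, stored_checksum),
        "checksum_accepts_tampered": checksum_ok(tampered, attacker_checksum),
        "mac_accepts_original": mac_ok(original, stored_mac),
        "mac_accepts_tampered": mac_ok(tampered, stored_mac),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The recomputed checksum passes verification on the tampered record; the HMAC does not, because the attacker cannot produce a valid tag without the key. A digital signature gives the same protection with the added property that the verifier does not need to hold the secret used to sign.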
Data in motion must also be secured, especially with the proliferation of electronic medical records (EMR) and health information exchanges (HIEs). Healthcare organizations must be able to securely transmit patient medical records between facilities.
Apply Administrative Safeguards
Healthcare organizations are responsible for both Protected Health Information (PHI) and Personally Identifiable Information (PII). The two are subject to different rules and need different handling, so data must be classified correctly before the right controls can be applied to it.
Administrative safeguards break down into the following categories:
Security management process
Assigned security responsibility
Information access management
Security awareness and training
Security incident procedures
These areas help organizations implement policies and procedures to guide employees in the proper care and use of ePHI. This may include security training requirements along with a delegation of security responsibilities within an organization.
Prepare for Compliance Audits
It may sound obvious, but preparing for and submitting to compliance audits on a regular basis helps healthcare organizations stay on track and avoid expensive HIPAA fines. Feeding the results of each review back into security decisions turns audits into an improvement loop rather than a one-off exercise. Ahead of scheduled audits, organizations should conduct internal reviews of their daily logs, looking for anomalies, errors, and other suspicious activity that could signal a threat.
Spotting anomalies is only half of it: organizations must also have an appropriate and measured response mechanism in place. Responding quickly to security issues requires documented procedures and trained staff.
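What an internal review of the access logs can look like in practice, as an added example that is not part of the original article. The log format, the users, patients, units, and the thresholds are all invented for the illustration; real EHR audit logs differ by vendor and the rules would be tuned to the organization.

```python
"""Review of an ePHI access audit log for anomalies worth a second look.

Added example, not from the original article. The log format, field names,
users, patients and thresholds are invented; the two rules (a clinician
reading records outside their own unit, a non-clinical role writing to a
record) and the volume check are illustrative, not an exhaustive policy.
"""
from collections import defaultdict
import re

# Constructed sample log: one access event per line, plus one malformed line.
SAMPLE_LOG = """\
2019-03-04T08:13:51Z user=anurse role=nurse unit=ICU action=view patient=P-0042 patient_unit=ICU
2019-03-04T08:20:02Z user=anurse role=nurse unit=ICU action=update patient=P-0042 patient_unit=ICU
2019-03-04T09:01:10Z user=bclerk role=billing unit=BILLING action=update patient=P-0100 patient_unit=ONC
2019-03-04T10:15:00Z user=cdoc role=physician unit=ONC action=view patient=P-0200 patient_unit=ONC
2019-03-04T23:41:07Z user=dsnoop role=nurse unit=ONC action=view patient=P-0300 patient_unit=ICU
2019-03-04T23:41:30Z user=dsnoop role=nurse unit=ONC action=view patient=P-0301 patient_unit=ICU
2019-03-04T23:42:02Z user=dsnoop role=nurse unit=ONC action=view patient=P-0302 patient_unit=ICU
2019-03-04T23:42:40Z user=dsnoop role=nurse unit=ONC action=view patient=P-0303 patient_unit=ICU
this line is not a valid audit record and must not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) patient_unit=(?P<patient_unit>\S+)$"
)

CLINICAL_ROLES = {"nurse", "physician"}


def parse_log(text: str):
    """Return (events, unparsed_count). Unparsable lines are counted, not dropped
    silently: a gap in the audit trail is itself something the review must report."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        events.append(m.groupdict())
    return events, unparsed


def review(text: str, max_patients_per_user: int = 3) -> dict:
    """Apply the review rules and return findings keyed by user."""
    events, unparsed = parse_log(text)
    findings = defaultdict(set)
    patients_by_user = defaultdict(set)

    for e in events:
        patients_by_user[e["user"]].add(e["patient"])
        # Rule 1: a clinician reading records of patients outside their own unit.
        if e["role"] in CLINICAL_ROLES and e["unit"] != e["patient_unit"]:
            findings[e["user"]].add("cross_unit_access")
        # Rule 2: a non-clinical role doing anything other than viewing.
        if e["role"] not in CLINICAL_ROLES and e["action"] != "view":
            findings[e["user"]].add("non_clinical_write")

    # Volume check: more distinct patients in the period than the role normally touches.
    for user, patients in patients_by_user.items():
        if len(patients) > max_patients_per_user:
            findings[user].add("high_volume")

    return {"findings": {u: sorted(f) for u, f in findings.items()},
            "unparsed_lines": unparsed}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for user, reasons in result["findings"].items():
        print(f"{user}: {', '.join(reasons)}")
    print(f"unparsed lines: {result['unparsed_lines']}")
```

Each finding is a lead for a human reviewer, not a verdict: a cross-unit access may be a legitimate consult, which is exactly why the formal access policies mentioned earlier matter, since they define what the review should treat as expected.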
This new digital environment makes for exciting new opportunities in the healthcare space. Unfortunately, it also brings with it new threats and security concerns that must be addressed. HIPAA compliance requires a comprehensive strategy to protect PHI and PII, including the right technology, the right safeguards, and the right training.
Cloud technology in healthcare is not new. Back in 2015, we published a post on cloud usage in healthcare, where we researched the topic and predicted that this area would grow. Now, in 2019, we can see that we were right. Let us look at what has changed in this area since then.
What are the benefits of using cloud technology in healthcare?
Although not yet fully adopted, cloud computing is popular in healthcare because it offers a number of features that are essential for improving the medical industry.
Improved data management and storage
It goes without saying that the healthcare industry deals with a lot of data that needs to be stored somewhere, and storage capacity is one of the biggest advantages of adopting cloud technology in this industry. Keeping records in the cloud also allows the data to be analyzed, which in turn can help prevent major disease outbreaks.
Mobility and speed
With on-premises servers, access speed depends on the local connection and hardware; cloud computing typically offers faster access to the required information, which is often key in healthcare. Storing data in the cloud also lets healthcare professionals access it from anywhere at any time, and makes collaboration more efficient because information is synchronized in real time. Doctors can view samples and lab results and share notes with colleagues, which significantly improves patient care.
Lower cost
Compared to supercomputers and other dedicated on-site hardware, cloud computing costs far less. Upgrades to the various features of cloud tools are also faster and cheaper than those made to hardware solutions.
Challenges and risks of cloud application in healthcare
Even though cloud technology has many advantages for healthcare, there are a number of risks and challenges that slow the transition to the new model. The biggest of them are the following:
HIPAA compliance
Whatever cloud solution healthcare organizations decide to use, it must comply with the Health Insurance Portability and Accountability Act (HIPAA). Because the cloud provider stores and processes ePHI on the organization's behalf, it becomes a business associate, and HIPAA's requirements must be understood and followed by the cloud vendor as well as by the medical facility. Many cloud providers now offer HIPAA-eligible services and will sign a business associate agreement (BAA), but that covers only the provider's side of the shared responsibility: configuring the service so that ePHI is actually protected (access control, encryption, logging, and so on) remains the customer's job.
Data backup plan
A data backup plan is a required part of the HIPAA Security Rule's contingency plan standard: healthcare organizations must establish and implement procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI). Any business associate (BA) or managed service provider (MSP) handling backups must therefore be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.
The data backup plan should be integrated into the wider contingency plan, because it is designed as the failsafe for patient data. Most MSPs already offer disaster recovery technology that can move data and services to a secondary location almost instantaneously, but backups are the last line of defense in the event of a catastrophic system failure: they keep restoration possible in the worst scenarios. Verify the plan by actually restoring from backup on a schedule and comparing the restored copies with the originals; a backup that has never been restored proves nothing.
If you are looking for good business ideas, the healthcare industry should be your first option. The industry is a fantastic place for individuals with healthcare-related business ideas as well as aspiring entrepreneurs to invest in. Exploring these ideas is excellent for many reasons. There is an opportunity to serve the aging population in the country and helping individuals who are struggling with the drug crisis.
Currently, there are many technological and medical advances as well as widespread interests in health and wellness. All these are great incentives for healthcare entrepreneurs. Also, combining all these factors means that there is a thriving market for the health-related businesses and medical staffing network.
Aspiring entrepreneurs can convert one of the many health-related business ideas into viable ways to make a living. But before getting started, they need to understand how staffing, liability, and HIPAA guidelines play into their decision making since non-compliance can result in closures and fines depending on the severity of the violation. Here are the main healthcare businesses ideas that can help you invest in the industry:
Medical mobile screening
If you are considering a new healthcare-related business, medical mobile screening is a good option because it requires less investment. Medical mobile screening is essentially a simpler way of booking a physician's appointment, ordering medicines, and scheduling vaccinations through digital technology.
This means that an individual can do all these activities without visiting a doctor or queuing for long hours while waiting for their turn to come up. From the business person’s point-of-view, this simplicity means far less overhead. Better yet, a medical staffing agency can be used to find worthy candidates from around the globe, further reducing business expenses by removing the need to headquarter everyone in the same location. The staff, just like the patients, can be situated virtually anywhere with an internet connection.
Retail pharmacy business
This business is the simplest and easiest way to enter the healthcare industry, and it is among the most flourishing and productive healthcare businesses in the sector today. If you plan to establish your own drug store, you must abide by the current regulations of the retail pharmacy business that govern stockpiling, sourcing and supply, sale, and record keeping, including the HIPAA requirements that apply to patient information.
The retail pharmacy business is best for individuals planning to open a store in the vicinity of medical facilities, since demand is higher in such locations. It is among the growing and profitable healthcare business opportunities that never run out of customers, because it sells products people use daily.
Guest post Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
According to the 2016 Survey of America's Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices of 30 physicians or fewer. For these small and medium-sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all, which is a worrying statistic given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery, a four-physician practice based in Arizona, was fined $100,000 and required to take corrective actions after it was revealed the practice had been using a publicly accessible Internet calendar service and had been transmitting ePHI to employees' private email accounts. The violation was avoidable: HIPAA does not forbid such services outright, but it requires a risk analysis, a business associate agreement with the vendor, and safeguards against public exposure of ePHI, none of which the practice had in place.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization, but small and medium practices typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so the challenge is larger than most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members who possess the necessary skills to lead a team in promoting HIPAA best practices, as well as undertaking risk assessments and so on. As such, all responsibility lands with the medical staff, who must assume dual roles; as both clinicians, and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is not all are, and this presents major security and privacy risks.
The good news is, there are some relatively easy steps small- and medium-sized practices can take to significantly minimize the risk of a HIPAA breach occurring, that don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
Why HIPAA exists and who it covers
Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
Protected Health Information (PHI/ePHI) and the key personal identifiers
HIPAA enforcement and the consequences of noncompliance
Their responsibilities as an individual within the organization
Many hospitals, clinics and healthcare organizations today talk about going paperless. In fact, according to a November 2016 research report from IDC, more than 40 percent of healthcare organizations report that they have a paper-reduction initiative in place.
Yet even hospitals that have achieved late-stage meaningful use status still receive and process high volumes of paper. This is especially true for important printing workflows, such as medical records, administrative files, admissions documents, prescriptions and pharmacy information. According to a recent survey by HIMSS Analytics, commissioned by Nuance, 90 percent of survey respondents reported some clinicians still use paper-based documents.
There is no escaping that healthcare organizations are committed to paper, at least for the short-term future. For instance, the IDC study found print volumes are expected to remain flat for the next two years, before beginning to decline after that time period.
When you consider that this amount of paper is expensive (both in terms of actual printing costs as well as overall document management processes), hard to track, and poses serious security and compliance risks, you may wonder why so many healthcare organizations continue to rely on paper.
To help answer the question, we’ll take a closer look at the reasons cited in the IDC report. We’ll also offer a few best practices any healthcare organization can follow now to reduce its reliance on paper to address the challenges posed by manual or paper-based workflows.
Why Paper Use Continues
According to the IDC report, the top reasons hospitals, clinics and healthcare organizations continue to use paper include incompatible document management systems or technology. This issue is most notable between the organization and outside facilities, leaving default paper processes as the best workaround.
Another reason is that many workflows still require paper documentation, most notably patient check-in/belongings forms, records requiring signatures, consent forms and more. Additionally, the majority of prescriptions and pharmacy records are still paper-based. For example, only 10 percent of responding hospitals indicated that prescriptions were electronic.
Lastly, healthcare organizations are large-scale consumers of fax technology. Hospitals report that many still receive and send up to 1,000 pages per month by fax. Interestingly, these hospitals report that while faxing may be an antiquated technology, many are behind in implementing new technology and must continue to focus on what works for them.
The handling and sharing of medical records is a critical and sensitive issue, and one that affects millions of providers, patients and payers every day. According to the Centers for Disease Control and Prevention, Americans make more than a billion visits to doctors' offices, clinics and hospitals annually, so one can only imagine how often medical records change hands between patients, physicians, specialists, healthcare organizations and their staff.
Test results, images, medical and billing history and other related information continue to be mailed, faxed and—more commonly—emailed between interested parties. Email is the most popular of these options because it combines the wide accessibility of snail mail with the immediacy of fax transmission. But email as a means of sharing sensitive healthcare data lacks in three critical areas: security, regulatory compliance and working with large files.
Security, privacy and protection
Gaps in email security should have doctors and patients sweating bullets any time they attach medical information to an email and hover their cursor over the “send” button.
The overarching problem is encryption, or the lack of it. Like CDs and popular online sharing services, medical records sent by email are generally not encrypted end to end. Even where the hop between mail servers happens to use TLS, the message and its attachments are stored in clear text on the sender's, the recipient's and the providers' servers, readable by anyone with access to those mailboxes or systems. The sensitive medical information is therefore exposed at every stage of its journey.
Exchanging records by email means exposing patients’ personal information and their entire medical histories to a nefarious underworld of hackers seeking to exploit such information. It may include the most personal and private information, from social security numbers to diagnoses for chronic illnesses. Should information get in the wrong hands, there’s no predicting the extent and impact of the consequences.
A little more than a year ago the former Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Leon Rodriguez, referred to covered entities that did not realize they had business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriguez stressed that it is the responsibility of both the covered entity and the business associate to understand that this relationship exists.
Regarding ramped-up HIPAA enforcement and compliance, Rodriguez indicated future audits would be narrower in scope and include more organizations than ever before. Covered entities and their business associates would also be audited under the new permanent program, and audits would focus on vulnerabilities that could change from year to year as new issues arise. This appeared to be the start of an intended awareness program and fair warning.
With Rodriguez's departure to Homeland Security in June, it seemed that the task of continuing the drumbeat message of ramped-up HIPAA enforcement fell to Linda Sanches.
Sanches is OCR’s senior health information privacy advisor. In that position, she oversees the HIPAA security and breach notifications audit program and may know a thing or two about the direction OCR wants to take with future audits. Sanches recently spoke at the Health Information and Management Systems Society (HIMSS) Privacy and Security Forum. However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry seems to know already, that these audits are coming.
Much like Rodriguez did in the past, Sanches spoke more in generalities than specifics. She indicated OCR was looking at a broader view of the entire healthcare industry as possible criteria for selecting who would be targeted for an audit. Using the National Provider Identifier (NPI) database is one method being considered to select entities such as hospitals, practices and dental providers for audits.
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That's where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being "HIPAA compliant" and "secure" often comes down to underestimating threats.
According to the 2014 Exclusive EHR Study conducted by the MPI Group and Medical Economics, 70 percent of clinicians said their EHR investment has not been worth the effort, resources and costs. Widespread dissatisfaction with electronic records systems is casting an unfortunate shadow over the great potential they hold for making today’s medical practices more efficient and for improving healthcare delivery. However, practices can help avoid future disappointment with their EHR decision and save time and resources by understanding how to avoid common implementation pitfalls.
1. Choosing the wrong EHR
The intuitiveness and ease of use of your EHR will affect every area of your practice. If you don't consider yourself technologically savvy, finding an intuitive solution should be at the top of your list. (After all, presumably you're a clinician, not an IT expert.) Was a clinician involved in the development of the EHR system? If not, chances are your idea of "usable" won't line up with the vendor's.
Another aspect to consider is cost, which can vary across a wide spectrum from free to several thousand dollars a month. Decide on the maximum price that you are willing to pay. This will reduce the list of vendors for consideration. Oh by the way, beware of the word “free.” Your biggest hidden cost is not the dollars spent on software, but the hours of lost productivity from a system that impedes you with banner ads and other annoying distractions.
To be certain that the EHR you choose is the right one for your practice, do everything in your power to expose yourself to the software prior to purchasing. It is worth asking the vendor whether they offer free trials. If not, consider watching video tutorials, attending webinars and shadowing another clinician using the EHR.
2. Underestimating the importance of an implementation plan
To ensure the smoothest transition possible, develop an implementation plan that will introduce you to your new EHR and also help you identify specific questions to ask the vendor. Your EHR vendor will likely have one to give you – just ask.
At a minimum, a useful implementation guide should tell you how to do the following: