Guest post by Steve Jourdan, founder and CEO, BedWatch.
It’s a broken record – we need innovation in healthcare. Being the largest economy in the world by a significant margin, with a number of resources at our disposal, one would think that our ability to deliver healthcare services would also rank at or near the top. In fact, we don’t rank well at all. A Bloomberg ranking from last year finds the U.S. healthcare market ranked 46th in the world in terms of efficiency, with the second highest healthcare costs per capita reported[1].
But, innovation equals risk, and risk is a four letter word in healthcare, for good reason. Margins are thin, enforcement and compliance efforts related to HIPAA are increasing, and, ultimately patient care hangs in the balance at a time when reimbursement models are shifting from fee-for-service to being outcome-based. It makes perfect sense that healthcare organizations take a conservative approach to their business.
However, continuing to do the same thing will not move us forward. Private industry and even the federal government[2] are taking advantage of these advancements. Technology is here, but it needs to be embraced; current technologies need to be adopted by healthcare for the benefit of everyone.
If I can perform secure online banking and investing directly from my smart phone, provided by the highly-regulated financial industry, why do I have to wait to receive healthcare services because health workers are using the technological equivalent of a Big Chief Pad and no. 2 pencil?
There is great promise in current mobile and cloud computing technologies, in that they are more accessible, easier to use, more secure, more scalable and can enable people to be more effective. The technology advancements we need are already here.
That said, use of current technology is only half of the solution. The other half is the people side of the equation. A culture of improvement must be embraced by the organization from the top down in order for significant improvements to be realized.
There’s little argument that overwhelming responsibility is placed on practice leaders to protect the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting. Given the high level of risk for exposure of this information and because of expanded enforcement of HIPAA, practices managing the release of information (ROI) must be more vigilant now than they have been in the past. Their processes for handling ROI need to meet not only the requirements of the law, but what’s in the best interest of the practices’ patients.
Along with a significant rise in HIPAA enforcement, practices must remain sensitive of how they handle the data that’s released to third parties. Redaction of personal information from records is one important way practice administrators can improve security, though it’s not the only way. Automating the removal of PHI by integrating redaction solutions with existing practice technology – such as electronic health records – searching and removing any protected information becomes electronic, eliminating a manual, repetitive process.
Removing risks associated with the release of PHI is possible with automated solutions that can remove data fields like patient name, dates of service, medication lists and other general information in the health record. But, even though solutions exist to automate the redaction of protected PHI, most organizations process records manually even as they migrate to electronic systems in other areas. Continue Reading
Two healthcare organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.
NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet.
Guest post by Michael Howard, worldwide security practice lead, managed services, printing and personal systems group, HP.
As the information technology landscape continues to rapidly evolve, healthcare providers increasingly find themselves faced with new challenges on how to best serve their patients and protect their privacy. The Health Insurance Portability and Accountability Act (HIPAA), which introduced privacy and security regulations in 1996 for providers that use electronic transmission of data, made securing patient data a prominent issue.
If you are skeptical about potential costs associated with implementing a new security strategy in your office, consider this startling fact: According to the Ponemon Institute, the average cost per incident of corporate information theft is $5.5 million1. That number alone should be reason enough for providers to consider upgrading their security protocols. While computers and servers are often the first pieces of technology to be secured within the IT infrastructure, paper documents and printers are often overlooked. With the extensive amount of security offerings available, IT managers can have greater confidence that patient records remain safe. Below are the top three ways that healthcare providers can better secure their print infrastructure:
Store medical records in the cloud
Recent data from the U.S. Department of Health and Human Services indicates that paper still accounts for a large percentage of HIPAA breaches. Between Jan. 1, 2011 through April 15, 2014, 500 patient data breaches have been reported with 203 related to paper (more than 40 percent)2. One easy way to reduce the likelihood of a paper breach – and to save time spent shuttling from one file cabinet to another – is to transfer your hard copy medical records to an electronic health record (EHR) format and store them in the cloud. Securing the paper to digital data process can be a less painful process by implementing a software solution that makes it easy for users to scan documents, convert them to electronic files and then distribute them to predetermined destinations. Not only will you simplify the data storage and retrieval process, but you will also save office space by reducing the need for file cabinets and limit excess paper.
As many healthcare providers are in the process of transitioning from paper to EHRs, it is important to be well informed on what happens to your data once it enters the cloud. Most cloud-based solutions offer bank-grade encryption for data transfer, in addition to highly protected data centers. By saving your EHRs to the cloud, you will be able to update patient records in real-time and reference past prescriptions and treatment plans while in the room with your patient. This promotes more personalized and convenient care and helps reduce duplications and inaccuracies.
Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.
Healthcare professionals are inundated with an abundant amount of ways that they can access and store clinical data. Healthcare IT departments are given the task of making sure the delivery of that clinical data is readily available and can be accessed via a myriad of devices, as well as in a secure manner that meets the compliance standards that the entire enterprise has agreed on upholding. The deluge of data and the ever-changing ways that the data is accessed is creating some major challenges and concerns for the majority of professionals who are responsible for managing the nation’s healthcare information stream.
In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.
Today, smart phones, tablets and computers that have helped proliferate the popularity of “Bring-Your-Own-Device” programs all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD together and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.
With the policies inherent in clinical applications themselves, it is easy to maintain the security of the content, which is often structured and rarely stored locally. However, the challenge revolves around the unstructured data with PHI. For example, if a clinician maintains a spreadsheet of basic patient data and he or she places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization are putting themselves in a liable position. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria – which can and usually dictates the cloud provider is willing to sign a business associate agreement in support of HIPAA – are the organization and clinician able to limit the potential liability impact. There can still be other factors that create new liability, but by making the limitation of rogue cloud storage a priority, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.
A new security risk assessment (SRA) tool to help guide health care providers in small to medium sized offices conduct risk assessments of their organizations is now available from HHS.
The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application, available for downloading at www.HealthIT.gov/security-risk-assessment also produces a report that can be provided to auditors.
HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.